Two companies penalised for breaching personal data laws

Each company is required to pay the office a penalty of Sh500,000.

The Office of Data Protection Commissioner has penalised an online lender and a city working space provider Sh500,000 each over allegations of intruding and sharing Kenyans’ personal data.

Digital lender Whitepath Ltd and Regus Kenya Ltd were penalised for non-compliance and non-cooperation with the office following complaints lodged against them by users of their services over breach of personal data.

The mandate of the office, which is headed by Data Commissioner Immaculate Kassait, is to regulate the processing of personal data and protect the privacy of individuals.

The office received close to 150 complaints against Whitepath alleging that the company’s Mobile App was mining phone contacts data to engage in debt shaming practices like sending messages about the existing debt.

The complainants said that the company’s Mobile App had accessed their mobile phone contacts and was sending unwarranted and unsolicited text messages to the said contacts.

Additionally, it was alleged that the Whitepath staff were harassing the complainants and their contacts irregularly obtained from the users’ phone books.

Relating to Regus, the office said that the complaint was alleged frequent spamming of automated improper information to the complainant despite attempts to make it stop.

Each company is required to pay the office a penalty of Sh500,000.

At the same time, the office issued an enforcement notice to another company, Ecological Industries Limited, due to non-cooperation with several notifications of a complaint launched in January 2023.

The complaint was against the company publishing of a personal photo on its catalogue and calendar for marketing purposes.

The Data Commissioner said that the “data protection is the responsibility of every data controller and processor and it must be the company’s top priority whenever they collect, process or store personal information”.

“I challenge businesses to protect personal data by design and by default and cooperate with the Office of Data Protection Commissioner to avoid penalties,” she said.

According to section 63 of the Data Protection Act, the maximum amount of penalty that may be imposed by the Commissioner in a notice is up to Sh5 million or in the case of an undertaking, up to one per cent of the company’s turnover of the preceding financial year.