Data Privacy Breach Costs Zerox Technology Kshs. 500,000: A Case of Persistent Calls and Unlawful Data Use

Introduction
The complaint was lodged by Sandra Bonareri Ongakli against Zerox Technology Limited (Zerox), concerning persistent calls from the company’s product, Asapkash, for a loan she was not party to. The Office of the Data Protection Commissioner (ODPC) handled the case under the Data Protection Act, 2019 and Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

  • Complainant’s Allegation: Sandra was repeatedly contacted by agents of Asapkash, demanding she reach out to a relative who had defaulted on a mobile loan. Despite clarifying she was not involved, the calls persisted.

The ODPC notified Zerox of the complaint, stating that if the claims were substantiated, Zerox was in breach of the Data Protection Act, 2019.

Legal Issues
1. Infringement of Rights:

Right to Privacy: Under Article 31 of the Constitution and Section 26(a) and (c) of the Data Protection Act, the complainant’s rights were infringed. Sandra was not informed her number had been used as an emergency contact, and despite her objection to further processing of her personal data, Zerox’s calls continued.

2. Obligations of Data Controllers:

Direct Data Collection: Under Section 28 of the Act, Zerox failed to prove that they lawfully collected Sandra’s personal data directly. The collection occurred via a third party (the loanee), violating their obligation to collect data directly from the data subject unless specific exceptions applied.

Consent for Processing Data: Zerox failed to demonstrate they had obtained Sandra’s consent to process her personal data, contrary to Section 30 of the Act.

Investigation Findings

Zerox’s Defense: Zerox argued that the complainant was listed as an emergency contact by a loanee. They claimed to have sent Sandra an OTP message to confirm or reject being listed as an emergency contact, but failed to provide evidence of this.

ODPC Conclusion: Zerox did not prove it had notified Sandra of the use of her personal data or obtained consent. Further, the continued calls after Sandra objected constituted a breach of her data protection rights.

Determination
The ODPC found Zerox liable for infringing Sandra’s data protection rights under Section 26 of the Act. Zerox also failed in its obligations as a data controller, particularly by:

  • Processing personal data without consent.
  • Not directly collecting data from the complainant.

As a result, the ODPC ordered Zerox to:

  • Pay Sandra Kshs. 500,000 as compensation for the infringement.
  • Adhere to previous enforcement notices issued under the Act within 30 days.

Both parties were granted the right to appeal the decision to the High Court of Kenya within 30 days.

Implications

This case emphasizes the importance of:

  1. Consent in Data Processing: Companies must obtain explicit consent before processing personal data, particularly when it is obtained indirectly, like through an emergency contact.
  2. Data Subjects’ Rights: Individuals have the right to be informed and to object to the processing of their personal data. Failure to uphold these rights can result in significant penalties.
  3. Corporate Accountability: Organizations like Zerox are liable for misuse or mishandling of personal data and face legal consequences for repeated violations.

This case also highlights the growing role of the ODPC in enforcing Kenya’s data protection laws and setting precedents for future data-related disputes.


At Mbuchi & Associates Advocates, we assist organizations in complying with Kenya’s Data Protection Act, 2019 and related regulations. Our services include helping businesses navigate data protection challenges, offering legal guidance on data privacy, and ensuring that data processing practices are in full compliance with the law. Whether it’s handling complaints like the one above or providing advice on data processing and consent management, we are here to support your organization’s data protection needs.