The Data Protection Commissioner’s Strict Pursuit of Personal Data Processing Claims under the DPA 2019
- Legal Development, 19 February 2025
- Africa
- Technology, Outsourcing and Data
The right to privacy as a constitutional protection was guaranteed when the Data Protection Act 2019 (the DPA/the Act) came into force.
The Act established, inter alia, the Office of the Data Protection Commissioner, [1] made provisions to regulate the processing of personal data, and provided rights for data subjects [2] and obligations for data controllers and processors.
This article analyses the primacy of the right to privacy, the protection of personal data and the weight of obligations that data controllers and processors are subject to. More specifically, attention is paid to the balance between their conduct of business and their obligations as data controllers and processors.
The Office of the Data Protection Commissioner (the Office/the ODPC) has the duty, among other things, to exercise oversight over data processing operations, either on its own motion or at the request of a data subject, and to verify whether the processing of data is done in accordance with the Act; to receive and investigate any complaint by any person on the infringement of their rights; and to carry out inspections of public and private entities with a view to evaluating the processing of personal data. [3] The Act sets out principles that data controllers and processors ought to apply when processing personal data. [4] Yet, on numerous occasions, the Office has received complaints from data subjects relating to the unwarranted processing of their personal data.
Consent, withdrawal of consent and right of erasure
Section 30 of the Act specifies that data processing is subject to obtaining consent for a specified purpose, which consent can be withdrawn. [5] A data subject also has a right of erasure of their personal data, [6] which can constitute a withdrawal of consent as was established in ODPC Complaint No. 2533 of 2023 – Terrence Adriano versus Swara Acacia Lodge Limited. The complainant was a former employee of the Respondent who had sought the erasure of their personal data from the Respondent’s Facebook page. While he had consented to the taking of and use of his photographs for marketing purposes by the Respondent, he wished to withdraw his consent to the continued use of his pictures after his employment with the Respondent ended. Despite several requests for erasure by the Complainant, the Respondent failed to take down his pictures, until after the Office issued a Notification of Complaint lodged before it. However, the Respondent had not taken down all the Complainant’s images as at the time the matter was being determined. The Office found that the Respondent had violated the Complainant’s right of erasure, and thereby his right to privacy, and ordered that the images be deleted.
Personal data relating to a minor
Section 33 (1) of the Act places an obligation on a data controller or processor to obtain parental consent before processing personal data relating to a minor and to ensure that the processing is carried out in a manner that protects and advances the rights and best interests of the child. Further, the burden of proof evidencing that consent was sought is placed on the data controller or processor pursuant to Section 32(1).
In ODPC Complaint No. 502 of 2024 – Fatuma Hadi Ali Suing on Behalf of J.A.A (Minor) versus Nova Pioneer Kenya Limited, the Respondent had advertised its school on billboards and on its website using the Complainant’s image without first obtaining parental consent. The Respondent claimed to have obtained parental consent twice for the use of the minor’s image in the Respondent's promotional material. However, the Respondent failed to prove that it had been granted consent or that it satisfied the exemptions to obtaining consent prescribed in Section 30 (1) (b). As such, the Respondent was found to have breached its obligation to seek parental consent.
Further, the Office found that the Respondent had a duty to notify the minor’s parent that personal data was being collected (the minor’s photographs) and that they intended to use it for advertising. Since advertising is a commercial purpose, the Respondent ought to have obtained express consent for this purpose pursuant to Section 37(1) of the Act.
As to its obligation to uphold the right of erasure, the Office found that the Respondent fulfilled its obligation when, upon being issued with a demand to pull down the billboards and the images of the minor from its website, the Respondent complied. The ODPC concluded the matter by awarding the Complainant compensation of KES 950,000 (over USD 7,000), owing to the fact that the data was personal data relating to a minor and that it was used for commercial purposes.
Unauthorised collection, use and access of personal data
In ODPC Complaint No. 0381 of 2024 - Sandra Bonareri Ongaki versus Zerox Technology Limited, the Office received a complaint relating to the indirect collection of personal data from the data subject. The Respondent provided loan facilities and required every applicant to provide at least two emergency contacts in their loan application, including their names and phone numbers, for the Respondent to use when it was unable to reach the loanee to remind them to pay their defaulted loan. The Complainant was listed as an emergency contact by one of the Respondent’s loanees. Upon the loanee’s default, the Complainant received persistent calls from the Respondent’s agents urging her to engage the loanee on the matter. Despite her objection to such processing of her data pursuant to Section 26 (c), the Respondent, through its agents, persisted. The ODPC found this to be in contravention of the Complainant’s rights and the Respondent’s obligations.
The issue of the obligation of the Respondent, as a data controller, to collect data directly from a data subject, and the instances in which it was permitted to do so indirectly, was canvassed. [7] The Office emphasised the obligation to first obtain consent from a data subject before collecting their data indirectly from another source. Accordingly, it was immaterial that the loanee had listed the Complainant as an emergency contact; the Respondent ought to have provided proof that it had obtained the Complainant’s consent to collecting her personal data through the loanee.
Implication for data controllers and data processors
A heavy burden is placed on data controllers and processors to align the processing of personal data with the provisions of the Act. The principles set out in Section 25, such as upholding the right to privacy, collecting for explicit, specified and legitimate purposes, and doing so in a lawful, fair and transparent manner, ought to be a guiding tool for all data controllers or processors. The Office has also put great emphasis on the rights of data subjects and placed a strict obligation on data controllers and processors to uphold them. It is also apparent that data controllers and processors need to align their businesses and employ measures that ensure that they comply with data processing regulations.
Some key definitions
- “Personal data” means any information relating to an identified or identifiable natural person.
- “Data subject” means an identified or identifiable natural person who is the subject of personal data.
- “Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
- “Data controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
- “Processing” means any operation performed on personal data.
[1] Data Protection Act (Cap. 411C), Section 5.
[2] Data Protection Act, Sections 26 and 27.
[3] Data Protection Act, Section 8 (1).
[4] Data Protection Act, Section 25.
[5] Data Protection Act, Section 32 (2).
[6] Data Protection Act, Section 40 (1).
[7] Data Protection Act, Section 28 (1), (2).