The Office of the Data Protection Commissioner (ODPC) has issued three Penalty Notices to three Data Controllers for failing to observe Data Privacy Rights to Data Subjects and also not complying with the Data Protection Act.

The three Data Controllers are:

• Mulla Pride Ltd, a Digital Credit Provider (DCP) which operates KeCredit and Faircash mobile lending Apps (Sh2,975,000)

• Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi (Sh1,850,000)

• Roma School, an Educational Institution based in Uthiru (Sh4,550,000)

The ODPC found Mulla Pride Ltd culpable of using names and contact information of the Complainants which were obtained from third parties, and subsequently used to send threatening messages and phone calls.

The DCP was also found to be failing to provide data subjects with access to their personal data and failing to erase personal data upon request.

Casa Vera Lounge was fined for posting a reveller’s image on their social media platform without the Data Subject’s consent.

Roma School was fined for posting minors’ pictures without parental consent.

The ODPC urged entities to comply with the Data Protection Act by implementing data protection principles and safeguards.

Data Commissioner Immaculate Kassait said that failure to comply with the Act will result in instituting enforcement procedures.

The office has also conducted a compliance audit on WhitePath, (a digital credit provider) and an inspection on Naivas Supermarkets on recent Data Breach.

The findings will be shared with the Data Controllers for their swift action. The Office will be embarking on conducting forty (40) Compliance Audits to various Data Controllers and Processors in various sectors this Financial Year.

Below is the full statement by the Office of the Data Protection Commissioner: