The Office of the Data Protection Commissioner has penalized the Casa Vera Lounge for posting a reveler’s image on their social media.
In a public notice issued Tuesday, September 26, the Commissioner said it fined the restaurant located at the intersection of Ngong Road and Kaburu Drive in Nairobi Sh1,850,000 for posting the image without the reveler’s consent.
“The establishment was fined KES 1,850,0000 for posting a reveler’s image on their social media platforms without the Data Subject’s consent.
“This penalty seeks to ensure that other lounges and clubs seek consent from their customers prior to posting their images online,” said the Data Commissioner.
The popular joint is one of three Data Controllers that have been fined for failing to observe Data Privacy rights and failure to comply with the Data Protection Act.
KeCredit and Faircash
The commissioner also penalized Mulla Pride Ltd, a Digital Credit Provider that operates KeCredit and Faircash mobile lending apps.
“The DCP was found culpable of using names and contact information of the complainants which were obtained from third parties, and subsequently used to send threatening messages and phone calls,” said the Commissioner.
As a result, Mulla Pride has been fined Sh2,975,000.
“This Penalty will ensure that Digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data. t will further ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data,” a press release reads in part.
Also fined is Roma School based in Uthiru. The Data Commissioner says the learning institution posted minors’ pictures without parental consent, costing it a Sh4,550,000 million fine.
“This being the first and the highest penalty to an educational facility sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents/guardians prior to processing minors’ data,” said the commissioner.
Adding: “These penalty notices have been issued pursuant to Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.”
While urging entities to comply with the Data Protection Act by implementing data protection principles and safeguards, Data Commissioner Immaculate Kassait called upon Data Controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in Instituting enforcement procedures.
The office has also conducted a compliance audit on WhitePath, (a digital credit provider) and an inspection of Naivas Supermarkets on a recent Data Breach.
The findings will be shared with the Data Controllers for their swift action. The Office will be embarking on conducting forty (40) Compliance Audits to various Data Controllers and Processors in various sectors this Financial Year.