The Casa Vera Lounge, an establishment situated along Ngong Road in Nairobi, recently found itself facing a substantial fine of Ksh.1.85 million. The reason behind this penalty was their unauthorized posting of a patron’s photograph on their social media platform without obtaining the individual’s consent. This punitive measure was handed down by the Office of the Data Protection Commissioner (ODPC) in a statement issued on a Tuesday. The core premise for this fine was that the restaurant had transgressed data privacy rights and had failed to adhere to the stipulations of the Data Protection Act.
ODPC underscored that this financial penalty should serve as a stark warning to other lounges and clubs, emphasizing the importance of obtaining explicit consent from their customers before sharing their images online.
In a similar vein, Roma School, a mixed day and boarding primary school located in Uthiru, was slapped with a substantial fine of Ksh.4.55 million by ODPC. The school incurred this penalty for the unauthorized posting of a minor’s images without acquiring the requisite parental consent. This marked a significant milestone, as it represented the first and the most substantial penalty ever levied against an educational institution. The underlying message sent by this penalty was that schools and other establishments handling personal data of minors must diligently seek consent from parents or guardians before processing such data, as stated in the ODPC’s official statement.
Furthermore, Mulla Pride Ltd., a Digital Credit Provider (DCP) operating KeCredit and Faircash mobile lending Apps, found itself on the receiving end of a Ksh.2.975.000 penalty. The reason behind this fine was their usage of names and contact information obtained from third parties, which they subsequently employed to send threatening messages and make phone calls.
Meanwhile, Naivas Supermarket and the digital credit lender WhitePath were placed in a state of suspense as they awaited the outcome of a compliance audit prompted by data breach reports. ODPC noted that the findings of this audit would be shared with the Data Controllers for prompt action.
In light of these developments, various entities have been strongly urged to comply with the Data Protection Act by implementing data protection principles to safeguard the personal identity of citizens. It was emphasized that failure to adhere to the Act would lead to the initiation of enforcement procedures.
ODPC also announced its intention to conduct 40 compliance audits on a range of data controllers across different sectors throughout the year, underscoring their commitment to ensuring data protection and privacy in various industries.