Are you a business or organization that handles data in Kenya? Then you need to take data privacy issues seriously as the Kenyan regulator has come out guns blazing.
On 26th September 2023, the Office of the Data Protection Commissioner (ODPC) issued a Press Release in which they confirmed having issued penalty notices totalling Kenya Shillings 9.3 Million to three entities operating in the digital lending, hospitality and educational sectors. The penalties were issued to the entities for instances where the organizations processed individuals’ data contrary to the requirements of data privacy laws i.e., failure to follow guidelines on obtaining consent.
A copy of the Press Release by the ODPC is below.
It is apparent that we are now living in an era where massive amounts of data are being collected, stored and used by third parties and it is the responsibility of such entities to put in place both legal and technical measures to protect individuals’ personal information.
Consent is either Yes or No and cannot be Implied.
Under the Data Protection Act 2019 (the Act), where a data controller or data processor collects personal data, they must ensure that such data is processed within the requirements of the law and with due regard to the rights of the data subjects from whom they collect such information. A key component of this obligation is to obtain the free, express, informed and unequivocal consent of a data subject (or their parent/guardian, if they are a minor).
Since the Press Release, certain notices by night clubs have come to light imposing “implied consents” on patrons entering their establishments, which unfortunately points to a lack of understanding of the new law since implied consent fails to meet the threshold for free, express, informed and unequivocal consent as required by the Act.
It is apparent that the ODPC is starting to ramp up its enforcement mandate and focusing attention on a wide variety of sectors. Businesses and organisations therefore need to quickly adapt to the new laws and appreciate the added responsibility placed on them to ensure the processing of personal data is in accordance with the Act.
In case you require further information on this topic, please feel free to contact us at TechGroup@fmcadvocates.com
Download our Legal Alert here https://rb.gy/vkazc