The Data Commissioner has slapped Oppo Kenya with a Sh5 million fine over privacy infringement after using the photo of an unnamed complainant on its Instagram page without consent.
The Office of the Data Protection Commissioner (ODPC) last month issued an enforcement notice against the company after it infringed on the privacy of the complainant by using their photo on the company’s Instagram account (stories) without the complainant’s consent.
ODPC said the fine slapped on Oppo is as a result of its “neglect and/or default to comply with an enforcement notice issued against it”.
The fine will be paid to ODPC which is legally tasked with penalising and enforcing actions against individuals and firms found culpable of privacy infringements.
The penalty notice was issued pursuant to Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, said ODPC.
“Oppo Kenya has refused to co-operate with ODPC by among others; failing to adduce and/or develop a policy for compliance with Sections 37 of the Act,” said ODPC.
The Section provides that a person shall not use for commercial purposes personal data obtained pursuant to the provisions of the Act, unless the person has sought consent from a data subject or is authorised to do so.
It added: “Oppo Kenya has also failed to adduce a data protection policy pursuant to the enforcement notice issued; and proof that it has developed an internal complaints mechanism to address data subjects’ complaints.”
Data Commissioner, Immaculate Kassait urged entities to comply with the Data Protection Act by implementing data protection principles and safeguards to all processing activities that relate to the collection, storage and other processing of personal data and sensitive personal data.
“ODPC urges Data Controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in instituting enforcement procedures,” she said.
This comes more than two months after the Data Commissioner commenced an audit on 40 digital lenders, including Branch and Tala, over misuse of customers’ data, following complaints from the public.
The ODPC in October said it had received 299 complaints from members of the public against the 40, over how their data was handled.
The Data Commissioner says that of the digital credit lenders that received a notice, 22 have failed to provide a response and notifications have been issued against them.
“ODPC wishes to notify the public that as of the deadline for submission of documents for the compliance audit, 18 out of 40 entities had responded to the letter from the Office by submitting documents for preliminary review,” said ODPC.
It said that a comprehensive review of the documents submitted by the lenders is currently ongoing before further action is taken.
