ODPC COMPLAINT NO. 1938 OF 2023
ODPC COMPLAINT NO. 1938 OF 2023
MANASSEH NJERU vs. SAFARICOM PLC

1. Introduction

Manasseh Njeru alleges that Safaricom PLC accessed and shared his personal data with third parties without his consent, violating the Data Protection Act, 2019.

2. Nature of Complaint

The Complainant alleged that the Respondent accessed and shared his personal data held in the Safaricom database to third parties without his consent, failed to protect his personal data from unauthorized access and disclosure, and thereby violated his right to privacy under Article 31 of the Constitution and the Data Protection Act, 2019.

3. Analysis of Evidence

Complainant’s Position
  • Adduced evidence demonstrating that his personal data was accessed and shared with third parties
  • Stated that he never gave consent for the disclosure of his personal data to any third party
  • Prayed for compensation for the violation of his rights under the Act
Respondent’s Defense
  • Denied the allegations of unauthorized access and disclosure of the Complainant’s personal data
  • Argued that it has robust data protection measures in place to safeguard customer data
  • Contended that the Complainant failed to provide sufficient evidence to support his allegations

4. Issues for Determination

  1. Whether the Respondent violated the Complainant’s right to privacy by accessing and sharing his personal data without consent
  2. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations

5. Final Determination

The Data Commissioner found:

  1. The Respondent accessed and disclosed the Complainant’s personal data to third parties without his consent.
  2. The Respondent failed to implement adequate technical and organizational measures to protect the Complainant’s personal data from unauthorized access and disclosure.
  3. The Complainant’s right to privacy under Article 31 of the Constitution and the Data Protection Act, 2019 was violated by the Respondent’s actions.

Orders:

  • Compensation of KES 500,000 to the Complainant.
  • Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days.

6. Significance and Impact

Data Protection by Design and Default
  • Reinforces the obligation of data controllers to implement appropriate technical and organizational measures to protect personal data
  • Establishes that telecommunications companies bear heightened responsibility for safeguarding customer data
Unauthorized Access and Disclosure
  • Clarifies that unauthorized access and sharing of personal data constitutes a violation of data subject rights
  • Holds organizations accountable for internal security failures that lead to data breaches
Customer Trust and Regulatory Compliance
  • Highlights the critical importance of maintaining customer trust through robust data protection practices
  • Demonstrates that data protection compliance is essential for business operations

Broader Impact: This determination reinforces the stringent obligations on data controllers to protect personal data from unauthorized access and disclosure. Telecommunications companies must maintain robust security measures to prevent data breaches. Organizations are reminded that internal security failures carry significant legal consequences. Proactive data protection compliance is non-negotiable.

Leave a Reply

Your email address will not be published. Required fields are marked *