Mobile phone firm Oppo Kenya has found itself on the wrong side of the recently enacted privacy laws after it was fined Sh5 million by the office of the Data Protection Commissioner (ODPC).
The amount is the maximum allowable penalty, for ‘infringement on the privacy of a complainant’.
The Data Commissioner said Oppo had defaulted on compliance and was issued an enforcement notice on November 3.
“ODPC on November 3, 2022, issued an enforcement notice against Oppo Kenya (Company) after it infringed on the privacy of a complainant by using their photo on the company’s Instagram account (stories) without the complainant’s consent,” said the Data Commissioner in a statement.
“Oppo Kenya is therefore required to pay to the ODPC a penalty of Kenya Shillings Five Million pursuant to Section 63 of the Data Protection Act, and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement).”
The ODPC said Oppo had refused to cooperate as it has not come up with a policy for compliance with Section 37 of the Act.
The new privacy laws prohibits the use of personal data that has been obtained pursuant to the Act for commercial purposes without consent from the data subject or authorisation under any written law.
Oppo was also accused of failing to prove that it had developed an internal complaints mechanism to address data subjects’ complaints.
The privacy laws, which received a parliamentary nod in March of this year, require all data controllers and data processors to register with the ODPC.
The set of regulations includes the data protection (General) regulations 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
Companies that breach the rules face fines of not more than Sh5 million or up to one percent of their annual turnover.
Data Commissioner Immaculate Kassait yesterday urged entities to comply with the laws by implementing data protection principles and safeguards to all processing activities that relate to the collection and storage of sensitive personal data.
“ODPC urges data controllers and data processors to ensure that the processing of personal data is in accordance with the Act. Failure to comply with the Act will result in instituting enforcement procedures,” said Kassait.