A mobile loan lender Whitepath Company Limited and a modern workspace provider Regus Kenya, have each been fined KSh5 million by the Office of Data Protection Commissioner (ODPC) for breaching data privacy laws.

This is after the ODPC received close to 150 complaints against Whitepath alleging that their applications have accessed their mobile phone contacts and are sending unwarranted and unsolicited text messages to the said contacts.

The Whitepath staff are also accused of harassing the complainants and their contacts irregularly obtained from the complainant’s phone book.

Regus Kenya, a firm that provides modern, flexible workspace to customers was penalised for failing to respond to complaints alleging frequent spamming and inappropriate automated information despite attempts by the complainant to make the firm stop.

“Each company is required to pay the ODCP a penalty of KSh5 million pursuant to section 63 of the Data Protection Act, and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement),” a statement from ODCP read in part.

In 2021, ODPC began investigations into several mobile loans lender for sharing borrowers’ data in pursuit of loan defaulters. And in early last year, the Central Bank of Kenya (CBK) banned the lenders, their officers, or agents in the course of debt collection, from using obscene or profane language with the customer or the customers’ contacts for purposes of sharing them.

Under the Digital Credit Providers Regulations 2021 which came to effect last year, mobile loans lenders are not supposed to send information about loan defaulters to third parties in name-and-shame tactics meant to recover the money.

According to Data Commissioner Immaculate Kassait, data protection is the responsibility of every data controller and processor, and it must be a company’s top priority whenever they collect, process, or store personal information. “I challenge businesses to protect personal data by design and by default and cooperate with the ODCP to avoid penalties,” she said.

The ODPC also issued an enforcement notice to Ecological Industries Limited for non-compliance with several notifications of a lodged complaint. The company is accused of publishing a personal photo on a company catalogue and calendar for marketing purposes.

The ODPC warned the company of a penalty notice if it fails to comply with the enforcement notice within the stipulated time.

Section 63 of the Data Protection Act stipulates that, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to KSh5 million, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.