Whitepath, Regus slapped with Sh5m fine for breaching data laws

Mobile loan lender Whitepath and office space provider Regus Kenya have been fined 5 million Malaysian shillings each for breaching customer data privacy.

The Office of the Data Protection Commissioner (ODPC) said it had received nearly 150 complaints from Whitepath customers alleging that the digital lender was mining their phone contacts and sending them spam in contravention of data protection laws.

The regulator said on Tuesday that the company had failed to comply with an earlier enforcement notice, which resulted in the fine being paid.

Regus was penalized for failing to respond to complaints alleging frequent spam and inappropriate automated information despite the complainant’s attempts to stop the company.

“Each company is required to pay a fine of Sh5 million to the ODPC in accordance with Section 63 of the Data Protection Act and Regulation 20 of the Data Protection (Complaint Handling and Enforcement Procedure),” said the Data Commissioner.

The inferred section prohibits the use of personal data obtained by law for commercial purposes without the consent of the data subject or permission under any written law.

The privacy laws, which received parliamentary approval in March last year, require all data controllers and data processors to register with the ODPC.

The suite of regulations includes the Data Protection (General) Regulations 2021, the Data Protection Regulations (handling of complaints and enforcement procedures), 2021, and the Data Protection Regulations (registration of data controllers and data processors), 2021.

Businesses that break the rules face fines of no more than 5 million shillings, or up to one percent of their annual turnover.

Also read: Oppo fined Sh5m for breaching data laws

environmental industries

The ODPC also issued an executive notice to Ecological Industries Limited for non-cooperation with several notices of complaint filed. In the suit, the company is accused of posting a personal photo in the company’s catalog and calendar for marketing purposes.

The company was given a penalty notice if it failed to comply with the enforcement notice within the stipulated timelines.

Data Commissioner Immaculate Cassette urged companies to comply with data protection laws to avoid penalties.

“Data protection is the responsibility of every data controller and processor and should be a top priority for a company when they collect, process or store personal information. I challenge companies to protect personal data by design and by default to avoid penalties,” said Ms Cassett.

is reading: Google to block apps borrowed from photos and contacts

→ (email protected)