Roma School fined Sh4.5m for posting minor's image without parental consent

Data Commissioner Immaculate Kassait speaking during the 2022 Data Governance conference. [Wilberforce Okwiri, Standard]

The Office of the Data Protection Commissioner (ODPC) has cracked the whip on three companies that allegedly breached data privacy rights.

As a result, the three companies have been penalised a total of Sh9.4 million.

Roma School, based in Uthiru, has received the highest penalty, Sh4,550,000, for posting a minor's picture without parental consent. According to the ODPC, the penalty aims to send a strong message to schools and other facilities handling minors' data to obtain consent from parents/guardians before processing minors' data.

Mulla Pride Limited, a Digital Credit Provider (DCP) that runs the KeCredit and Faircash mobile lending applications, has been penalised Sh 2,975,000 after the Data Protection Commissioner Immaculate Kassait found it culpable of using the complainants' names and contact information, which were obtained from third parties.

"Subsequently, they used the information to send threatening messages and phone calls. This penalty will ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data and the intention of processing the said data," the ODPC noted.

Casa Vera Lounge, a restaurant located along Ngong Road in Nairobi, has also been penalised Sh 1,850,000 for posting a reveler's image on its social media platform without the subject's consent.

"This penalty seeks to ensure that other lounges, clubs, etc. seek consent from their customers before posting their images online."

The penalty notices have been issued under Sections 62 and 63 of the Data Protection Act, 2019, and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

"The office has also conducted a compliance audit on WhitePath (a digital credit provider) and an inspection on Naivas Supermarkets on a recent data breach. The findings will be shared with the data controllers for their swift action," the statement concluded.