| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 5(6), 8(1)(f), 26, 37, 58, 61, 65(1), 65(4) of the Data Protection Act, 2019; Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Regulation 15, 16, 8(4) and 8(5) of the Data Protection (General) Regulations 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 3rd and 4th June 2024 |
| Decided: | 26 August 2024 |
| Published: | Yes |
| Fine: | KES 650,000 (KES.200,000 to the first complainant and KES.450,000 to the second). |
| Parties: | Aluo Jane Njoki and Anor vs. Spoton Vacations Ltd |
| Case No.: | 740 & 779 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
This case involves a complaint against Spoton Vacations Limited for sending unsolicited promotional messages to two complainants. The complainants claim their right to privacy was violated under the Kenyan Constitution and Data Protection Act because they did not consent to the use of their data for marketing purposes. The ODPC found the respondent failed to secure proper consent and did not provide an opt-out mechanism, ordering them to pay KES 650,000 in compensation.
This case involves two complainants, Aluo Jane Njoki and Teresia Mutindi Munyiwoki, and the respondent, Spoton Vacations Limited.
The first complainant's case was initially resolved in June 2024, but she filed a new complaint after she continued receiving unsolicited promotional messages from the respondent.
The second complainant inquired about holiday rates from the respondent on December 26th, 2021 and May 9th, 2023. She then began receiving promotional messages from the respondent.
The second complainant repeatedly requested that the respondent cease sending promotional messages.
She claims the respondent has purged her number from their database, which does not rectify their previous unauthorised use of her data.
The respondent stated that the complainants were clients who previously engaged them. The respondent said it implemented an outreach initiative to inform previous clients of upcoming activities, and messages were inadvertently sent to the complainants.
The respondent asserted that they blocked the first complainant's number after the resolution of the first complaint.
The respondent maintained that the second complainant consented to receiving broadcast messages. The respondent produced their privacy policy and terms of service as evidence.
The ODPC found that the respondent obtained the complainants' personal data when they inquired about the respondent's services.
The respondent failed to inform the complainants that their personal data would be used for direct marketing purposes.
The respondent did not obtain explicit consent for the use of the complainants' personal data for direct marketing purposes. The respondent did not provide proof of consent as required by Section 32(1) of the Act.