Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Section 40(1)(b), 29 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya
Type: Complaint
Outcome: No violation
Started: 28 September 2023
Decided: 15 December 2023
Published: Yes
Fine: N/A
Parties: James Kabiru vs. Safaricom PLC & Guaranty Trust Bank Kenya Ltd (Interested Party)
Case No.: 1829 of 2023
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa

Contents

  1. Summary
    1. Facts
    2. Holding
  2. Comment
  3. Further resources
  4. The Decision

Summary

Safaricom PLC (the “Respondent”) was found not liable for violating the rights of the Complainant by sharing a customer's personal mobile phone number with third parties. The Complainant continued to be listed as a contact person for Paybill/Till administration despite having left his employer five years prior. His details were never updated.

Facts

The complaint was filed against Safaricom PLC for allegedly sharing the personal mobile phone number of John Kabiru with Guaranty Trust Bank (Kenya) Limited's customers who make payments to Mount Kenya University via paybill and occasionally require transaction reversals to be initiated by John Kabiru, a former employee of the Interested Party.

The Interested Party was enjoined in the case once the ODPC established, from a preliminary review of the case, that it was a necessary party to the complaint.

The Complainant alleged that the Respondent's customer care agents have been advising Mount Kenya University's customers to contact him for transaction reversals, and that he has advised the Respondent, without success, to stop sharing his personal number.

This alleged sharing of personal information has been ongoing from 2018 to the present, worsening during school fees payment season.

The Complainant provided a Certificate of Service from the Interested Party dated 24 November, 2023, as proof of his former employment with the Interested Party in the Information Security Department. The Interested Party provided a copy of the employment contract between the Complainant and itself as proof of his former employment.

The Interested Party stated that all personal data collected from the Complainant was for the explicit, specified, and legitimate purpose of his employment, and the data was only limited to what was necessary for that purpose.

The Complainant also alleged that students from Mount Kenya University have been sharing their personal information with him, and he has been verbally abused because he cannot help them with the reversal requests, as they were given his contact information by the Respondent's agents.

The Respondent stated that it collected and recorded the Complainant's details on account of his employment with the Interested Party and based on the terms of an agreement to manage/aggregate a paybill/till, and that the personal data collected was reasonable, necessary, and for a specific purpose. The terms of the till/payment agreement placed sole responsibility for updating key contacts on the Third Party. The Respondent averred that it has never received a change request from the Third Party to enable it to update the contact records for the paybill administrator.

The Interested Party, upon being notified of the complaint, took remedial measures by requesting the Respondent to erase the Complainant's personal data and remove him as an administrator of the paybill on 28 November 2023.

Upon carrying out its investigations, the Office found that the Complainant's rights were not violated, and it noted that the Interested Party swiftly and in a timely manner took steps to remedy the situation upon being made aware of it. The Office also found that the Complainant did not provide evidence of making a request to the Interested Party to remove him as a paybill administrator. Therefore, the Office determined that the Complainant is not entitled to any remedies under the Data Protection Act and the attendant regulations.

Holding