DataHub Weekly | 🤝 Soft Opt-In & Consent
Jun 06, 2025 4:31 am
⚖️📄 Featured Data Protection Determinations
What Are Regulators Saying?
We spotlight real rulings and decisions from Africa’s data protection authorities. Whether it’s a fintech misstep or a lesson in lawful consent, each case offers practical insights for businesses navigating compliance in a fast-changing landscape. Here’s what caught our eye this month in Kenya 👇🏾
Third Party Compliance
Platinum Credit failed to demonstrate that they took all reasonable measures to ensure their agents complied with the Data Protection Act's provisions. Their agents continued calling the Complainant about their products and ignored repeated requests to stop. Read more in DataHub
Data Breach
It was alleged that the director of a sports federation shared the complainant's personal data with a third party without consent. The Respondents claimed they shared the data for legitimate reasons and notified the ODPC after becoming aware of the breach. The ODPC found the Respondents violated the Data Protection Act by failing to promptly report the data breach and sharing data without consent. They issued an Enforcement Notice and held the Respondents liable. Read more in DataHub
Disciplinary Processes
The Complainant alleged her personal data was processed by Samasource without consent during an employment investigation. Samasource argued that written consent was given for data on the work laptop. The ODPC found valid consent existed and processing was limited to the laptop, deeming it lawful. The complaint was dismissed. Read more in DataHub
Obstruction of Justice
Samuel Waweru complained of unsolicited promotional calls and messages from Platinum Credit Ltd's agent despite no prior engagement or consent. Platinum Credit initially denied knowing the applicant but later stated the agent's actions were within their mandate. The ODPC found the respondent processed the data without express consent for commercial purposes. The final ruling held them liable, ordered KES 400,000 compensation, and recommended prosecution of directors for providing false information. Read more in DataHub
🧠 Compliance Corner: Quick Quiz
Which of the following has been the most common reason Kenyan companies, especially fintechs, have landed in hot water with the ODPC?
A) Failing to register as data controllers
B) Not having a Data Protection Officer (DPO)
C) Sending marketing texts without consent
D) Using personal data collected indirectly (e.g., from third parties) without informing the data subject
Answer: D — Using personal data collected indirectly without informing the data subject.
📉 This has become a frequent red flag, especially in fintech and credit scoring apps.
The ODPC has made it clear: if you collect personal data not directly from the individual, you're required to notify them, and in many cases, get consent. Failure to do so? That’s how you end up with an enforcement notice.
The Fines Database is Live!
Our Fines Database is a searchable, regularly updated resource tracking data protection enforcement actions in Africa.
Largest Fine This Week: KES 1M against Tulia Amboseli Safari Ranch Ltd
🔍 The Privacy Lens | Featured Article
Soft Opt-In and Direct Marketing: What Benin Gets Right About Data Protection
As African countries advance their data protection regimes, a growing divergence is emerging in how they balance consumer privacy with business needs, particularly around direct marketing and consent. This article compares Benin’s “soft opt-in” model, which allows limited marketing without prior consent under specific conditions, with Kenya’s stricter stance, recently affirmed in the Jaggys (Kienyeji) ruling by the ODPC. Through this lens, we explore how regulatory choices are shaping everyday business communications and what this means for compliance across the continent.
---
This is a summary of an article appearing on DataHub | The Privacy Lens, A Blog. You can read the full article for a more detailed analysis by clicking on the link below.
🎙️ Audio Notes, a Podcast
Audio Notes, powered by NotebookLM, makes it easier to access and engage with the wealth of information available on the platform.
Have a Listen | Truehost Nuking Data and the Right of Access
👩🏾🏫 Training & Advisory
Practical, down-to-earth advice and training through Compliance Workshops to build on your team's knowledge. Microlearning Courses available via the MZIZI Africa LMS.
Email: info@mzizi-africa.com
________________________________________________________________
Follow DataHub on LinkedIn, Twitter or check us out online.
DataHub is a free-to-use resource by MZIZI Africa.