Data Protection Determinations

We provide highlights of data protection determinations published by various Data Regulators across Africa.

Kenya

Roma School was penalized for non-compliance with the Data Protection Act after publishing a minor's image online without consent. Roma School challenged the penalty, arguing they hadn't received the initial Enforcement Notice due to improper service. The court found the electronic service of the notice to be valid, upholding the penalty and the ODPC's actions. Read more on DataHub

This case concerns a digital credit provider, Credit Watch Investment Limited, which listed individuals as guarantors for loans without obtaining their consent. When the borrowers defaulted, Credit Watch contacted the guarantors demanding repayment. The court found this to be a violation of the Data Protection Act, 2019, specifically the right to be informed about data use. The court upheld the ODPC's decision and the awarded compensation. Read more on DataHub.

Nigeria

Tokunbo Olatokun sued Polaris Bank for breaching his right to privacy by sending unsolicited marketing emails after he closed his account and instructed them to stop. Polaris Bank argued they were permitted to send marketing emails under CBN guidelines. The court ruled in favour of Olatokun, stating that Polaris Bank violated his right to privacy under the Nigerian Constitution and Data Protection Act, awarding him damages. Read more on DataHub

South Africa

This enforcement notice, issued by the Information Regulator of South Africa on 6 November 2024, cites the Department of Basic Education (DBE) for breaching the Protection of Personal Information Act (POPIA) by publishing matriculation examination results in newspapers without consent. The notice details multiple specific violations of POPIA, primarily concerning unlawful processing of personal information. The DBE is ordered to cease this practice immediately for 2024 results and implement a consent-based system for future publications, with strict deadlines and potential penalties for non-compliance. Read more on DataHub

Access Easy-to-Read Summaries of Determinations in Africa

Quiz

Q1: Can you store sensitive work documents on your personal email?

Answer Options:

A) Yes, as long as you delete them after use.

B) No, it increases security risks and may violate data protection policies.

C) Only if your manager approves it.

D) Yes, but only for backup purposes.

✅ Correct Answer: B – Always use secure, authorized channels to protect sensitive data.

Explanation:

Storing sensitive work documents on personal email poses security risks, including unauthorized access, data breaches, and non-compliance with data protection laws. Organizations require secure, authorized channels to ensure data confidentiality and integrity. Using personal email can also bypass security controls, making it harder to track and protect sensitive information.

Compliance Survey | Challenges in implementing a data driven approach to compliance.

The Privacy Lens | Featured Article

Key Takeaways from Kenya’s Precedent-Setting Ruling on Cross-Border Data Transfers

In November 2024, the High Court of Kenya issued a landmark ruling that jolted the compliance world awake, spotlighting the critical importance of adhering to data protection laws when transferring sensitive personal data beyond Kenya’s borders. This ruling is a game-changer for organizations handling personal data in Kenya, setting a precedent that reverberates across industries.

The court provided long-overdue clarity on Section 48 of the Data Protection Act 2019, making it unequivocally clear that obtaining prior approval from the Data Commissioner is mandatory when transferring sensitive personal data outside Kenya—regardless of whether the data subjects have provided consent or whether any complaints have been raised.

---

This is a summary of a blog article appearing on the DataHub | The Privacy Lens, A Blog. You can read the full article for a more detailed analysis by clicking on the link below.

Read the Article: Key Takeaways from Kenya’s Precedent-Setting Ruling on Cross-Border Data Transfers.

New Segment | Audio Notes Podcast

DataHub now features Audio Notes. This new feature, powered by NotebookLM, aims to make it easier to access and engage with the wealth of information available on the platform | The Audio Notes Podcast

Access Data Protection knowledge & resources, for free

Check out Africa-focused data protection resources: datahub.africa which includes:

• AI Policies & Case Tracker

• Country data laws and factsheets

• Data Protection decisions and summaries

• Data Protection Blog & Podcast

Tailored data protection training

Practical, down-to-earth Compliance Workshops to build on your team's knowledge. Contact us to find out more.

Email: info@mzizi-africa.com

No-nonsense reviews, advice and support

Like a chat about data protection issues you're facing? Get in touch and Margaret or Isaac will arrange a meeting.

Email: info@mzizi-africa.com

Access Africa-focused Data Protection Resources, for Free

Follow DataHub on LinkedIn, Twitter or check us out online.

DataHub is a free to use data-focused resource by MZIZI Africa