MasiboLaw

Book a Consultation

Platinum Credit Data Breach: ODPC Orders KSh 400K Compensation for Privacy Violation

Published by

masibolaw

on

By Precious Simiyu

In a landmark ruling, the Office of the Data Protection Commissioner (ODPC) found Platinum Credit Limited guilty of unlawfully using a data subject’s personal information. The case was brought by Mr. Waweru, who alleged repeated violations of his data privacy rights under the Data Protection Act, 2019.

The Complaint: Unauthorized Marketing and Data Use

Mr. Waweru filed a complaint citing the following issues:

  • Unsolicited Contacts: He received persistent promotional text messages and phone calls from Platinum Credit or its agents without having given prior consent.
  • Use of Personal Data: In one call, a sales representative referenced Mr. Waweru’s vehicle details and other personal information, which he had not submitted to the company.
  • No Prior Relationship: The complainant emphasized that he had never signed any agreement, submitted his data to Platinum Credit, or interacted with them.

Company’s Response

Platinum Credit denied the allegations, stating that:

  • Mr. Waweru had never been in their customer database, and
  • The telephone number used to contact him was not linked to their operations.

Legal Issues Identified by the ODPC

The ODPC framed the dispute around two primary legal issues:

  1. Whether Platinum Credit fulfilled its obligations under the Data Protection Act in processing the complainant’s personal data—particularly regarding lawful processing and compliance with core data protection principles.
  2. Whether the complainant was entitled to remedies under the Act and the regulations, based on the alleged violations.

These issues encompassed critical elements such as:

  • Consent
  • Lawful basis for data processing
  • Data subject rights
  • Corporate accountability and remedies

ODPC’s Findings and Final Decision

Following its investigation, the ODPC reached the following conclusions:

1. Absence of Consent and Unlawful Use of Personal Data

The ODPC found that Platinum Credit’s agent had accessed and used the complainant’s personal data without his consent, contrary to the requirements of the Act.

  • The company had no lawful justification for processing the data.
  • The complainant had not consented to the marketing communications.

2. Violation of Data Minimization Principle

The company collected and distributed more personal information than was necessary for its marketing objectives. This breached the principle of data minimization, which mandates that organizations only collect data relevant and limited to the purpose for which it is processed.

3. Misleading the Regulator

Platinum Credit was found to have provided false or misleading information to the Commissioner during the investigation. This constituted an offence under Section 63 of the Act, which criminalizes obstructing or misleading the ODPC.

The Commissioner specifically held that the company not only processed Mr. Waweru’s data unlawfully but also obstructed the ODPC’s investigation.

Final Orders and Penalties Issued

Based on the findings, the ODPC made the following orders:

  • Platinum Credit Limited was found liable for violating Mr. Waweru’s rights under the Data Protection Act.
  • The company was ordered to pay KSh 400,000 (Four Hundred Thousand Kenyan Shillings) to the complainant as compensation.
  • An Enforcement Notice was issued, requiring Platinum Credit to take corrective steps to comply with data protection obligations.
  • The ODPC recommended prosecution of the company’s directors for knowingly providing false or misleading information during the inquiry.

Implications for Businesses in Kenya

This case serves as a powerful reminder to businesses that non-compliance with data protection laws has serious consequences under Kenyan law. Key implications include:

Consent Is Mandatory

  • Organizations must obtain explicit, informed consent before collecting or processing personal data.
  • Marketing messages or calls must not be sent without a clear, auditable record of consent.

Limit Data Collection

  • Only collect and share personal data that is strictly necessary for a legitimate purpose.
  • Avoid collecting excessive or irrelevant personal details.

Data Subject Rights Must Be Respected

  • Organizations should have clear procedures for handling data access requests, deletion requests, and withdrawal of consent.
  • Failure to act promptly or transparently can result in legal action.

Do Not Mislead the Regulator

  • Providing false or incomplete information during an ODPC inquiry can trigger prosecution and escalate penalties.

Train Your Staff on Data Protection

  • Sales, marketing, customer service, and IT teams should receive regular training on compliance with the Data Protection Act and its regulations.

Conclusion: A Wake-Up Call for Kenyan Organizations

The Waweru v Platinum Credit case underscores the ODPC’s growing enforcement capacity and Kenya’s increasingly robust data protection environment.

Businesses operating in Kenya should take immediate steps to:

  • Audit their data collection and processing practices
  • Update privacy policies
  • Implement consent management systems
  • Train staff
  • Ensure transparency and accountability in case of regulatory scrutiny

Failure to comply could expose organizations to fines, enforcement notices, reputational damage, and even prosecution.

Is Your Business Compliant with Kenya’s Data Protection Laws?

Or Have Your Privacy Rights Been Violated?

At MasiboLaw LLP, we advise both organizations and individuals on data protection under the Data Protection Act, 2019.

👩‍⚖️ For Individuals:

Have you received unsolicited messages or calls? Was your personal information used without your consent?

📞 You may be entitled to compensation.
Our experienced data protection lawyers can help you:

  • File a complaint with the ODPC
  • Demand accountability from data violators
  • Pursue compensation for privacy violations

🏢 For Businesses:

Avoid costly fines and reputational damage. We offer:

  • Full data protection compliance audits
  • Policy drafting (privacy notices, consent forms)
  • Staff training and ODPC defense

📩 Take the first step today.
Email us at info@masibolaw.co.ke to schedule a confidential consultation.

🔒 Data privacy is your right—and your responsibility. Let us help you protect it.

Leave a Reply

Previous Post
Next Post