MasiboLaw

Book a Consultation

Zuku Fibre Fined KSh 500,000 for Privacy Breach: What Kenyan Businesses Must Learn

Published by

masibolaw

on

By Precious Simiyu

In a landmark enforcement decision, the Office of the Data Protection Commissioner (ODPC) has fined Wananchi Group Kenya Limited, trading as Zuku Fibre, KSh 500,000 for violating the privacy rights of a Kenyan citizen. The ruling underscores the growing weight of data protection compliance in Kenya under the Data Protection Act, 2019 and signals serious consequences for businesses that mishandle personal data.

As a firm specialising in data protection law and regulatory compliance, we break down what this decision means for your business—and how to stay on the right side of the law.

🚨 The Complaint Against Zuku Fibre

The complaint was lodged by Mr Abukar , who reported that Zuku Fibre had continued to process and retain his mobile number despite multiple requests for deletion. Crucially, the complainant was not an active customer and had never consented to the continued use of his personal information for marketing purposes.

Zuku acknowledged the number was linked to a previous account holder but failed to act on the erasure request promptly, prompting legal action.

⚖️ Legal Breaches Identified

The ODPC found that Zuku Fibre violated two critical rights under Kenya’s Data Protection Act:

1. Right to Erasure

Every data subject has the right to request the deletion of their data when it is no longer necessary for the purpose for which it was collected. Zuku violated this right by continuing to store and use the complainant’s mobile number without a lawful basis.

2. Right to Object to Processing

Data subjects can object to the processing of their data—particularly for direct marketing. Zuku Fibre ignored this objection and continued sending unwanted communications.

Additional violations included:

  • Lack of valid consent for data use
  • Unlawful processing of personal data
  • Obstruction of a lawful search warrant issued by the ODPC

🧾 ODPC Orders and Penalties

As a result of its findings, the ODPC issued several enforceable directives:

  • Immediate Data Deletion: Zuku was ordered to erase all personal data of the complainant and cease communications within 7 days.
  • Compensation: The company was fined KSh 500,000 payable to the complainant.
  • Criminal Proceedings: The ODPC recommended the prosecution of Zuku directors for obstructing lawful investigation procedures.

💼 Why This Matters for Your Business

This ruling serves as a wake-up call to all companies handling personal data in Kenya.

Key Legal Lessons:

  • 📌 Obtain informed, explicit consent before collecting or using personal data.
  • 📌 Respect erasure and objection requests promptly and in full.
  • 📌 Avoid obstructing ODPC investigations—this could lead to criminal liability.
  • 📌 Implement clear data governance frameworks to ensure compliance and reduce legal risk.

✅ Need Help with Data Protection Compliance?

Whether you’re a Digital Credit Provider, a telecom company, or a growing startup processing customer data, we can help you:

  • Draft compliant privacy policies and consent forms
  • Respond to data subject requests appropriately.
  • Handle ODPC investigations or complaints.
  • Conduct internal data protection impact assessments (DPIAs)

📩 Contact MasiboLaw LLP at info@masibolaw.co.ke to protect your business from costly fines and reputational damage.

Leave a Reply

Previous Post
Next Post