Introduction
The right to object to processing is absolute where the processing is for direct marketing purposes. Under section 26 of the Data Protection Act, 2019, data subjects may object to the processing of all or part of their personal data. Upon receiving such a request, data controllers and processors must comply within 14 days, unless they can demonstrate compelling legitimate interests that override the data subject’s interests, or where the processing is necessary for the establishment, exercise, or defence of a legal claim.
In Benson Odiwuor Otieno vs. Digital Regenesys Limited, ODPC Complaint No. 1903 of 2024, the Office of the Data Protection Commissioner (ODPC) underscored the importance of data controllers and processors respecting and upholding data subjects’ rights when processing personal data for direct marketing purposes.
Background
The Complainant lodged a complaint with the ODPC alleging that the Respondent had been sending unsolicited promotional messages without his knowledge or consent. He further stated that, despite expressly objecting to the processing and issuing a cease-and-desist notice, the Respondent continued to send the promotional messages. Upon receiving the complaint, the ODPC notified the Respondent and requested a response to the allegations, together with the relevant information. The Respondent failed to respond, and as a result, the allegations remained uncontroverted.
Issues for Determination
The ODPC identified the following issues for determination:
- whether the Complainant’s data was lawfully processed; and
- whether the Complainant was entitled to any remedies under the Act.
Determination
In assessing the lawfulness of the processing, the ODPC relied on Section 30 of the Data Protection Act, which sets out the lawful bases for processing personal data. As the Respondent failed to respond to the complaint despite being afforded the opportunity, the ODPC concluded that the Respondent had no lawful basis for processing the Complainant’s personal data.
The Complainant sought compensation and the permanent erasure of his personal data from the Respondent’s systems. The ODPC ordered the Respondent to delete the Complainant’s personal data, cease all further contact with him, and provide proof of erasure to the Office within seven days of the determination. The ODPC further issued an Enforcement Notice against the Respondent and awarded the Complainant Kshs. 200,000 in compensation.
Conclusion
This determination reinforces the ODPC’s firm position on the protection of data subjects’ rights, particularly in direct marketing. The case highlights the obligation of data controllers and processors to obtain valid consent, honour objections to processing, and respond promptly to regulatory inquiries. It also demonstrates that failure to engage with the ODPC may result in adverse findings, enforcement action, and monetary penalties. Overall, the decision underscores the importance of accountability and compliance in all personal data processing activities.

