Kenya’s data watchdog has ruled against Wananchi Group Limited, which operates as Zuku, ordering the company to pay Ksh500,000 in compensation to a former customer for repeatedly sending him promotional messages long after terminating his subscription.
The Office of the Data Protection Commissioner (ODPC) determined that Zuku violated the complainant’s rights by failing to erase his personal data, as required under the Data Protection Act.
The company also ignored his right to object to the processing of his personal data for marketing purposes. Tthe ODPC found that Zuku failed to provide an effective system for customers to exercise their data protection rights, as the mechanism outlined in its privacy policy was nonfunctional.
Repeated Complaints Ignored
The complainant revealed that despite ending his relationship with Zuku years ago, the company continued to send him unsolicited messages. He made multiple requests—via phone calls, emails, and verbal communication—asking the company to delete his information from its databases. However, Zuku failed to act.
Frustrated by the lack of action, he escalated the matter by formally emailing Zuku on November 16, 2024, using the address listed on their website. However, his message was undelivered because the email address was invalid.
The complainant stated that these repeated unsolicited messages caused him significant inconvenience and distress. He also argued that Zuku’s failure to address his concerns undermined trust in the company’s ability to handle customer data responsibly.
Violation of Data Protection Laws
In its ruling, the ODPC emphasized that the complainant had been denied the ability to exercise his right to object to the processing of his personal data and his right to have misleading data erased. The determination cited Section 26(a) and Section 26(e) read with Section 40(1)(b) of the Data Protection Act, 2019, as the legal basis for these violations.
“The complainant contends that Zuku’s ongoing retention and misuse of his personal data violate his rights under the Data Protection Act, including the right to erasure and the right to object to the processing of personal data for marketing purposes. He believes that keeping his personal information unnecessarily increases the risk of unauthorized access or misuse, exposing him to potential fraud or identity theft,” the ODPC ruling stated.
Continued Violations Even After Filing Complaint
Even after filing a formal complaint with the ODPC, the complainant continued to receive messages from Zuku. On December 15, 2024, he received an email from Wananchi Group titled “Service Auto Suspension Notification,” further proving that the company had ignored his request to delete his data.
As evidence, the complainant submitted proof of his previous data deletion requests, including the unsuccessful attempt to contact the company through its website-listed email address.
ODPC Orders Ksh500K Compensation and Data Deletion
After reviewing the case, the ODPC ruled that Zuku had violated the complainant’s right to control his personal data. The regulator found that the company lacked an effective system to allow customers to exercise their data protection rights, as its privacy notice contained nonfunctional mechanisms.
As a result, the ODPC ordered Zuku to:
- Compensate the complainant with Ksh500,000.
- Delete his personal data from its systems.
- Stop all communication with him.
- Provide proof of compliance within seven days of the ruling.
Both Zuku and the complainant have the right to appeal the decision at the High Court of Kenya within 30 days.
This ruling sets a strong precedent for data privacy enforcement in Kenya, highlighting the importance of companies respecting customer data rights and ensuring proper mechanisms for handling opt-out requests.
With data privacy laws becoming more stringent, companies must ensure they have functional systems for customers to manage their information. Failure to comply could result in hefty fines and reputational damage.
For consumers, this case highlights the importance of standing up for data privacy rights. If a company continues to misuse personal information, legal action can lead to accountability and compensation.
