Your data rights as a customer and avenues for remedy

Compliance with the Kenya Data Protection Act can help build more trusting relationships with your customers and the public. PHOTO | SHUTTERSTOCK

Dear Cathy,

I read your article on data protection last week where you advised on the steps that businesses can take to safeguard client data. As a consumer, what rights do I have and what should I do if these rights are breached?

-Benard

Dear Benard, your inquiry is very timely as it is Customer Service Week so happy customer service week! As I had mentioned in the previous article, Kenya has robust legislation on data protection and is reputed to be the best in Africa.

Kenya definitely has a data protection legislation that matches up global standards, given that our law is similar to the European Union law on data protection. Kenya has also set up structures and a regulator who is already doing a good job of enforcing data protection rights in the country.

The question is, what are these rights exactly? Under the law, you are defined as a data subject, that is, a person who gives out their data to a third party for either handling or processing. Customers are one of the biggest data subjects and they have certain rights.

To have a broader understanding of data rights, it is good to know that data protection is not only covered under data protection laws but also under other laws like the Constitution and consumer protection. The data laws just further cement existing data subject rights.

First, the Constitution gives you a right to privacy and perhaps this is the most important foundation on data privacy. Even prior to the existence of the data protection laws, the Constitution already protected customers from having their privacy breached.

In one case, a doctor was held liable for sharing a patient’s HIV status with the patient’s employer. Based on the HIV-positive status of the patient, the employer terminated the employee. The court found this to be a breach and awarded general damages to the patient/employee.

Under consumer protection laws, you are also protected to some extent. However, the data protection laws provide a more detailed mechanism setting out your rights and the obligations suppliers have to protect your data.

First, is that you must give consent before your data is taken or processed. This consent must be clear and be in writing.

The consent includes an authorised use section where the supplier has to state the purposes for which he will take your data and also handle or process it.

For example, you may give out your phone number and other personal details such as your address, age and so on. The supplier cannot use this data outside of the consented top use.

For example, he cannot give this data to third parties or use it for other purposes such as research or marketing without your consent.

If your supplier is say a financial institution, can they give your details to a debt collector without consent? The loan application forms probably cover that and should be carefully read.

Your photo should therefore not be taken without consent and even if you consent, they must state for which purpose they will use your photo.

You have the right to object to the use of your data and can even request for the deletion of your data. A supplier is obligated to give you your data when requested to do so.

There are several remedies available. One is to make a complaint with the regulator. You can also seek monetary awards through a court process where you will be awarded general damages as compensation.

The award shall be determined by the court.

Ms Mputhia is the founder of C Mputhia Advocates | [email protected]