Wananchi Group Limited, which owns Zuku, has been fined KES 500,000 for persistently sending promotional messages to a former customer against his explicit requests.
The Office of the Data Protection Commissioner (ODPC) has also recommended the prosecution of Zuku’s directors for obstructing the investigation into the matter.
As reported by Business Daily, the case centers around a complaint filed on November 18, 2024, by Yasin Abukar, who alleged that despite terminating his services with Zuku years prior, the company continued to send him unsolicited promotional messages.
Mr. Abukar claimed that his multiple requests—made verbally, over the phone, and via email—for the deletion of his personal data were ignored. He further reported that attempts to escalate the issue were thwarted by an invalid email address provided on Zuku’s website, rendering direct communication with the company ineffective.
In response to the complaint, Zuku stated that a thorough review of its records revealed no data deletion requests from an individual named Abukar. To verify this claim, the ODPC conducted an on-site visit to Zuku’s premises on February 11, 2025.
However, Data Commissioner Immaculate Kassait reported that her officers were denied access to both digital and manual records pertinent to the investigation, despite possessing a court-issued search warrant.
“The respondent (Zuku) was uncooperative and refused to comply with the court order granting the Office (ODPC) access to search the respondent’s premises, digital and manual records, system(s), and database(s),” Ms. Kassait stated.
This lack of cooperation impeded the ODPC’s ability to verify Zuku’s assertions, leading to the conclusion that the company’s responses amounted to mere denials.
The ODPC’s determination, dated February 15, 2025, not only imposes a financial penalty on Zuku but also recommends the prosecution of the company’s directors for obstructing the investigation.
This case highlights the stringent measures being enforced to protect consumer data under Kenya’s Data Protection Act, which mandates that organizations respect individuals’ rights to privacy and comply with data deletion requests.
The ruling serves as a critical reminder to companies about the legal obligations surrounding data management and the potential repercussions of non-compliance. As data privacy concerns continue to rise globally, Kenyan authorities are demonstrating a commitment to upholding individuals’ rights and ensuring that organizations adhere to established data protection standards.
Parties involved in this case have been granted the right to appeal the decision at the High Court within 30 days, as stipulated by the ODPC. This development marks a significant step in reinforcing data protection laws in Kenya and sets a precedent for how similar cases may be handled in the future.
For consumers, this decision offers reassurance that their concerns regarding data privacy are being taken seriously and that there are legal avenues available to address grievances.
As for businesses, it underscores the necessity of implementing robust data management practices and ensuring compliance with data protection regulations to avoid legal and financial penalties.
