OPPO Kenya’s Sanction; a wake up call for Nigerian organizations.

Hi There,

Happy New Year! Welcome to the first episode of Privacy Notes in the year 2023!

On December 21, 2022 Kenya’s Office of the Data Protection Commissioner (ODPC) issued its first penalty notice against Oppo Kenya as a result of neglect and/or default to comply with an enforcement notice issued against it.

In November, the ODPC issued an enforcement notice against Oppo Kenya (the “Company”) for violating a complainant’s privacy by using their photo on the company’s Instagram account (stories) without the complainant’s consent. Oppo Kenya will be expected to pay a penalty of 5 million Kenya Shillings (approx $40,433 USD).

Likewise in October 2022 Nigeria’s own body, Nigeria Bureau of Data Protection (NDPB) issued additional compliance requirement notice to Data Controllers which demanded that;

  • Data Controllers read and understand the NDPR – as it applies to various situations and persons involved in data processing;
  • Develop and implement a Privacy Policy that is consistent with the NDPR 2019;
  • Notify employees, customers and online visitors of the organisation’s Privacy Policy;
  • Designate at least one or two members of staff as Data Protection Contacts (DPCs), who may, after training, become Data Protection Officers (DPOs) of their organisations;
  • Forward the names of the DPCs (not more than three) to the Bureau for a free Induction Course in Data Protection Regulation Compliance for Nigeria and the ECOWAS. Where an organisation has already appointed a DPO, the contact details of the DPO should be forwarded to the NDPB via email to info@ndpb.gov.ng and a hard copy should be submitted to the NDPB at its office, 5 Donau Crescent, Maitama Abuja;
  • Mandate service providers (agents, licensees, contractors etc.) to comply with the NDPR 2019;
  • Notify the NDPB of the technical and organisational measures it is taking for data privacy and protection).

The deadline was originally set for November 25, 2022 but has now been extended till January 20, 2023. Organisations are encouraged to take steps outlined above and if they fail to duly notify NDPB  of the technical and organisational measures they are taking for data privacy and protection by January 20, 2023, will be removed from the NaDPAP (National Data Protection Adequacy Programme) Whitelist. The Notice also states that where applicable, a penalty of up to 2% of Gross Annual Revenue may be imposed for NDPR violations.

It remains to be seen if the NDPB will slap major fines like we have seen with Kenya for instance.

Till next edition, stay compliant!

Leave a Reply

Your email address will not be published. Required fields are marked *