“Safaricom Fined Sh250,000 for Unauthorized use of Customer ID”, February 28, 2025

A landmark ruling has seen Safaricom and Becton Dickinson (BD) fined Sh.250,000 each for unlawfully using a customer ID. This case highlights the growing importance of Kenya’s Data Protection Act and its enforcement. The incident reveals gaps in corporate data practices and sets a precedent for accountability. The case arose when Catherine Murithi, an employee of Becton Dickinson (BD), submitted her national ID and personal documents as part of her onboarding process on August 16, 2021. BD requested her to convert her personal Airtel line into a corporate Safaricom number, following company policies. However, after terminating her employment on September 30, 2024, BD shared her ID with Safaricom to transfer the line back to her name—without informing her. Safaricom processed the request without obtaining Murithi’s consent or verifying her authorization. Feeling that this action violated her rights, Murithi filed a complaint with the Office of the Data Protection Commissioner (ODPC)…

Data Commissioner Immaculate Kassait investigated the complaint and found both Safaricom and BD guilty of violating the Data Protection Act. The violations included:

1. Ignoring Consent Requirements: BD transferred Murithi’s data without her explicit consent.
2. Lack of Transparency: Safaricom failed to inform her about the data transfer.
3. Unlawful Data Processing: Both entities mishandled her personal information, infringing on her privacy.

Each company was fined Sh.250,000, totaling to Sh.500,000, signaling the seriousness of data privacy violations. Commissioner Kassait emphasized that organizations must adopt robust data protection measures to avoid such breaches…