ODPC Determinations on the Use of Customer Images for Marketing

The Office of the Data Protection Commissioner (ODPC) recently issued a determination following an investigation into the data processing practices of Capital Sacco Limited.
Background to the Investigation
The investigation was initiated by the ODPC on its own motion following concerns that the SACCO was processing customers’ personal data, particularly images, without complying with the requirements of the Data Protection Act, 2019.
Specifically, the investigation examined whether the SACCO had been publishing customers’ images on its website and social media platforms for promotional purposes without notifying the individuals concerned (including minors) and without obtaining their consent.
As part of the investigation, the Data Commissioner requested the SACCO to provide details including:
  • A formal response to the allegations of unlawful data processing
  • The lawful basis relied upon to process customers’ data
  • Details on how the SACCO complies with the duty to notify data subjects
  • Mechanisms in place to enable data subjects to exercise their rights
  • Mitigation measures adopted in the event of breaches of data protection rights.
The SACCO’s Response
In response, the SACCO stated that in processing customer images, it relied on consent, legal obligation and the vital interests of the data subjects as the lawful bases for processing.
The SACCO further stated that it had implemented mechanisms to enable data subjects to exercise their rights under the Act, including opt-out mechanisms, and that it granted voluntary and free access to stored data.
It also stated that its processing of customer data was guided by the principles of fairness, lawfulness and transparency.
In addition, the SACCO indicated that it had introduced mitigation measures such as consent forms, complaint forms, stop-out messages and request for information statements, to promote compliance with the Act.
The Data Commissioner’s Findings
Following its investigation, the Data Commissioner established that:
  • The SACCO owned the subject website and a Facebook page on which the images were published
  • The SACCO collected and processed images of both adults and minors
  • The images were published on its website and Facebook page for commercial and promotional purposes.
Determination
The Data Commissioner held that:
  1. Contrary to section 30 of the Act, the SACCO failed to demonstrate that it had obtained valid consent from the data subjects. In particular, it did not provide any consent forms confirming the authority to use the images for commercial purposes.
  2. Contrary to section 33 of the Act, the SACCO did not demonstrate that it had implemented age verification mechanisms before collecting, processing or publishing images of minors for commercial purposes.
  3. The SACCO also failed to demonstrate how it fulfils the duty to notify data subjects about their rights, the nature of the data being collected, the purpose of processing, third party disclosures and the consequences of withholding data. This violated the principles of Data Protection under section 25(a), (b), (c), (d) and (e) of the Act.
  4. The SACCO also failed to demonstrate that its processing of personal data, particularly images for commercial purposes, complies with the statutory requirements under the Act.
  5. The SACCO could not demonstrate that it incorporates age verification mechanisms prior to collection, processing and further use of minors’ images for commercial purposes.
  6. Consequently, the Data Commissioner issued an Enforcement Notice against the SACCO.