Data Protection Commission cracks whip - 5 Picked up for breach
The Data Protection Commission (DPC) has begun its enforcement of the data protection act.
It has begun cracking the whip and has picked up five people for questioning over their companies’ failure to comply with the Data Protection Act, 2012 (Act 843).
Those picked up, all decision-making directors, are being questioned over why among others, their companies have allegedly failed to register with the Commission as Data Controllers, while others processed personal data without the consent of their customers, by naming and shaming their clients.
Others were also said to have breached Section 82 of Act 843 which states that companies should not make collection of personal data a condition precedent to offer goods or services.
They are Hisense Group Limited, Quick Credit and Investment Microcredit Limited, Mawarko Fast Food, Agyabeng Akrasi and Co and Bemuah Royal Hospital.
After questioning, the DPC will decide which sanctions to apply and how it would be enforced, in line with the Act 843.
The directors were picked up after enforcement officers from the commission, with the assistance of the police, visited some companies which the commission had consistently sent notices reminding them to comply with the Data Protection Act.
The visits formed part of an enforcement exercise the commission started last Monday (August 14) following a public notice it sent about the action.
The Executive Director of the DPC, Patricia Adusei-Poku, explained that the nationwide enforcement exercise was necessary to protect the personal data of customers.
“We are particularly scaling up with spot checks, fines and visits to properties to establish why certain ultimate decision makers haven’t taken their obligations seriously.
“The commission is also checking whether the status quo of those who are complying are exactly what they say it is,” she said.
Data Protection Act
Ms Adusei-Poku stated that the commission had since 2018, engaged and educated defaulting companies about their obligation under the Data Protection Act.
She said prior to the start of the exercise, notices were put up in the media and 56 letters were also sent out to defaulting companies to remind them of their obligation.
“Prior to the public notices, we notified about 250 non-complying data controllers by letter quoting section 56 of the Act, which states that a person who fails to comply is breaching the Act and not complying with the law,” she said.
Section 56 letters
The executive director noted that the defaulting companies have all received such notifications but failed to adhere to the Act.
She advised the public to be wary of who they share their information with to avoid putting themselves at risk.
Mrs Adusei-Poku also urged companies to take action to comply with Act 843 to avoid reputational and financial loss through claims for compensations, fines or sanctions through the courts.
The Director in charge of Regulatory and Compliance at the DPC, Quintin Akrobotu, who spoke to journalists after the exercise, said data controllers were institutions and individuals who collected personal data to offer services.
He said they were expected to register and implement the appropriate measures to safeguard the information they collect.
He said it was the mandate of the commission to ensure that data controllers carried out their obligation of safeguarding personal data.
“We will continue to visit data controllers and ensure they are in compliance with the processing of personal data and the Act.