The Office of the Data Protection Commissioner (ODPC) has ruled that Zuku Fibre Kenya, operated by Wananchi Group (Kenya) Limited, breached the Data Protection Act by failing to delete a former customer’s personal data upon request.  

The case was filed by Yasin Abukar, who claimed he continued receiving promotional messages from Zuku Fibre despite terminating his relationship with the company years ago. Repeated requests to have his data erased—via phone calls, emails, and verbal communication—were allegedly ignored.

An ODPC investigation found that the email address provided on Zuku Fibre’s website for data protection inquiries was inactive, making it difficult for Abukar to exercise his right to data deletion. Despite Zuku’s denial of receiving formal deletion requests, the ODPC found evidence that the company continued processing Abukar’s data and obstructed the investigation.

The regulator ruled that Zuku Fibre violated Sections 26 and 40 of the Data Protection Act by failing to honor Abukar’s data deletion request, unlawfully processing his personal data, and providing an invalid contact channel for data protection inquiries.

“The right to data deletion is fundamental, and organizations must comply with the law or face the consequences,” the ODPC stated.

Zuku Fibre now faces potential penalties, including fines and legal action, with the ODPC expected to issue enforcement measures.