37
2019
Data Protection
No.
(b) fails to provide assistance or information requested
by the Data Commissioner;
(c) refuses to allow the Data Commissioner to enter
any premises or to take any person with them in
the exercise of their functions;
(d) gives to the Data Commissioner any information
which is false or misleading in any material aspect,
commits an offence and is liable on conviction to a
fine not exceeding five million shillings or to imprisonment
for a term not exceeding two years, or to both.
62. (1) If the Data Commissioner is satisfied that a
person has failed or is failing as described in section 58, the
Data Commissioner may issue a penalty notice requiring
the person to pay to the Office of the Data Commissioner
an amount specified in the notice.
(2) In deciding whether to give a penalty notice to a
person and determining the amount of the penalty, the Data
Commissioner shall, so far as relevant, have regard—
(a) to the nature, gravity and duration of the failure;
(b) to the intentional or negligent character of the
failure;
(c) to any action taken by the data controller or data
processor to mitigate the damage or distress
suffered by data subjects;
(d) to the degree of responsibility of the data
controller or data processor, taking into account
technical and organisational measures;
(e) to any relevant previous failures by the data
controller or data processor;
(f) to the degree of co-operation with the Data
Commissioner, in order to remedy the failure and
mitigate the possible adverse effects of the failure;
(g) to the categories of personal data affected by the
failure;
(h) to the manner in which the infringement became
known to the Data Commissioner, including
whether, and if so to what extent, the data
controller or data processor notified the Data
Commissioner of the failure;
Penalty notices.
!