No.
Data Protection
2019
(i) to the extent to which the data controller or data
processor has complied with previous enforcement
notices or penalty notices;
(j) to adherence to approved codes of conduct or
certification mechanisms;
(k) to any other aggravating or mitigating factor
applicable to the case, including financial benefits
gained, or losses avoided, as a result of the failure
(whether directly or indirectly);
(l) to whether the penalty would be effective,
proportionate and dissuasive.
Administrative fines.
63. In relation to an infringement of a provision of this
Act, the maximum amount of the penalty that may be
imposed by the Data Commissioner in a penalty notice is
up to five million shillings, or in the case of an undertaking,
up to one per centum of its annual turnover of the
preceding financial year, whichever is lower.
Right of appeal.
64. A person against whom any administrative action
is taken by the Data Commissioner, including in
enforcement and penalty notices, may appeal to the High
Court.
Compensation to a data subject.
65. (1) A person who suffers damage by reason of a
contravention of a requirement of this Act is entitled to
compensation for that damage from the data controller or
the data processor.
(2) Subject to subsection (1)—
(a) a data controller involved in processing of
personal data is liable for any damage caused by
the processing; and
(b) a data processor involved in processing of personal
data is liable for damage caused by the processing
only if the processor—
(i) has not complied with an obligation under the
Act specifically directed at data processors; or
(ii) has acted outside, or contrary to, the data
controller’s lawful instructions.
(3) A data controller or data processor is not liable in
the manner specified in subsection (2) if the data controller