THE ENFORCEMENT ARM OF THE ODPC: THE NON-COMPLIANCE EFFECT

Introduction

With its enactment in 2019, the Data Protection Act (the Act) established the framework for implementing Articles 31(c) and 31(d) of the Constitution of Kenya 2010, which provide for the right to privacy and outlaw the unauthorised disclosure of personal information. The Act sets the lawful confines within which personal data may be processed and, consequently, the compliance requirements for all data controllers and data processors. Failure to comply with the stipulated requirements poses financial and reputational risks that can be avoided, as discussed in this blog.

Compliance requirements

There are many requirements imposed upon data processors and data controllers to ensure compliance with the Act and the Data Protection (General) Regulations, 2021 (the regulations). Firstly, section 18 of the Act requires data controllers and data processors to be registered by the Office of the Data Protection Commissioner (ODPC). The only legal or natural persons exempt from mandatory registration under section 13(2) of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 are those with an annual turnover or revenue below 5 million shillings and 10 employees or fewer. Nevertheless, the third schedule to these regulations requires organisations providing services such as CCTV systems, betting, education, healthcare, hospitality, property management, financial services, service provision, direct marketing, transport, processing of genetic data, and canvassing of political support to be registered as data controllers or data processors, as the case may be.

Furthermore, section 30 of the Act obliges data processors and controllers to obtain free, prior and informed consent from the data subject before processing their data. The High Court in Republic v Tools for Humanity Corporation (US) & 8 others; Katiba Institute & 4 others (Exparte Applicants); [2025] KEHC 5629 (KLR), hereinafter referred to as the World Coin case, held that consent should be free, specific, informed and without any coercion, and that the data subject must be fully aware of the data being collected and the purposes for which it is processed. Additionally, data processors and controllers must obtain the data subject’s consent before transferring their data outside Kenya.

Moreover, section 41 of the Act requires data processors and data controllers to put in place data protection measures to ensure appropriate safeguards are implemented. Firstly, they are required to conduct a data protection impact assessment (DPIA) if the nature of the data being processed poses a high risk to the data subject’s rights due to its scope, context and purposes. Secondly, they should implement a robust risk management framework to identify and address risks arising from the collection and processing of personal data. They should also have systems that can encrypt personal data to ensure confidentiality and that are resilient, allowing data to be restored in case of a breach. It is also important to note that data processors and data controllers are required to notify data subjects of any breach within 72 hours.

The non-compliance effect: An analysis of key decisions by the ODPC

The ODPC is obliged to ensure compliance with the Act’s requirements. Section 9 of the Act gives the ODPC the power to conduct investigations suo motu or on a complaint made by a data subject or a third party. In the course of investigations, the ODPC has the power to summon any witnesses to assist in further investigations and, thereafter, to impose administrative fines for non-compliance with the requirements of the Act. The ODPC has been vigilant in enforcing the provisions of the Act, as shown by the decisions discussed below.

In N****O*** v Malibu Pharmacy, ODPC Complaint No. 0280 of 2024, the complainant averred that the respondent had revealed her diagnosis to unauthorised third parties by writing it on the medical package and insurance form without her consent. The ODPC held that disclosing her medical diagnosis on the packaging breached her data privacy rights and the principle of data minimisation, as writing her diagnosis on the packaging was excessive for delivery purposes. Subsequently, Malibu Pharmacy was ordered to compensate the complainant in the amount of Kshs. 700,000 for unlawfully sharing her sensitive health data without her consent. The ODPC also issued an enforcement notice to the respondent, requiring it to comply with the Act’s requirements and to correct its data-handling procedures.

The ODPC has also penalised organisations for sharing unsolicited marketing information with data subjects. In Kevin Kiprotich Rono v SBM Kenya, ODPC Complaint No. 0372 of 2024, the complainant stated that the respondent had been sending him emails containing promotional messages despite his many requests and calls to stop, as he was not their customer. The ODPC held that the respondent breached the complainant’s right to object to processing his personal data as stipulated in the Act because the respondent had not heeded the complainant’s request to stop receiving the promotional emails. The respondent was ordered to compensate the complainant Kshs. 450,000 for unlawful processing of the complainant’s data.

Many organisations have faced the brunt of the ODPC for using personal data for marketing purposes without the data subject’s consent. In Victor Kibet Sele v Hotel Waterbuck Limited, ODPC Complaint No. 0478 of 2024, the complainant, a receptionist at Hotel Waterbuck Limited, alleged that the respondent was using his image on its website for commercial marketing purposes without his consent. The ODPC considered that section 2 of the Act defines consent as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject”. The ODPC held that, based on its investigations and the evidence presented, the respondent did not obtain the complainant’s consent as required by the Act before using his image for commercial purposes, and the respondent was subsequently ordered to compensate the complainant Kshs. 500,000. Similarly, in Fatuma Hadi Ali suing on behalf of J.A.A (Minor) v Nova Pioneer Kenya Limited, ODPC Complaint No. 502 of 2024, the respondent was ordered to compensate the complainant Kshs. 950,000 for using a minor’s image to advertise the school without the parents’ knowledge and consent as required by section 33 of the Act.

The ODPC has also made it clear that employers are vicariously liable for non-compliance caused by their employees. This position was upheld in John Onkangi v National Bank of Kenya Limited and Keysian Auctioneers, ODPC Complaint No. 1766 of 2023, wherein the complainant averred that the 1st respondent’s employee had shared his bank account details and loan statement with a third party and the 2nd respondent without his consent. The 1st respondent admitted that its employee had shared the complainant’s personal data with an unauthorised third party, but stated that the employee had acted in breach of the company’s staff confidentiality policy and sought to have the employee held liable. In dismissing this argument, the ODPC held that the 1st respondent was vicariously liable for the acts of its employee, and an enforcement notice was issued against the 1st respondent to ensure that its staff uphold their data privacy obligations.

Conclusion

The Act has ensured that the ODPC is not a toothless bulldog; rather, it has given the ODPC the requisite powers to enforce the Act’s provisions and subsequent regulations, as shown by the decisions discussed above. It is therefore critical for any organisation to ensure compliance with the Act and the regulations made under it, so as to avoid hefty and entirely avoidable penalties from the ODPC. Additionally, compliance with the Act protects an organisation’s reputation and grants it a competitive advantage over its peers, which in turn translates into increased revenue.
