Vicarious liability is a legal doctrine that holds one party responsible for the actions of another party. This concept is often applied in the context of employer-employee relationships, where an employer can be held liable for the wrongful acts committed by an employee while performing their job duties. For instance, if an employee causes harm to another person through negligence while carrying out their work responsibilities, the employer may be held accountable for the damages.

This legal principle ensures that victims have a means of obtaining compensation from those who are in a better position to pay and who have the ability to control the behavior that led to the harm.

Vicarious Liability in Data Protection

Vicarious liability in the context of data protection law involves holding an organization responsible for data breaches or privacy violations committed by its employees or agents while performing their duties.

The scenarios below set out the general situations where vicarious liability applies and, for each, how it applies in data protection law.

Scenario A

The Employer-Employee Relationship

This is the most common scenario. If an employee, while acting within the scope of their employment, commits a tort (e.g., negligence, defamation), the employer can be held liable. For example, if a delivery driver causes an accident while making deliveries, the employer may be responsible for any resulting damages.

Example: An employee of a company mishandles personal data, leading to a data breach. Under many data protection laws in Africa, the employer (company) can be held liable for the employee's actions.

Implication: Companies must ensure employees are properly trained in data protection practices and implement robust security measures to mitigate risks. Employers are accountable for ensuring that their employees comply with data protection laws.

Some DataHub Determinations

In the case of Pauline Muhanda t/a Mudeshi Muhanda & Company Advocates vs. Safaricom PLC, the company was not held vicariously liable for the actions of its employees conducted outside their job scope.

In contrast, in John Onkangi vs. National Bank of Kenya Ltd & Anor, the bank was held liable for the actions of its employees and the breach of data protection regulations.

Lastly, in James Kabiru vs. Safaricom PLC & Guarantee Trust Bank Kenya Ltd, Safaricom was not found liable for violating the rights of the complainant when it was accused of sharing a customer's personal mobile phone number with a third party.

These cases show there can be varying interpretations of vicarious liability in Kenya, depending on the specific circumstances and the nature of the employee's actions.

Principal-Agent Relationship

This occurs when an agent is acting on behalf of a principal (e.g., a real estate agent working for a real estate company). If the agent commits a wrongful act within the scope of their authority, the principal can be held liable.

Example: A data processing company (agent) handles personal data on behalf of a client company (principal). If the data processing company fails to protect the data adequately and a breach occurs, the client company could be held liable for the agent’s failure.

Implication: Companies must carefully select and monitor third-party data processors and ensure they comply with data protection regulations. Contracts with third parties should include strict data protection clauses.