Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Legal provisions reviewed
Type: Complaint
Outcome: Violation
Started: 6 March 2025
Decided: 2 June 2025
Published: Yes
Fine: KES.150,000.00
Parties: Abdul Karim Osiche vs. Fin Africa T/A Trustgro SCA Limited
Case No.: 320 of 2025
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa


Summary

Abdul Karim Osiche claimed Fin Africa staff shared his pay slip and statements with a bank email group without consent, breaching privacy. Fin Africa admitted the unauthorized, inadvertent disclosure. The ODPC found them liable for violating Osiche’s right to be informed of the data use. The Data Commissioner ordered Fin Africa to pay KES 150,000 compensation.

Facts

The Complainant lodged a complaint asserting that his personal information was unlawfully shared by a Respondent staff member via email with a third-party contact center, specifically a bank. The Complainant contended that this unauthorized disclosure constituted a breach of his right to privacy. The personal information disclosed included his employment contract, pay slip, bank account statement, and an M-Pesa loan statement. The disclosure was reportedly made to an email group comprising over ten colleagues, which allegedly caused the Complainant severe professional and reputational damage. He highlighted that he suffered undue embarrassment and emotional distress due to this violation of data protection laws. The Complainant argued that the sharing of his private and confidential information occurred without his consent to a common email address accessible by multiple unauthorized recipients. The remedies sought included a declaration that the Respondent violated his right to privacy, an order compelling the Respondent to cease further sharing, general damages for emotional distress, reputational harm, embarrassment, and damage to his professional image, and exemplary and punitive damages to deter future similar violations.

The Respondent submitted a response to the allegations via a letter dated 16th April 2025. In their reply, the Respondent conceded that the unauthorized disclosure occurred as a result of a staff member's inadvertent error during the follow-up process for a loan repayment. They characterized the breach as unintentional. Crucially, the Respondent acknowledged that the email did contain sensitive personal data and that the incident contravened Sections 25 and 43 of the Data Protection Act. The Respondent informed the Office that they had taken immediate remedial steps, including requesting the employer to delete the email and initiating a review of internal communication protocols. Furthermore, they emphasized preventive measures, such as staff retraining, revision of data protection policies, and the introduction of email alerts for outgoing messages containing personal or sensitive data.

The ODPC noted that the Respondent had admitted sharing the Complainant's personal data without his consent, meaning the disclosure itself was not contested. The central issue for determination was whether a violation of the Complainant’s rights under the Act had occurred.

The ODPC found that the facts presented confirmed the Respondent’s staff had disclosed the Complainant’s personal data via email to a third-party bank contact center. Based on the evidence, the ODPC determined that the Complainant was not informed in advance of the disclosure or the intended use of his data, nor was he provided with the identity of the third party receiving the information. This failure to communicate deprived the Complainant of the opportunity to exercise control over his personal data or object to its processing or disclosure.

The Data Commissioner thus concluded that the Respondent violated Section 26(a) of the Data Protection Act by failing to inform the Complainant of the use to which his personal data would be put. Regarding remedies, the ODPC reviewed the Complainant's request for a formal apology, but found that issuing a formal and written apology is not among the remedies contemplated under Regulation 14(3) of the Enforcement Regulations. The Office confirmed that compensation is provided for under Section 65 of the Act for damages suffered due to contravention, including damage not involving financial loss, such as distress.

Holding

The Data Commissioner made the following final determination:

  1. The Respondent is hereby found liable.
  2. The Respondent is ordered to pay the Complainant Kenya Shillings One Hundred and Fifty Thousand (KES. 150,000/=) as compensation.