| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 15 and 23 July 2024 |
| Decided: | 12 October 2025 |
| Published: | Yes |
| Fine: | KES.1,100,000 |
| Parties: | Adeline Munee Munguti & Larry Obindi Sisei vs. Mint Villas Limited T/A Mint Villa Housing |
| Case No.: | ODPC Complaint No. 1059 of 2024 as consolidated with ODPC Complaint No. 1106 Of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Complainants alleged Mint Villas Limited used their personal data (ID, KRA PIN, photo, etc.) to register a company without consent. The Data Protection Commissioner found the Respondent liable for violating data rights and obligations. The Respondent was ordered to pay KES 550,000 compensation to each Complainant.
The Complainants, Adeline Munee Munguti and Larry Obindi Sisei, lodged complaints with the Office of the Data Protection Commissioner (ODPC). They alleged that the Respondent, Mint Villas Limited T/A Mint Villa Housing, used their personal data to register a company called Twinfalls City Management Public Limited Company without their authorization, knowledge, or consent.
The Respondent is stated to be a developer and owner of a development known as Twin falls City. The Complainants had purchased houses there. Upon purchasing the units, the Respondent acquired their personal data, including ID card and number, KRA number, passport photo, signature, postal and physical address, phone number, bank account details, and email address. The Complainants asserted this data was solely for the sale and purchase of homes, and any other use required express consent.
They were later elected as estate officials by their neighbours and were to meet with the Respondent. The Respondent sent emails requiring them to register an email address for an intended company, and attached company registration forms (CR1, CR2, CR8, etc.) for execution. The Complainants averred that they did not sign these documents and no one followed up. However, on 14th December 2023, Twin Falls City Management Public Limited Company was incorporated by Mint Hub and the Respondent, with the Complainants and other estate officials listed as registered directors and shareholders. A copy of the CR12 was produced as proof. They asserted they neither signed any document nor provided consent for their personal data to be used for registering a public company, and the Respondent failed to adequately consult them beforehand.
They sought explanations from the Respondent through correspondence but received no satisfactory response regarding how their personal details and consent were obtained. The Complainants stated that details like ID number, KRA PIN, Passport Photo, Phone Number, Email address, Postal address and signature are required for company registration and were processed without the requisite consent. Copies of CR-1 and CR-2 forms were produced. They averred their personal and sensitive data were not processed according to the principles of Section 25, 26, and 30 of the Data Protection Act. They alleged the Respondent used their personal data for non-consented purposes shortly after seeking their signatures via email and before they could respond.
They also alleged the Respondent did not notify them as per Section 29 of the Act to allow them to exercise their right to object under Section 36. After they raised the issue, the Respondent allegedly abandoned the first company and registered another called "Twinfalls Home Owners Company Public Limited Company". The Complainants stated the Respondent went silent after registering the company in their names without consent. They prayed for several remedies, including an investigation, retrieval of their data and prevention of further unauthorized use, legal action against the Respondent, mechanisms to ensure future notification and consent, and compensation for emotional distress, reputational damage, and unauthorized data use.
The Respondent was non-responsive and did not respond to the Notification of Complaint filed against it. Consequently, the allegations levelled against the Respondent remain uncontroverted.
The ODPC analysed the complaints and reviewed the documents submitted by the Complainants.
The issues for determination were: whether there was a violation of the Complainants' rights under the Act, whether the Respondent fulfilled its obligations under the Act, and whether the Complainants were entitled to remedies.
The ODPC found that the Respondent did not inform the Complainants that their personal data (names, ID numbers, KRA PINs, passport photos, phone numbers, email addresses, postal addresses and signatures) would be used to register a company. This was a violation of the Complainants' right to be informed of the use to which their personal data would be put under Section 26(a) of the Act, as the data was initially collected only for house purchase purposes. No evidence was provided by the Respondent to indicate otherwise or prove lawful signing of company registration forms. The ODPC concluded the Complainants' right to be informed was violated.
The ODPC found the Respondent is a data controller under the Act and has obligations . The Respondent had an obligation under Section 25(c) (purpose limitation principle) to ensure personal data is collected for explicit, specified, and legitimate purposes and not processed in a manner incompatible with those purposes . The Complainants' data was collected for house purchase but processed without consent for company registration, which is contrary to this principle. The Respondent ought to have sought fresh consent .
The Respondent had a duty to notify the Complainants under Section 29. This includes informing them of their rights (Section 26), the fact of data collection, the purpose of collection, and security measures. The Respondent failed to notify them of the intention to use their data for company registration or the security measures in place.