| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 3 March 2025 |
| Decided: | 31 May 2025 |
| Published: | Yes |
| Fine: | KES.50,000 |
| Parties: | Millicent Achieng Obor vs. Muranga University of Technology |
| Case No.: | 0308 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The Complainant alleged Murang'a University unlawfully processed her email address for over four years, sending repeated, unsolicited emails despite numerous requests to cease processing and remove her data, violating her right to object. The ODPC found the University liable for continued processing without justification.
The core of the complaint was that the University violated the Complainant’s right to object to the processing of her personal data. As a result, she continued to receive repeated, unsolicited emails over an extended period, which incorrectly suggested she was a student of the institution.
The Complainant stated that she had made several requests to the University to stop processing her data, yet the University continued to do so without a lawful basis and in disregard of her explicit objections. She added that despite her repeated attempts, the University neither acted on her requests nor acknowledged them. The Respondent later provided a statement of response to the Office of the Data Protection Commissioner (ODPC). Following an internal review, the University established that the Complainant’s email address had been included in student data received for a student placed to pursue a Diploma at the University.
The University acknowledged that although the student associated with the email address had been formally placed, she never actually reported to campus. Despite this, her data remained active in the system. The Respondent attributed the prolonged processing to gaps in its mechanisms for handling unsubscribe or data-removal requests. The University noted that once it received the official complaint from the ODPC, it removed the Complainant’s data and began sensitizing staff on the data minimization principle.
The ODPC’s investigation centered on whether the Respondent had met its obligations under the Data Protection Act, including whether it had processed data obtained from KUCCPS strictly for placement and enrollment purposes. As a data controller, the University failed to meet its statutory duties under Sections 25 (principles of data processing) and 41 (technical and organizational safeguards). It was required to ensure lawful, fair, and transparent processing, and to correct or erase inaccurate data without delay.
The University’s continued processing of the Complainant’s personal data despite multiple unsubscribe requests breached the principles of data minimization, accuracy, and storage limitation under Section 25. Although the Respondent conceded that the Complainant had repeatedly requested removal of her data, it failed to take action. Because she never enrolled, her email address was wrongly treated as belonging to an active student, resulting in continued retention and processing of data that the University knew to be inaccurate. This amounted to a violation of the Complainant’s right to object to processing under Section 26(c). The University’s failure to implement effective technical and organizational measures to address such requests promptly and reliably also constituted a breach of Section 41 of the Act.
The Data Commissioner found that the Respondent had violated the Complainant’s right to object under Section 26(c) of the Act . In light of the violation, the Respondent was found liable .
The final determination ordered the following remedies: