| Authority: | ODPC - Kenya |
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | No Violation |
| Started: | 29 January 2024 |
| Decided: | 29 April 2024 |
| Published: | N/A |
| Fine: | N/A |
| Parties: | Rose Emma Muthoni vs. Samasource Kenya EPZ Limited |
| Case No.: | 0187 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- The Decision
Summary
The Complainant alleged her personal data was processed by Samasource without consent during an employment investigation. The Respondent argued written consent was given for data on the work laptop. The ODPC found valid consent existed and processing was limited to the laptop, deeming it lawful. The complaint was dismissed.
Facts
The Complainant lodged a complaint against the Respondent, her former employer, alleging that, whilst investigating her, the Respondent processed her personal data without her consent. She alleged that the resulting adverse investigation report led to the termination of her employment. Key allegations made by the Complainant include:
- She had been employed by the Respondent for approximately 8 years until her termination around 24th July 2023.
- Preceding the termination, she was subjected to a disciplinary hearing regarding allegations of conflict of interest and receiving kickbacks from suppliers.
- The Respondent initiated an investigation into these allegations, which involved obtaining her laptop.
- During the inquiry, she received a report containing financial data extracted from her Mpesa account statement and her Standard Chartered Bank Kenya Limited bank account.
- The Respondent failed to comply with the principles of personal data protection, specifically concerning processing in accordance with the right to privacy, lawful, fair and transparent processing, purpose limitation, and data minimisation.
- Her right to privacy was violated by allowing a forensic company to access her personal Gmail accounts, personal bank account, and Mpesa statements without obtaining explicit consent, which directly infringed upon her privacy rights regarding her personal data.
- The unauthorised access by the forensic company without explicit consent or legal basis violated the requirement for fair and transparent processing. There was no lawful basis for accessing her personal Gmail accounts and bank statements.
- Accessing her personal Gmail accounts and financial statements went beyond the specified and legitimate purposes of the investigation, thus breaching the principle of purpose limitation.
- The forensic company accessed extensive personal information from her accounts using her laptop, exceeding what was necessary for the investigation, which breached the principle of collecting data limited to what is necessary.
- Her right to information was violated as she was not informed about how her personal data would be accessed and processed.