In the case of Cyrus Mwaniki Ndungu v Moja Expressway Company ODPC Complaint No. 0264 of 2024, the Complainant was employed by the Respondent as a toll attendant and thereafter as sales personnel. The Complainant however resigned from employment on or about 17th November 2022. After resignation, on or about 5th October 2023, the Respondent illegally and unlawfully posted on its social media platforms a video depicting him as still working with them without his knowledge or express consent. The Complainant averred that despite serving and issuing of a demand letter seeking an explanation and/or an apology on why they had used their video for monetary gain, the Respondent refused to comply.
The Respondent acknowledged that the Complainant was employed from 5th July 2022 to 28th November 2022, when he voluntarily resigned. In response to the Complainant’s claim, the Respondent asserted that they were not required to obtain the Complainant’s consent to process his personal data, as such processing was justified under the terms of his employment contract.
Additionally, the Respondent stated that the Complainant had provided consent and express authority for the creation of the video in question. However, they failed to furnish a duly executed consent form as evidence of this authorization.
The Respondent further maintained that it had implemented a data retention schedule for employees, stipulating that personal data is retained for employment purposes and that employee records are kept for six years, unless a court case involving the employee arises.
Determination
In its determination the ODPC addressed the privacy concerns centred on whether the Complainant had expressly consented to tthe processing of his personal data after his resignation.
The Data Commissioner reiterated Section 30(1)(a) of the Data Protection Act, which stipulates that a Data Controller or Data Processor shall not process personal data unless they have obtained the data subject’s consent. Furthermore, Section 32(1) places the burden of proof on the Controller or Processor to demonstrate that such consent was granted.
Given that the Complainant had resigned from employment, the Respondent was required to obtain fresh consent before publishing the video containing the Complainant’s image. However, the Respondent failed to provide evidence of obtaining such consent.
Additionally, the Data Commissioner highlighted Section 37(1)(a) of the Act, which mandates that personal data used for commercial gain must be processed only with the express consent of the data subject. Commercial gain, as defined under Regulation 14(1) of the General Regulations, includes “the use of a data subject’s personal data to advance commercial or economic interests, such as promoting the sale, rental, lease, subscription, provision, or exchange of products, property, information, or services, whether directly or indirectly.”
Consequently, the Data Commissioner found the Respondent liable for processing the Complainant’s personal data without express consent.
Regulation 12 (3) of the General Regulations provides that a request for erasure should be responded to within 14 days of the request. The Complainant served the Respondent with the demand on 7th December, 2023 and the Respondent deleted the social media posts on 10th December, 2023, demonstrating compliance with the Respondent’s rights within the stipulated timelines.
The Respondent was found to have violated the Complainant’s rights by using his image without his express consent and the Complainant was awarded a compensation of Kenya Shillings Five Hundred Thousand Shillings (Kshs. 500,000).
The Respondent was found to have violated the Complainant’s rights by using his image without his express consent, and the Complainant was awarded a compensation of Kenya Shillings Five Hundred Thousand Shillings (Kshs. 500,000).
As an employer what should you do?
Establish clear consent procedures
This is applicable to both present and previous employees. Once an employee terminates their employment, despite having acquired initial consent during their employment, there is need to get further consent prior to using their data.
Consent forms should be duly executed by the current present and previous employee. The
company should ensure that they proper record-keeping management system especially in
the event that they require to seek further consent or a withdrawal has been requested.
Enhance transparency with the data subjects
In the event that an employee’s personal data is to be used, it should be ensured that there is clear communication to the employee on the purpose it will be put to.
Conduct company data protection training sessions
Conduct regular training sessions for employees and management on data protection. This creates awareness on the roles and responsibilities of members of the company, promotes best practices on data handling, familiarizes data subjects with their rights and minimizes any legal and financial risk for non-compliance.
How can we help?
At Barizi Data Privacy Services, we have a team of data privacy experts who will ensure that your organisation complies with data protection laws and further offer any required training to employees on data compliance.
By Amy Onderi
Trainee Advocate
