Nickson Mudii v. Arrow Facilities Ltd

Cases Detail

Cases

Nickson Mudii v. Arrow Facilities Ltd

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection,privacy breaches,image rights,commercial use,employee rights

Case Summary

The case involves a complaint filed by Nickson Mudii against Arrow Facilities Ltd and revolves around the unauthorised use of personal images for commercial gain, highlighting the importance of data protection and privacy rights in the workplace. Nickson Mudii claimed that while working as a team supervisor for Arrow Facilities Management, his image was taken without his consent during a photo shoot in August 2019. He later discovered that these images were published on the company's website for commercial purposes without any compensation provided to him. In response, Arrow Facilities Ltd stated that the photo shoot where the images were taken was part of the employees' ordinary course of duties. They mentioned that all employees, including Nickson Mudii, were informed about the purpose of the photographs being used for marketing and that there was mutual agreement during the meeting. Arrow Facilities Ltd also highlighted that they complied with Nickson Mudii's request to remove the images from their website after he raised concerns. The case further discusses the legal basis of the complaint, citing Article 31 of the Constitution of Kenya 2010, which provides for the right to privacy. It also mentions the Data Protection Act, 2019 and the role of the Data Protection Commissioner in handling such complaints. Both parties have taken steps towards compliance with data protection regulations, with Arrow Facilities Ltd engaging privacy experts and reviewing documentation to ensure data privacy provisions are included.

Issues for determination

The issues for determination in this case include:

  1. Whether the complainant's image was taken and published on the company's website without his consent.
  2. Whether the use of the complainant's images for commercial purposes, specifically in advertising the cleaning services of the company, violated his rights.
  3. Whether the company provided sufficient compensation to the complainant for the use of his images.
  4. Whether the actions of the company regarding the removal of the images from the website after the complainant's request were in compliance with data protection regulations.
  5. Whether both parties have taken adequate measures to ensure compliance with the Data Protection Act, 2019 and related regulations.
  6. Whether there was a breach of the right to privacy as outlined in Article 31 of the Constitution of Kenya 2010.

Determination

The determination in this case was that the complainant's image was indeed taken and published on the company's website without his express consent. It was found that the images were used for commercial purposes, specifically in advertising the cleaning services of the company, without providing any compensation to the complainant. The respondent company, upon receiving a demand notice from the complainant, complied by removing the images from the website. The determination highlighted the importance of protecting individuals' privacy rights and ensuring compliance with data protection laws.

Analysis

The complaint was filed by Nickson Mudii against Arrow Facilities Ltd regarding the unauthorised use of his personal images for commercial gain. The case revolves around the events that occurred during a photo shoot on 3rd August 2019, where Nickson Mudii, while working as a team supervisor for Arrow Facilities Management, had his images taken without his express consent. These images were later published on the company's website for marketing purposes without providing any compensation to Nickson Mudii. The determination of the case found that the complainant's rights were infringed upon as his images were used for commercial gain without his permission. Despite the company's assertion that there was mutual agreement among employees for the use of the photographs for marketing purposes, the lack of explicit consent from Nickson Mudii was a key factor in the determination. Furthermore, the case highlights the legal basis of the complaint, citing the right to privacy as outlined in Article 31 of the Constitution of Kenya 2010 and the Data Protection Act, 2019. 

From the Complainant's perspective, he claims that his images were used without his express consent and without receiving any compensation. He asserts that he was photographed during a work-related activity but did not agree to the use of his images for marketing the company's services. This raises valid concerns about the protection of personal data and the right to privacy, as outlined in the Data Protection Act of Kenya.

On the other hand, the Respondent argues that the Complainant was aware of the photo shoot and the intended use of the images for marketing purposes. They state that all employees, including the Complainant, consented to the photography during a debrief session. Additionally, the Respondent highlights that they complied with the Complainant's request to remove the images from their website and have taken steps to ensure compliance with data protection regulations.

One aspect to consider is the importance of informed consent when using individuals' images for commercial purposes. While the Respondent claims that the Complainant was aware of the photo shoot's purpose, the issue of explicit consent for the specific use of images remains crucial in data protection regulations. The case underscores the need for clear policies and procedures regarding the collection and use of personal data within organisations.

Furthermore, the response from the Respondent regarding their efforts to comply with data protection laws and engage with legal experts to review their documentation and include data privacy provisions demonstrates a proactive approach to addressing the complaint. However, the incident raises questions about the initial handling of personal data and the importance of ensuring that employees fully understand and consent to the use of their images.

In conclusion, the case highlights the complexities surrounding data protection, consent, and privacy rights in the digital age. It underscores the significance of transparent communication, clear policies, and adherence to data protection regulations to prevent similar disputes in the future. Both parties' perspectives offer valuable insights into the challenges of balancing business interests with individual privacy rights in the context of data processing and marketing activities.

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.