Allen Waiyaki Gichuhi & 1 other vs Florence Mathenge & 1 other

Complaints Detail

Complaints

Allen Waiyaki Gichuhi & 1 other vs Florence Mathenge & 1 other

Country: Kenya
Court:
Sources: ODPC Complaint No. 677 of 2022
Tags: Data Protection,Privacy,Breach

Applicants: Allen Waiyaki Gichui and Charles Wamae

Respondents: Florence Mathenge and Ambrose Waigwa.

The applicants submitted a complaint to the ODPC on 21st July 2022, the basis of which was third-party data sharing contrary to the provisions of the Data Protection Act. The applicants complaint suggested that the 1st respondent shared and disclosed personal and sensitive information to a third party (2nd Respondent) without the consent of the data subjects and applicants. Further, the third party in question was not entitled to any communication sent as he was no longer an employee of the law firm associated with the applicants. The ‘personal and sensitive’ information shared through documents by the 1st respondent to the 2nd respondent included court pleadings of cases handled by the applicant's law firm Wamae & Allen Advocates.

The applicant's further complaint was that the 1st respondent shares the firm's trade secrets and intellectual property with the 2nd respondent without authorization noting that the sharing was in breach of sec 72 of the Data Protection Act. The following issues of determination were identified:-

  • Jurisdiction of the ODPC in determining issues raised by the applicants/complainants.
  • Whether there was a breach of the Data Protection Act.
  • Whether the complainants are entitled to any remedy under the Data Protection Act.

The ODPC determined that it has jurisdiction to hear the complaint as presented since the complaints were founded within the scope of the Data Protection Act and within its mandate to determine issues on data protection. The ODPC could not sufficiently identify any breach of data protection according to the claims established in the complaint because the complainants failed to produce shared documents to enable the Data commissioner to ascertain whether the documents contained personal and sensitive data.

The applicant's complaint was dismissed as a result of the above findings by the ODPC with the applicants being granted leave to appeal the matter.

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.