Data Protection Alert: Jurisdiction of the Data Protection Commissioner and who is a Data Subject
Legal Alerts

Data Protection Alert: Jurisdiction of the Data Protection Commissioner and who is a Data Subject


The High Court in Mwangi & Another Vs. Naivasha County Hotel T/A Sawela Lodges: Petition E003 of 2021 [2022] KEHC 10975 (KLR) established that the Petition was barred by the doctrine of exhaustion because the issue of using personal data without the Petitioners’ consent is extensively covered in the Data Protection Act thereby within the jurisdiction of the Data Protection Commissioner.

Resultantly, pursuant to section 8 (1) (a) and (f) of the Data Protection Act, the Office of the Data Protection Commissioner (ODPC) has been tasked with implementing and enforcing the Act and; receiving and investigating complaints regarding infringements of rights accorded under the Act. It’s upon this premise that complaint 677 of 2022: Allen Waiyaki Gichuhi & Charles Wamae Vs.  Florence Mathenge & Ambrose Waigwa; was received.

The Complaint

The 1st Respondent sent the firm’s documents to herself and the 2nd Respondent via email; which allegedly violated the complainants’ rights as data subjects and contained their trade secrets and intellectual property. The documents supposedly included pleadings, supporting documents, affidavits, applications, submissions, legal opinions, bank statements and invoices. The complainants perceived this as a breach of section 72 of the Data Protection Act which bars data controllers and processors from unlawfully disclosing personal data to third parties.

The Response

The Respondents’ case was based on the following points:

1st Respondent

  1. The Data Protection Commissioner (DPC) lacked the jurisdiction to hear matters pertaining to infringement of intellectual property.
  2. The Complainants were forum shopping in a bid to stop her from suing the managing partner.
  3. At the time of filing their response, the firm had not registered as a data controller and/or processor, hence, the Act couldn’t be applied retrospectively.
  4. The 1st Respondent was an employee, not a data controller or processor.
  5. The documents in question were public documents since they fell within the meaning of public documents as defined by section 79 of the Evidence Act, Cap 79 Laws of Kenya; having been filed in court.
  6. Some of the complainants’ clients were legal persons hence not data subjects as defined by the Act.
  7. Submissions were an advocates marketing language, not personal data.
  8. Legal opinions contained mere analysis of the law and were transformed into pleadings hence did not constitute personal data.
  9. The documents shared to the 1st Respondent’s email were not shared to a third party. The purpose of sending herself the documents via email was to necessitate working from home during the COVID-19 pandemic; a fact the Complainants were aware about.

2nd Respondent

The multiplicity of complaints filed by the Complainants in different fora violated the sub judice principle and was likely to undermine the parties reaching an amicable settlement.

The Decision

The DPC confined her jurisdiction to protection of personal data alone. She also found that the Complainants were not entitled to any remedy as they had not demonstrated a breach of the Act. The complaint was dismissed for the following reasons:

  1. The Complainants failed to produce all the documents, thus, the DPC wasn’t able to ascertain the kind of data contained in the documents so as to establish whether personal or sensitive data was indeed disclosed.
  2. The Complainants failed to demonstrate that their data protection rights regarding their own personal or sensitive data had been violated, in their capacity as data subjects.
  3. Some of the data in question related to legal persons and not natural persons, hence, they were not data subjects for purposes of the Act.
  4. Certain matters referred to in the complaint, were reported cases whose information, including sensitive data, were available at Kenya Law Report. As such, they were public records thus there was no breach of the Act.
  5. The complaint was made on behalf of a third party, yet there was no authorization showing that the complainant had the authorization to act on their behalf.

Key Take Aways:

  1. From the definition of personal data and data subject, it is evident that a data subject must be a natural person. Therefore, a complaint made to the DPC for breach of the Act can only be made by an individual and not an entity.
  2. There is no relationship between handling data and registration of data controllers or processors. The mere fact that one has not been registered as a data controller or processor doesn’t preclude them from making a complaint under the Data Protection Act.
  3. The jurisdiction of the DPC is restricted to protecting personal data and does not extend to protecting intellectual property rights.
  4. Documents that are in the public domain are considered public records hence sharing of such documents does not constitute a breach of the Act.
    • Documents forming the acts or records of judicial officers, High Court or any other court or tribunal are public records. The same applies to court decisions pronounced in open court. (Section 79 of the Evidence Act, Cap 80 Laws of Kenya and the Schedule of the Public Archives and Documentation Service Act, Cap 19 Laws of Kenya).
    • Petitions to parliament are considered public records. (Section 6 of the Petitions to Parliament (Procedure) Act, 2012 and the Schedule of the Public Archives and Documentation Service Act, Cap 19 Laws of Kenya).
  5. Documents publicized on websites and newspapers are in the public domain hence sharing them does not constitute a breach of the Act. This is because section 45 (b) of the Act permits the processing of sensitive personal data which has been made public by the data subject.
  6. Where a complaint has been made on behalf of a third party, the complainant must show that they have authorization to act on behalf of that third party.
  7. In the case of sharing documents, for one to allege breach of the provisions of the Act, they must demonstrate that the same was shared between the parties who allegedly breached the Act.

Food for Thought:

Where one discloses the contents of a case that has been classified as sensitive and is being heard in camera, will that constitute a breach of the Act? Examples include divorce cases, child custody cases and defilement cases.

Leave feedback about this

  • Informative
  • Educational
  • Inspiring
  • Professional


Add Field


Add Field
Choose Image