Your phone number is not a marketing list (And 4 other lessons from Kenya's data regulator this week.)

Mar 09, 2026 9:37 am


Hello!


Welcome to Issue 001 of 2026 of the DataHub (Africa Data Protection) Weekly - your digest of fresh decisions from Kenya's Office of the Data Protection Commissioner (ODPC), with the compliance lessons that matter to your organisation.


This week: five new determinations, spanning horticulture, healthcare, retail, agribusiness, and fintech. Four respondents were found liable. One walked away with a full dismissal.


The difference between those outcomes tells you almost everything you need to know about where data protection compliance stands in Kenya right now.



THIS WEEK'S CASES AT A GLANCE

01 | Kabuyefu & 12 Others vs. Bohemian Flowers Limited | ODPC Complaint No. 0752 of 2025 | VIOLATION | Award: KES 50,000 × 13 complainants (KES 650,000 total)

02 | Langat vs. AGC Tenwek Hospital | ODPC Complaint No. 0966 of 2025 | VIOLATION | Award: KES 250,000

03 | Kamau vs. Michael's Bouquet | ODPC Complaint No. 0688 of 2025 | VIOLATION | Award: KES 500,000

04 | Wanjiku vs. Farmers Choice Kenya Limited | ODPC Complaint No. 0841 of 2025 | DISMISSED (No Violation) | Award: N/A

05 | Onyango vs. Stawika Capital Limited | ODPC Complaint No. 0840 of 2025 | VIOLATION | Award: KES 50,000 + Enforcement Notice



CASE 01 — THE PENSION SWITCH THAT COST KES 650,000

Bohemian Flowers Limited vs. 13 former employees | ODPC Complaint No. 0752 of 2025 | Decided: 23 August 2025

What happened and what the ODPC found:

Thirteen former employees of Bohemian Flowers Limited complained that the company shared their personal and next-of-kin data with GA Life Assurance Limited without their knowledge or consent. The ODPC found that this violated their right to be informed under Section 26(a) and ordered compensation of KES 50,000 per complainant.


The compliance lesson:

If your organisation uses third-party service providers - insurers, payroll processors, pension managers, cloud platforms - and you switch providers, you need fresh consent from every person whose data moves with you. Review your data sharing agreements every time you change suppliers.






CASE 02 — A PATIENT'S PHONE NUMBER IS NOT A MARKETING LIST

Erickson Kipkirui Langat vs. AGC Tenwek Hospital | ODPC Complaint No. 0966 of 2025 | Decided: 29 September 2025

What happened and what the ODPC found:

A hospital patient complained that AGC Tenwek Hospital repurposed his phone number, collected solely for registration and bill payment, to send him unsolicited marketing messages without his consent. The ODPC found violations of purpose limitation, lawful basis, and commercial use provisions, ordering compensation of KES 250,000 and an enforcement notice.


The compliance lesson:

Every piece of personal data you hold was collected for a specific reason. That reason is the boundary of what you can do with it. If you want to use customer or patient contact details for marketing, you need a separate, specific consent for that purpose — obtained at the time of collection or before you send the first message. And whatever you do: respond to the ODPC. Silence does not help you.






CASE 03 — AN INSTAGRAM DEAL IS NOT A LIFETIME LICENCE

Everlyne Wangui Kamau vs. Michael's Bouquet | ODPC Complaint No. 0688 of 2025 | Decided: 21 August 2025

What happened and what the ODPC found:

A Kenyan brand influencer complained that Michael's Bouquet used her image on print media and pull-up banners across multiple shopping malls, well beyond the agreed three-month Instagram campaign and without her express consent. The ODPC found violations of the commercial use and consent provisions of the Act and ordered KES 500,000 in compensation.


The compliance lesson:

If you work with influencers, models, brand ambassadors, or anyone whose image features in your marketing — get a written agreement that specifies the exact platforms, formats, and duration of use. If you want to extend the campaign or use the content in a new medium, go back and get fresh written consent. Keep records of both. This applies to social media, print, billboards, brochures, and any other format where a real person's image or likeness is identifiable.







CASE 04 — HOW TO WIN A DATA PROTECTION COMPLAINT

Faith Wanjiku Waruru vs. Farmers Choice Kenya Limited | ODPC Complaint No. 0841 of 2025 | Decided: 7 September 2025

What happened and what the ODPC found:

A woman complained that Farmers Choice Kenya Limited used her image in commercial advertisement brochures without her prior consent. The respondent provided evidence of a paid contractual engagement. The ODPC found the use of the complainant's image constituted lawful processing under Section 30 of the Act and dismissed the complaint.


The compliance lesson:

This case is not just about what Farmers Choice did right at the time of the engagement — it is about what they were able to prove afterward. A signed consent form. Payment records. An internal review process. A documented response to a removal request. These are not bureaucratic formalities. They are the evidence that separates a dismissal from a KES 500,000 liability. Build the paper trail before you need it.






CASE 05 — YOU CANNOT CALL A BORROWER'S EMPLOYER TO CHASE A DEBT

Glenda Achieng Onyango vs. Stawika Capital Limited | ODPC Complaint No. 0840 of 2025 | Decided: 8 September 2025

What happened and what the ODPC found:

A loan borrower complained that Stawika Capital Limited disclosed her personal data to unauthorized third parties, including her employer, without prior notice or lawful basis. The ODPC rejected the respondent's legitimate interest defence, found the disclosure unlawful, and ordered compensation of KES 50,000 plus an enforcement notice against the respondent.


The compliance lesson:

For lenders, digital credit providers, buy-now-pay-later platforms, and anyone with receivables: "legitimate interest" is not a licence to contact employers, family members, or colleagues when a borrower is in arrears. The ODPC will apply a proportionality test. Direct, private communication with the borrower must be exhausted first. If you use a debt collection agency, you are responsible for ensuring they comply with the Act too.






THE WEEK IN ONE PARAGRAPH

Five sectors. Five cases. One pattern: organisations that collect personal data lawfully are losing control of it the moment it moves - to a new provider, a new channel, a new medium, or a third party acting on their behalf. The ODPC is building a clear body of case law, sector by sector, and compensation awards are climbing. The organisations that will weather this regulatory environment are not the ones with the best lawyers on speed dial - they are the ones with signed consent forms in their files, documented processes on their servers, and a culture of asking "do we actually have permission to do this?" before they act.


Full case digests - including the legal provisions analysed, the full holding, and editorial commentary - are available at www.dataprotectionafrica.com, produced by the MZIZI Africa team.




Until next week,

The DataHub Africa Team
Produced by MZIZI Africa

________________________________________________________________


DataHub | Building Africa’s Legal Intelligence Hub for Data Protection


DataHub is a free-to-use resource by MZIZI Africa.
