| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Laws reviewed by the court |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 9 May 2025 |
| Decided: | 7 August 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Caroline Wangari Gichure vs. Outlook Index Limited |
| Case No.: | 0662 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Caroline Wangari Gichure sued Outlook Index Limited for denying access to her 2021 P9 form, hindering her KRA tax compliance. The ODPC found the former employer violated her right to access personal data under the Act. Outlook Index was ordered to pay KES 250,000 compensation.
The Complainant, Caroline Wangari Gichure, alleged that her former employer, Outlook Index Limited, denied her access to her personal data held in its custody without any justified cause. Specifically, she sought her 2021 tax deduction records (P9 form) to resolve tax compliance issues flagged by the Kenya Revenue Authority (KRA) for the years 2020 and 2021. She asserted that despite multiple attempts to engage the Respondent since November 2022—including requests to the Human Resources department and the I.T. team, as well as follow-up emails in April 2025—she received no response. The Complainant argued that this inaction hindered her ability to address the KRA queries and placed her at risk of financial penalties.
Outlook Index Limited stated that while the Complainant was employed, all staff had access to a payroll system to download P9 forms at their convenience. However, the Respondent explained that they changed their payroll system provider in 2021, and the data from the old system was not stored in the company's internal database. They initially argued that the Complainant had failed to download her 2021 P9 form before this system migration took place. During the course of the complaint, the Respondent managed to retrieve and share the form with her. Crucially, the Respondent conceded that there was no lawful basis for the initial denial of access and stated they had since improved their internal data storage measures.
The Office of the Data Protection Commissioner (ODPC) determined that as an employer who processed the Complainant's data, the Respondent was a data controller bound by the Act. The sources specify that under Section 26(b) of the Act, data subjects have an explicit right to access their personal data. Furthermore, under the Tax Procedures Act and Income Tax Act, the Respondent was legally required to maintain records of employee income and taxes for at least five years. The ODPC found that the Respondent had a legal obligation to issue the P9 certificate and was required by regulations to comply with an access request within seven days. Because the Respondent admitted to denying the Complainant the opportunity to exercise her rights without a lawful basis, the ODPC found them in violation of the Complainant's right to access her personal data.
The ODPC made the following final determination: