| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Data Protection Act, 2019: ss. 2, 8(1)(f), 30(1)(a), 32(1), 37(1), 56, 65(1), 65(4); Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021: regs. 4(3), 11, 14(2), 14(3)(e), 15(8); Data Protection (General) Regulations, 2021: reg. 14(1) |
| Type | Complaint |
| Outcome | Violation |
| Started | 7 August 2025 |
| Decided | 16 December 2025 |
| Published | Yes |
| Fine | KES 500,000 (compensation) + deletion order within 14 days + conditional Enforcement Notice |
| Parties | Caroline Wanjiku Kioni vs. The Nairobi Hospital |
| Case No. | ODPC/CIE/CON/2/3 (177) — ODPC Complaint No. 1147 of 2025 |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |

A patient at The Nairobi Hospital was covertly recorded by staff while receiving medical care during her admission in September 2024. The recording was used in a promotional advertisement displayed on the hospital's internal digital screens without her consent. The ODPC found unlawful commercial use and ordered KES 500,000 compensation plus deletion of all related content.
The complainant, represented by advocates pursuant to Regulation 4(3) of the Enforcement Regulations, lodged a complaint on 7 August 2025. She alleged that during her admission to The Nairobi Hospital — from which she was discharged on 23 September 2024 — a member of the respondent's staff covertly recorded her while she was receiving medical care. She stated that the recording was made without her knowledge or any form of consent. She further alleged that the respondent subsequently used the unauthorised recording in a promotional advertisement displayed on the hospital's internal digital screens, in which her image and likeness were used to market the hospital's services. The promotional video included commentary by the respondent's Senior Nurse endorsing the quality of care provided at the facility, again without the complainant's consent or prior knowledge. The complainant sought an order for immediate takedown and cessation of any further use or display of the video, and an order for compensation.
The respondent responded on 24 September 2025. It stated that on 17 September 2024 the complainant had been involved in a videography exercise sanctioned by the organisation, and that prior to capturing and using her images and recordings, consent was explicitly sought, freely given, and obtained without coercion. The respondent further characterised the images as being solely for educational purposes and only for hospital consumption. It stated that upon receipt of the complainant's demand letter, it ceased use of the content immediately and removed all related material from its internal television screens without delay.
The ODPC analysed the consent framework under section 2 of the Act — which requires consent to be express, unequivocal, free, specific, and informed — and section 32(1), which places the burden of proof on the data controller to establish that the data subject consented to processing for a specified purpose. The ODPC found that the respondent's assertion that consent had been explicitly obtained was unsupported: no documentary proof was adduced. The respondent did not produce a signed consent form, a consent record, or any other evidence demonstrating that the complainant agreed to be recorded or to the subsequent use of that recording. The ODPC accordingly found that the respondent did not discharge its burden of proof under section 32(1). The ODPC further applied section 37(1) of the Act and Regulation 14(1) of the General Regulations, finding that using the complainant's image in a promotional advertisement — even on internal digital screens — to market the hospital's services constituted use of personal data to advance the respondent's commercial and economic interests, requiring express consent that was not obtained. The complainant's right to compensation under section 65(1) and (4) was engaged, with the ODPC noting that damage under the Act includes non-financial harm such as distress. KES 500,000 was awarded. In addition, the respondent was directed to delete all advertisements containing the complainant's personal data from all its online platforms and provide proof of deletion to the ODPC within fourteen (14) days. Failure to comply would automatically trigger the issuance of an Enforcement Notice.
This case also proceeded through an attempted alternative dispute resolution (ADR) process. After the respondent requested mediation under section 9(1)(c) of the Act and Regulation 15 of the Enforcement Regulations, the complainant agreed to attempt ADR. The process failed, and the complaint was referred back to the ODPC for determination pursuant to Regulation 15(8) of the Enforcement Regulations — which provides that where a complaint is not resolved through ADR, the Commissioner shall proceed to determine it under the Act. The determination is accordingly based on the parties' pleadings, the respondent's written responses, and the ODPC's investigation findings.