| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Data Protection Act, 2019 — ss. 2, 8(f), 30(1)(a), 32(1), 32(2), 32(4), 56(1), 65(1), 65(4); Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 — regs. 4, 11, 14(2), 14(3)(e); Data Protection (General) Regulations, 2021 — reg. 4; Constitution of Kenya, 2010 — Art. 31(c) & (d) |
| Type | Complaint |
| Outcome | Violation |
| Started | 29 May 2025 |
| Decided | 26 August 2025 |
| Published | Yes |
| Fine | N/A |
| Parties | Chrispus Hedrick Namuye vs. Bliss Park Hotel |
| Case No. | ODPC/CIE/CON/2/3(114) |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |
Bliss Park Hotel publicly posted the complainant's national ID — containing his full name, ID number, and phone number — across regional Facebook groups after he failed to settle a dinner bill, falsely branding him a fraudster. The ODPC found processing without valid consent, ordered post deletion, but declined to award compensation.
The complainant visited Bliss Park Hotel on 1st January 2025 with a friend for a New Year's dinner, incurring a bill of KES 3,450. Unable to pay via mobile banking due to a technical fault, he communicated the issue to the hotel's Operations Manager, who agreed to retain his National ID and Driving Licence as security until the following day. On 2nd January 2025, a family emergency — his grandmother's hospitalisation in Kisumu — caused him to go offline and miss the hotel's attempts to contact him.
Acting on what it characterised as a prior agreement, the hotel on 4th January 2025 uploaded copies of the complainant's National ID — bearing his full name, ID number, and phone number — to multiple Facebook groups serving the Busia region, including Busia County Youth Agenda, Samia Daily News, and Bunge la Busia County, publicly branding him as a fraudster. The complainant settled the outstanding bill in full on 5th January 2025, after which the posts were removed. Despite payment, the respondent declined to issue an apology or remove any residual defamatory content, and continued to contact the complainant via persistent phone calls and WhatsApp messages.
The respondent's position was that the complainant had explicitly agreed, as a condition of the arrangement, that if payment was not made by close of business on 2nd January 2025, the hotel would be at liberty to post his name, phone number, and ID number on regional Facebook groups to trace him. The respondent characterised this as a consensual arrangement and noted that posts were removed as soon as payment was received.
The ODPC found that whatever arrangement existed did not constitute valid consent within the meaning of the Act. Applying section 32(4) and Regulation 4 of the Data Protection (General) Regulations, 2021, the Office noted that consent cannot be freely given where it is presented as a non-negotiable condition of a transaction or where a data subject is unable to refuse or withdraw without detriment. The complainant was compelled to assent to public disclosure of his personal data to settle a debt — his purported consent was given under duress. Furthermore, the respondent did not issue any written notice or explain the risks of disseminating personal data on public platforms, and could not demonstrate that consent was express, specific, and informed as required under section 2 of the Act.
The ODPC concluded that the respondent violated sections 30(1)(a) and 32(1) of the Act by processing the complainant's personal data without a lawful basis. Although section 65(1) and 65(4) of the Act and Regulation 14(3)(e) of the Enforcement Regulations empower the Commissioner to order compensation for damage — including distress — the Office declined to issue a compensation award, citing the circumstances of the case without providing further reasoning.