Summary

Edwin Makio Kanu complained that Alleyways Beer Garden Limited published his image on its Facebook page without consent following his visit on 24 July 2025. The ODPC found the respondent failed to obtain the express consent required for commercial use of personal data and ordered payment of KES 500,000 compensation.

Facts

The complainant alleged that on 24 July 2025 he visited the respondent's premises and made payments via Mpesa. Later that same day, at 15:41 hours, Alleyways Beer Garden posted images of the complainant on its official Facebook page without his knowledge, consent, or authorisation. These images were subsequently circulated and widely shared across social media. The complainant — a Busia County Assembly employee and a family man — contended that the unauthorised publication caused him significant distress, embarrassment, and a sense of violation of his privacy, and that his likeness had been exploited for the respondent's commercial benefit without any form of compensation or acknowledgment. On 28 July 2025, through his advocate, he wrote a demand letter to the respondent regarding the alleged infringement.

The respondent did not file a written response to the ODPC's notification of complaint dated 15 September 2025 (Ref: ODPC/CIE/CON/2/1(653)). During a site visit conducted by the Office, the respondent's managing director orally claimed that consent had been obtained verbally from the complainant, and confirmed that the images had been removed once the respondent was notified of the complaint. Despite being advised during the investigation to provide supporting evidence of the alleged oral consent and a formal response, the respondent remained unresponsive throughout.

The ODPC identified two issues for determination: whether the respondent obtained express consent from the complainant to process his personal data for commercial purposes, and whether the complainant was entitled to remedies. On the first issue, the Office applied the definition of personal data under section 2 of the Act, finding that the complainant's face and likeness are clearly identifiable, satisfying the threshold for personal data. The Office then applied the consent framework under section 30(1)(a) and the conditions of consent under section 32 of the Act, noting that consent must be express, unequivocal, free, specific, and informed, and that the burden of proof lies on the data controller.

On the respondent's claim of oral consent, the ODPC held that where consent is obtained orally, it must be reduced into writing or recorded electronically and a record kept. The respondent failed to demonstrate it had obtained explicit consent prior to using the complainant's personal data for purposes beyond those originally stated at collection. The Office further applied section 37(1) of the Act and Regulation 14(1) of the Data Protection (General) Regulations, 2021, finding that the respondent's use of the complainant's image on its Facebook page to advertise, promote, and market its services constituted commercial use of personal data within the meaning of the Act — requiring express consent that was not obtained. The ODPC therefore found a violation on issue (i) and directed compensation of KES 500,000 under section 65(1) and (4) of the Act, read with Regulation 14(3)(e) of the Enforcement Regulations, having regard to the nature and extent of the violation, the harm occasioned, and the need to uphold accountability.

• Legal Provisions Reviewed

Holding

• The respondent is found liable for unlawful processing of the complainant's personal data for commercial purposes without express consent, in violation of sections 30(1)(a), 32, and 37(1) of the Data Protection Act, 2019
• The respondent is ordered to pay the complainant compensation of KES 500,000 (Kenya Shillings Five Hundred Thousand Only)
• Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days of the date of determination

Comment

This case reinforces the ODPC's consistent position that oral consent is insufficient for commercial use of personal data without a contemporaneous written or electronic record — a burden that falls squarely on the data controller. The respondent's failure to produce any documentary record of consent, combined with its persistent non-responsiveness to the investigation, left the Office with an uncontroverted factual record. The KES 500,000 award, consistent with other image-use determinations, signals that the ODPC is treating commercial exploitation of personal data without consent as a category warranting meaningful compensation regardless of the apparent scale of the respondent.