| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Section 25 (Data Protection Principles); Section 26(a) (Right to be Informed); Section 56 (Complaints); Section 58 (Enforcement Notices); Section 65 (Compensation); Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 |
| Type | Complaint |
| Outcome | Violation |
| Started | 25 May 2025 |
| Decided | 23 August 2025 |
| Published | Yes |
| Fine | KES 50,000 per complainant (13 complainants; total KES 650,000) |
| Parties | Erick Kabuyefu Zakayo & 12 Others vs. Bohemian Flowers Limited |
| Case No. | ODPC Complaint No. 0752 of 2025 (File ref: ODPC/CIE/CON/2/3(054)) |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |

Thirteen former employees of Bohemian Flowers Limited complained that the company shared their personal and next of kin data with GA Life Assurance Limited without their knowledge or consent. The ODPC found this violated their right to be informed under Section 26(a) and ordered compensation of KES 50,000 per complainant.

The complainants are former pensionable employees of Bohemian Flowers Limited. They alleged that the respondent shared their personal data and next of kin details with an insurance company without their knowledge or approval. They only became aware of this disclosure when, upon leaving employment, they were directed to clear with the insurance company as a condition of accessing their pension funds — the first indication that their data had been passed to a third party. The complainants averred that at no point during their active employment did the respondent seek or obtain their consent before disclosing their personal and next of kin details. They sought compensation for the unauthorised exposure and sharing of their information.

The respondent filed a response on 8 July 2025. It submitted that all complainants were permanent employees who had signed employment contracts containing clauses on pension scheme eligibility. It stated that each employee had voluntarily provided their personal and next of kin details prior to registration into the pension scheme, and that a consent letter signed at that stage authorised the company to share the relevant data with the insurance provider strictly for pension administration purposes. The respondent further asserted that it had internal controls ensuring compliance with the Act, and that all information sharing was lawful, fair, and transparent for a legitimate contractual purpose.

On investigation, the ODPC found that the respondent's own evidence undermined its defence. While the respondent could demonstrate consent for onboarding complainants onto the original Kenindia Assurance Limited pension scheme, it admitted that due to regulatory hurdles, it had switched pension managers to GA Life Assurance Limited — lifting the complainants' data from the Kenindia application forms and using it to register them with GA Life, without their knowledge or consent. The respondent was only able to prove consent with respect to Kenindia Assurance, not GA Life Assurance. The ODPC held that this constituted a direct violation of the complainants' right to be informed of the use to which their personal data would be put, as guaranteed by Section 26(a) of the Data Protection Act, 2019.

On the question of the respondent's broader obligations, the ODPC applied Section 25 of the Act, which requires every data controller to process personal data in accordance with data protection principles — including processing lawfully, fairly and transparently, and collecting data for explicit, specified and legitimate purposes not further processed in an incompatible manner. The respondent's conduct in lifting data from one insurance application form and using it to onboard complainants with a different insurer — particularly given that next of kin details constitute sensitive personal data — showed a clear lack of transparency and fairness. The respondent also ought to have sought fresh consent for the GA Life Assurance onboarding, having only obtained authority to share the data with Kenindia Assurance. The ODPC therefore found that the respondent had not fulfilled its obligations as a data controller under the Act.