| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Section 25(c) (Purpose Limitation); Section 26(a) (Right to be Informed); Section 30 (Lawful Basis for Processing); Section 32 (Conditions of Consent); Section 37(1) (Commercial Use of Personal Data); Section 58 (Enforcement Notices); Section 65 (Compensation); Regulation 14(1)(c), Data Protection (General) Regulations, 2021; Regulation 14, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 |
| Type | Complaint |
| Outcome | Violation |
| Started | 2 July 2025 |
| Decided | 29 September 2025 |
| Published | Yes |
| Fine | KES 250,000 |
| Parties | Erickson Kipkirui Langat vs. AGC Tenwek Hospital |
| Case No. | ODPC Complaint No. 0966 of 2025 (File ref: ODPC/CIE/CON/2/3(130)) |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |

A hospital patient complained that AGC Tenwek Hospital repurposed his phone number, collected solely for registration and bill payment, to send him unsolicited marketing messages without his consent. The ODPC found violations of purpose limitation, lawful basis, and commercial use provisions, ordering compensation of KES 250,000 and an enforcement notice.
The complainant lodged a complaint with the ODPC on 2 July 2025. He alleged that he had provided his phone number to AGC Tenwek Hospital exclusively for the purposes of hospital registration and payment of medical bills. Notwithstanding this limited purpose, the respondent subsequently sent him an unsolicited marketing message using the same number. The complainant contended that this amounted to an unlawful repurposing of his personal data for direct marketing without his express consent, in violation of the Data Protection Act, 2019. The respondent was notified of the complaint on 15 August 2025 and requested to provide its response, supporting documentation, any agreement authorising the use of the complainant's data for marketing, and details of mitigation measures taken.
The respondent failed entirely to submit a response to the notification of complaint. Pursuant to Regulation 11(2) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, the ODPC proceeded to determine the complaint on the basis of the complainant's uncontroverted allegations.
The ODPC found that the respondent's continued processing of the complainant's personal data for marketing purposes — without prior notice or disclosure of such intended use — constituted an infringement of the complainant's right to be informed under Section 26(a) of the Act. The ODPC further held that by diverting the complainant's phone number from its original billing purpose to marketing communications, the respondent had engaged in processing incompatible with the initial purpose of collection, in breach of the purpose limitation principle under Section 25(c). The ODPC noted that Section 30 requires processing to be based on a lawful ground, the most relevant of which in this context would have been the complainant's explicit consent — of which no evidence existed. Under Section 32, the burden of proving consent rests on the data controller; the respondent failed to discharge this burden. Finally, the ODPC applied Section 37(1), read together with Regulation 14(1)(c) of the Data Protection (General) Regulations, 2021, which explicitly prohibits using personal data for commercial purposes without consent and identifies sending electronic marketing messages as constituting commercial use. The respondent's conduct fell squarely within the definition of prohibited commercial use.
The relatively high compensation award of KES 250,000 may reflect the ODPC's concern about the respondent's complete failure to engage with the complaint process. Healthcare providers occupy a position of particular trust in relation to patients' personal data, and this case signals that hospitals and clinics that collect contact details for clinical or administrative purposes must take care not to repurpose those details for marketing without a fresh, specific consent. The case is also a reminder that non-response to an ODPC notification is not a neutral choice: the ODPC will proceed to determine complaints on the basis of uncontroverted allegations.