Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Zahira Ninah Mwalimu complained that a cybercafé operator, Joshua Misaro, unlawfully processed her personal data, including sensitive health and family information, after she provided documents for printing. The documents were uploaded to the public Scribd platform without consent, violating the purpose limitation principle. The ODPC found the Respondent liable and ordered compensation of KES 100,000/-.

Facts

The Complainant, Zahira Ninah Mwalimu, alleged that the Respondent, Joshua Misaro, a cybercafé operator, unlawfully processed her personal data without consent or any lawful basis. Specifically, the Complainant stated that on or about 24th January 2025, she visited the Respondent's cybercafé, known as "Esla Kopi," operated by Joshua Misaro, for the limited purpose of printing certain documents. She forwarded the documents to the Respondent via WhatsApp after personally requesting her number and subsequently paid for the printing. The Complainant asserts that the documents, which included a sworn affidavit containing highly sensitive personal and family information prepared in support of her application for a legal name change, were entrusted to the Respondent for the limited purpose of printing. The Applicant claimed that the Respondent subsequently uploaded these documents onto the Scribd online platform, under the account name "Elsa Kopi," making them publicly accessible and exposing her personal data to unauthorized disclosure, thus unlawfully disclosing and publishing her personal data without consent. She also claimed that upon confronting the Respondent on 19th March 2025, he admitted responsibility for the unlawful disclosure and agreed to compensate her KES 10,000/-, although she disputed the authenticity of this agreement later. The Complainant sought appropriate remedies.

The Respondent, Joshua Misaro, furnished a statement of response denying all allegations in the complaint and putting the Complainant to strict proof. He claimed that he operates a cybercafé under the registered business name Epots Technologies and not "Esla Kopi," asserting the complaint was ill-conceived and malicious. The Respondent contended that there was no credible evidence linking him to the online publication on Scribd. He argued that his cybercafé admits all walk-in clients who access computers freely, and that the Complainant must have personally accessed one of the computers to transmit her own documents. He noted that the office WhatsApp number used to receive documents is open to the public and that documents are deleted after printing, making it impossible for him or his staff to upload them. The Respondent also disputed the authenticity of the purported agreement for payment of KES 10,000, claiming the signature was a forgery and the document invalid. He asserted that he neither owns nor has ever operated a Scribd account and only came to know of the platform after being confronted by the Complainant. Finally, the Respondent argued that the claims were defamatory, an attempt at extortion, malicious, speculative, and without legal foundation, pleading for the complaint to be dismissed.

The Office of the Data Protection Commissioner (ODPC) determined two main issues: whether the Respondent unlawfully processed the data, and whether the Complainant was entitled to remedies.

1. Unlawful Processing: The ODPC found that the Complainant engaged the services of Epots Technologies (through the Respondent) for the specific purpose of printing her documents. The purpose of processing was deemed exhausted upon issuance of the printed copies, meaning any subsequent retention or use of the documents was outside the lawful scope of the original instruction. The affidavit contained sensitive personal data relating to the Complainant's mental health, family circumstances, and religious conversion, which required a heightened standard of protection. The subsequent act of uploading the sensitive data to a public platform like Scribd constituted secondary processing that was unlawful, unfair, and lacking in transparency, with no lawful basis for the repurposing or disclosure. The ODPC found that this uploading was a blatant violation of the Act, specifically the purpose limitation principle. The Respondent's attempt to evade liability by stating that multiple clients use the same computers was deemed insufficient to discharge his statutory obligations; the ODPC stressed that the primary duty to ensure the security of personal data rests with the data controller or processor. The ODPC concluded that the Respondent, acting on behalf of Epots Technologies, bears liability for the unlawful processing of the Complainant’s personal data.
2. Entitlement to Remedies: The ODPC found that the Respondent had unlawfully processed the Complainant's personal data in contravention of the Act, and therefore, the Complainant was entitled to compensation for the damage suffered, which includes distress.

• Legal Provisions Reviewed

Holding

In consideration of all facts and evidence, the Data Commissioner made the following final determination:

1. The Respondent was found liable.
2. An enforcement notice was ordered to be issued to the Respondent.