Emerging Principles on Sharing Personal Data with Third Parties

The sharing of personal data with third parties remains one of the most sensitive aspects of data protection compliance in Kenya. Recent determinations by the Office of the Data Protection Commissioner (ODPC) continue to highlight the conditions under which personal data may be lawfully shared and the safeguards that organisations must put in place.

Outlined below are some of the key emerging principles guiding lawful data sharing with third parties.

1. There Must Be a Lawful and Proportionate Basis for Sharing Personal Data

Personal data may only be shared where a lawful basis exists under the Data Protection Act, 2019, and where that basis is exercised in a proportionate and rights-respecting manner.

In Glenda A. Oyango v Stawika Capital Limited, the Complainant applied for a loan facility with the Respondent. Although the loan agreement did not specify exact repayment dates, the Complainant undertook to repay the loan in three instalments. Approximately one month after submitting her application, she began receiving communications from third parties who were not parties to the contractual relationship. The Respondent argued that the communications were carried out in the ordinary course of business to verify inconsistencies identified during an internal review and relied on the lawful basis of legitimate interests.

The ODPC held that while legitimate interests may constitute a lawful basis for pursuing debt recovery, it must be exercised in compliance with the Act. The Commissioner noted that less intrusive means were available, including direct engagement with the Complainant. Importantly, legitimate interests must not override the fundamental rights and freedoms of the data subject, including the right to privacy and protection from reputational harm.

2. Data Subjects Must Be Informed and, Where Necessary, Give Fresh Consent Before Personal Data Is Shared

Transparency is a core requirement of lawful data processing. Where personal data is shared with new recipients or for a new purpose, data subjects must be informed and, where applicable, fresh consent must be obtained.

In Eric K. Zakayo & 12 Others v Bohemian Flowers Limited, the Complainants, former employees of the Respondent, alleged that their personal and next of kin details were shared with an insurance company without their knowledge or consent.

The Respondent explained that the employees had previously provided their personal details for purposes of sharing with the original insurer, Kenindia Life Assurance Company, the insurance company administering the scheme. However, following regulatory challenges faced by Kenindia, the Respondent transferred the scheme to another insurance provider based on guidance from the Insurance Regulatory Authority.

The ODPC found that the Respondent used personal data obtained under the original insurance arrangement to onboard the employees to the new insurance provider without informing them or obtaining fresh consent. The Data Commissioner held that the Respondent was required to notify the Complainants and obtain fresh consent prior to processing and sharing their personal data with the new insurer.

3. Parental Consent Is Mandatory Before Sharing a Minor’s Personal Data

Children’s personal data attracts enhanced protection under the Data Protection Act, and parental or guardian consent must be obtained before such data is shared with third parties.

In Everlyn Lavuha Muigita v Nova Pioneer Limited, the Complainant alleged that the Respondent shared her child’s personal data with third parties, including a foreign embassy and travel agents, for visa processing purposes without her consent.

The ODPC found that the Respondent failed to demonstrate that parental consent had been obtained prior to the sharing of the minor’s personal data. As a result, the Data Commissioner held that the Respondent had unlawfully processed the child’s data and awarded the Complainant KES 500,000 as compensation.

4. Data Sharing Must Be Governed by Appropriate Data Sharing or Data Processing Agreements

Where personal data is shared with third parties acting as data processors, the relationship must be governed by appropriate contractual arrangements.

In Maina Kimaru v Premier Credit Limited, the court held that where a data controller engages third parties to process personal data on its behalf, it must enter into data processing agreements that clearly define the scope of processing, roles and responsibilities, and data protection obligations of the parties.

This principle underscores the importance of formalising data sharing arrangements to ensure accountability and regulatory compliance.

5. Disclosure of Personal Data Pursuant to a Court Order Is Lawful

Personal data may lawfully be disclosed where the processing is necessary to comply with a court order or other legal obligation.

In Shakunt R. Shah v Prime Bank Limited, the Respondent shared the Complainant’s personal data with the executors of a deceased person’s estate pursuant to a court order.

The ODPC held that compliance with a court order constitutes a lawful basis for processing and sharing personal data, provided the disclosure is limited to what is strictly required by the order.

6. Employers Are Vicariously Liable for Unlawful Data Sharing by Employees Acting in the Course of Employment

Organisations may be held vicariously liable where employees unlawfully share personal data while acting within the scope of their employment.

In John Onkagi v National Bank of Kenya Limited & Keysian Auctioneers, the Complainant alleged that the Bank shared his bank account details and loan statements with auctioneers without his consent. The Bank argued that the disclosure was carried out by an employee in breach of its internal policies.

The ODPC held that the employee was acting within the scope of his employment when the data was shared. As there was a direct link between the employee’s actions and the transmission of the Complainant’s personal data, the Bank was found vicariously liable for the employee’s conduct.

Conclusion

These decisions reinforce that data sharing is not merely an operational or commercial decision. It is a regulated activity that requires careful assessment of the lawful basis, transparency, proportionality, and accountability. Organisations that fail to embed these principles into their data governance frameworks may find themselves exposed to regulatory enforcement, financial liability, and reputational damage.