Toggle navigation

Case scenarios

Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).

Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).

It is possible for two separate organizations to be data processors of the same data. Taking the example of, one organization running the analytics whereas another organization storing the data – both are data processors of the data.

Similarly, the same organization can be both a data controller and data processor. Taking the example one step further, if our analytics provider runs a customer’s data through its systems, the provider will be the processor of that data. However, the analytics provider may hold any number of other data sets, perhaps which it uses in its analytics tools. If the analytics provider is entitled to determine the way in which that other data is used, it will be the controller of that data.


  1. if you have outsourced a number of tasks whereby personal data is involved and the company you outsourced it to is too busy and needs to find another company for one specific task (or finds that cheaper as happens so often in so many business areas)as a controller you must know and approve that. This also goes when there are (even temporary)
  2. A bakery has many employees. It signs a contract with a payroll company to pay the wages. The bakery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The bakery is the data controller and the payroll company is the data processor.
  3. A company/organization offers babysitting services via an online platform. At the same time another organization has a contract with another company allowing one of the companies to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent video games that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and video games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of ‘combined services’ but they also design and use a common platform.
  4. The HR department of your organization (the controller) has methods to process personal data of candidates and employees that need to be protected and used. Some of those HR data processing data activities (or all of them or anything in-between)could be outsourced. The company you outsource to then is a processor.
  5. Your marketing team processes personal data of a potential and existing customer. When it works with an email marketing company or agency, for instance, that uses these data for campaigns, the latter are processors.

Are you a controller?

I decided to collect or process the personal data.

I decided the purpose of the processing.

I decided what personal data should be collected.

I decided which institution/Agency/Individual to collect personal data about.

I obtain a commercial gain or other another benefit the processing, except for any payment for services from another controller.

I processing the personal data as a result of an offering a service to the data subject.

Are you a processor?

I am following instructions from someone else regarding the processing of personal data.

I was given the personal data by a customer or similar third party, or told what data to collect.

I do not decide to collect personal data from individuals.

I do not decide what personal data should be collected from individuals.

I do not decide the lawful basis for the use of that data.

I do not decide what purpose or purposes the data will be used for.

I do not decide whether to disclose the data, or to whom.

I do not decide how long to retain the data.

I may make some decisions on how data is processed, but implement these decisions under a contract with someone else.

Lost file by Data Processor

Salma was in the middle of a legal battle in regards to a succession matter. She had engaged Ndege Co Advocates to represent her in this matter. During the duration of the case Salma realized that the law firm was not giving her matter the necessary attention and therefore sought new legal representation, however, she found out that the file was lost by her former Advocate. The file contained sensitive medical documents which related to their husband’s illness which was caused by medical negligence. The loss of the file had implications for a case Salma had sought to take in relation to the medical negligence. Salma was distressed due to the loss of the file in particular as it contained such sensitive data.

Salma brought the complaint to the Data Commissioner.

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

Philomena was a client who disclosed personal data to a company XYZ with a view to availing of their services. Her data was subsequently lost and she was mistreated by the company in that they disregarded her concerns and refused to engage with her in relation to the lost data. The data included her name, address, phone number and bank details and the loss of same caused her much stress and anxiety.

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

Patapata insurance company refused to pay out on foot Abunwasi’s policy on the basis that he had not disclosed certain data on his policy form. He sought a Data Subject Access Request to take up a copy of the insurance policy. Pursuant to the Data Protection Act the controllers are obliged to comply with such a request within a 7 days’ time limit. If they fail to comply they are in breach of the Act. The insurance company in this case did not furnish the requested policy for some 22 months.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

Jane brought an allegation that her personal medical data held by her Embaramba General Practitioner was disclosed to a third party. The third party was an insurance company that sought data pertaining to her shoulder injury and had a consent form signed by her to allow her G.P. to release any “relevant medical data”. The G.P. concerned furnished a full copy of her file to a third party which disclosed other sensitive medical data, none of which were related to the shoulder injury.

Following the investigation of Jane’s complaint and having carried out investigations into the matter the Data Protection Commissioner, seeks your advice on the following?

Discussion Questions

  1. The non-compliant issues you can identify in this scenario
  2. What action would you recommend the Commissioner to take and why?

Almasi brought a complaint about her employer having read her emails and having printed out her emails from her personal email. She had been employed in her position for the previous eight years and on attending at the building at 3 a.m. due to an alarm activation, a possible break-in, she discovered a print-out from her personal email account on her employer’s desk. Other emails were also printed out from our client’s work computer. Since Almasi did not print out those emails herself it was therefore clear to her that her employer had accessed her personal email account.

The following day she took the printout of the emails to her employer and asked for an explanation. No explanation was forthcoming and later that day she received a call and was informed that she should stay away from work until such time as the Board of Management had time to discuss her matter.

The matter was reported to the Office of the Data Protection Commissioner.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

James’ Employer requested a psychological assessment be carried out on him to determine his ability to return to the workplace after a period of absence on sick leave. The person concerned had received a copy of the medical report in question from the medical practitioner who carried out the assessment and considered the contents to be inaccurate. The person concerned then requested that the report be rectified to reflect what she considered to be an accurate description of the circumstances. However, the data controller, a consultant psychiatrist, reverted stating that it was not possible to make the kind of alterations to the independent medical assessment that had been sought.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

Amboko complained regarding the use of CCTV footage by his employer in a disciplinary process against him. In his complaint he informed the Data Commissioner that while employed as a security officer, his employer had used his personal data, in the form of CCTV footage, to discipline and ultimately dismiss him. The complainant stated that he had not been given prior notification that CCTV footage could be used in disciplinary proceedings.

In the course of the investigation, the employer informed the Data Commissioner that Amboko had worked as a night officer assigned to client premises, and had been required to monitor the CCTV system for the premises from a control room. The employer’s position was that, upon being assigned to the premises in question, the complainant had been asked to read a set of “Standing Operating Procedures” which indicated that CCTV footage could be used in an investigative process concerning an employee. The employee had also been asked to sign a certificate of understanding to confirm that he had read and understood his responsibilities. The employer maintained that the CCTV system in place at the premises was not used for supervision of staff as there was a supervisor at the premises during office hours between Monday and Friday.

The employer informed the investigators that it was the complainant’s responsibility, as the sole night security officer on duty at the premises, to monitor the CCTV system for the premises from the control room. The requirement to have a night security officer on duty in that control room for that purpose was a term of the employer’s contract with its employee.

The employer also informed Data Commissioner that the complainant had later admitted in an email, that the reason for these absences was that the complainant had gone into another room so that they could lie down on a hard surface in order to get relief from back pain arising from a back injury.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

A complaint was filed by two individuals who each claimed that their personal data had been unlawfully disclosed when it was broadcast on “pichachat”, an instant messaging and multimedia mobile application.

The complainants, who were friends, informed the Data Commissioner that they had each submitted their CV with a cover letter to a particular retailer, in person, by way of application for employment with that retailer. The applications had been made by the complainants on the same day and had been received by the same employee of the retailer. Later on the same day the complainants had learned from a third party that a photograph showing both cover letters was appearing on “Pichachat” with a message drawing attention to similarities in the cover letters. It was the complainants’ common understanding that the employee of the retailer to whom they had submitted their CVs had taken this photograph and posted it to “Pichachat”.

During the course of investigation of these complaints, it was established that the employee of the retailer to whom the complainants had handed their CVs and cover letters had been recently notified by the retailer of the termination of their employment. Contrary to the retailer’s policy and the terms of their contract of employment, the employee had a mobile phone on their person during work hours and had used it to take a photograph of both the cover letters and to post it to “Pichachat”. The retailer informed the investigators that the employee was aware that this action was contrary to their contract of employment and the actions of the employee were done in circumstances where the employee was about to leave their employment. The retailer insisted that, in this instance, there was nothing further it could have done to prevent this incident from occurring.

In her decision, the Commissioner found that the retailer, as the data controller had violated the complainants’ rights under the Data Protection Act.

  1. Do data controllers have an obligation to ensure that their employees comply with data protection law?
  2. How can they achieve this if they do have an obligation
  3. What is the course of action the Data Commissioner will take?

Victoria filed a complaint after she had received unsolicited marketing telephone calls from Tembea Limited after she had previously asked the company not to call her again. The complainant was a customer of Tembea Limited and she informed the Data Commissioner that the calls promoted Tembea Limited products. She advised that when the company first called her she had asked that her details be placed on the “Do Not Call” list as she did not wish to receive any further marketing calls. She stated that when the company called her again she repeated that she wanted her details to be placed on the “Do Not Call” list but despite her two requests she had received a further unsolicited marketing telephone call to her mobile phone.

During the investigation of this complaint, Tembea Limited informed the Officers that due to human error the complainant’s account was not updated correctly to record the “Do Not Call” requests. It confirmed that the complainant’s details had since been removed from the marketing database and it apologised for any inconvenience caused to her.

  1. What Important lessons can we draw from this scenario?
  2. What ought the Controller/Processor to ought to do to avoid such incidences?

Mercy has been receiving unsolicited marketing text messages from MZ Living Furniture despite having, on three previous occasions, requested them to stop. The complainant informed the ODPC that she had made a purchase from the company in the past.

As part of the investigation of this complaint, The ODPC asked MZ Living Furniture to show evidence of the consent of the complainant to receive marketing text messages in the first instance. Also sought an explanation as to why her requests to opt-out had not been actioned.

In response to the queries, MZ Living Furniture stated that, in respect of marketing customers sign into the company’s terms and conditions printed on the back of receipts. It drew attention to one of the terms and conditions to the effect that customer information would be retained by the MZ Living marketing department and would be added to its database to be used for mailing lists and text messages. In relation to the complainant’s opt-out requests not being complied with, MZ Living Furniture explained that there had been a changeover of service providers and the new service provider had a different method for opting out. It claimed that it was totally unaware that the opt-out facility was not working until it received the ODPC investigation letter. It assured the ODPC that the opt-out issue had now been resolved and it said that it had sent an apology to the complainant.

  1. Discuss the issue of consent in this scenario
  2. What Important lessons can we draw from this scenario?
  3. What ought the Controller/Processor to ought to do to avoid such incidences

Mercy was employed by Merceline to work at her premises. On or about 25th May 2019, Mercy fell ill and was admitted at a hospital facility. While at the hospital, the Doctors conducted a series on tests on her, among them being an HIV test. While at the hospital, Mercy was given admission forms where she appended her signature on the consent/admission form prior to testing. No pre-test or post-test counselling was done.   Thereafter, the Doctor disclosed the results of the tests publicly, despite Mercy being admitted in a ward with other patients, which caused Mercy to suffer emotional and psychological distress. The Doctor also disclosed her status to Mercy’s Human Resource Department without the Mercy’s consent. As a result of these actions, Mercy suffered physically, emotionally and psychologically.


  1. Whether consent was given?
  2. Whether the disclosure of Mercy’s status by the Hospital was justified?
  3. What category of personal data was disclosed in this case?
  4. Give recommendation on how the scenario should have handled


Data Breach at an Online Retailer

FagiaWote operated a retail and online shop. The organisation had been notified by a customer that their credit card was used in a fraudulent transaction without their knowledge which they believed arose from their provision of payment details online to the organisation.FagiaWote had engaged an expert third party to conduct an analysis of its website. It was determined that the payments system on the website had been compromised by malware for the previous 6-8 weeks. The malware copied data entered by customers during the online payment stage to an external destination.

Upon investigation it was discovered that:-

  • No contract or service level agreement existed between the Fagiawote and the company contracted to handle the payment system.
  • No steps were taken to ensure that the said company was compliant with technical security and organisational measures.

In Light of the above

  1. What are the noncompliant issues?
  2. Advise the ODPC what course of action to take
  3. Discuss the minimum requirements for agreement between controllers and processors

Kamal was an employee of a state body he filed a complaint in relation to the alleged unfair processing of his personal data. The complainant stated that, in the course of a meeting, he had been advised that his manager had requested access to data from his security swipe card in order to compare it with his manually completed time sheets. The complainant explained that this had been carried out without any prior consultation with him or his line manager. By way of background, the complainant informed the investigating Officers that the security swipe cards used by the employees were for accessing the building and secured areas only, and were not used as a time management/attendance system.

The ODPC sought an explanation from the body concerned as to how it considered that it had complied with its obligations under the Data Protection Acts in the processing of the complainant’s personal information obtained from his swipe-card data. The ODPC also advised that it had sight of the relevant section of its staff handbook and noted that there was no reference to the swipe card being used for the purpose of checking attendance.

The ODPC received a response explaining that the swipe-card data relating to the complainant was handed over to the complainant’s manager in good faith on the basis that it was corporate rather than personal data. The organisation also confirmed that it checked the staff handbook and any other information that may have been circulated to staff regarding the purposes of the swipe card and that there was no mention of the use of swipe cards in relation to recording time or attendance. It advised that the focus of the information circulated with regard to swipe cards was on security and access only.

After consideration of the response received, along with the content of the complaint, the organisation concerned was informed that as per the Data Protection Acts were breached when the employee’s swipe-card details were provided to his manager to verify his working hours.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

JMZ Bank allegedly had disclosed personal data and account information in relation to a mortgage on a property owned by the complainant to a third parties. Upon commencing an investigation of the matter by writing to JMZ Bank, outlining the details of the complaint. The ODPC received a prompt response from JMZ Bank, which stated that the complainant and the individual who received his personal data were joint borrowers on certain loan facilities and that it was during the course of email communications with the other individual in respect of that individual’s loan arrears that the personal data relating to the complainant was disclosed to two third parties. JMZ Bank admitted that this was an error on its part and stated that it was unfortunate that it had occurred. It went on to explain that, in dealing with the queries raised by the other individual in respect of his arrears and entire exposure to JMZ Bank, the relationship manager also included information on all arrears in respect of that individual’s connections, which included the complainant. The staff member concerned expressed his regret at the incident and JMZ Bank confirmed that the staff member was reminded of its procedures with regard to data protection and the need to be vigilant when dealing with the personal data of customers.

Discussion Questions

  1. What are the issues in this case?
  2. Discuss the organizational and Technical Measures that should be in place to avoid such instances
  3. What action would you recommend the Commissioner to take and why?

A member of a credit union complained in relation to the alleged disclosure of his loan and savings information by the credit union to his daughter. By way of background, the complainant explained that he was a guarantor on a credit union loan to his daughter. He received a letter from the credit union to inform him of difficulties that his daughter was experiencing with her loan. The purpose of the letter was to call on him, as the loan guarantor, to pay the balance of monthly repayments. He outlined that the letter was addressed to him and that it contained his membership number along with his savings and loan details, including balance outstanding. Soon afterwards, his daughter called to his house with a copy of the same letter as the credit union had also sent it to her. The complainant said that he considered this disclosure of his financial information to be a gross violation of his privacy.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

The Office received a notification from a data controller, in accordance with the Notification of Personal Data Breach. The notification alerted the Office to the fact that data relating to a large number of students had been discovered on a website that was unrelated to the data controller. The data related to the 2020 academic year.

The Office began an investigation of the matter. The data controller advised the investigation team that the information disclosed on the website included the name, email address and password of the student. The investigation team confirmed that there was no financial or sensitive data involved.

The data controller engaged an external security company to carry out its own investigation into the security breach.

Due to the passage of time, there were no server logs showing when or by whom the data had been uploaded to the website. However, the data controller was able to identify that the data published matched a file created for testing purposes earlier. This file was then sent to a third-party service provider who was engaged in developing a management system for the data controller. The file was sent via unsecured email.

The third-party service provider informed the data controller that while there was a relationship between their staff and the website on which the data was published, they had conducted a very thorough review of the matter and could find no evidence to show that the file had been posted onto the website due to an act of omission on their part.

Upon evaluation of the information showed that the data controller, when creating student accounts, used generic passwords when generating the student accounts. The password was the date of birth of the student. While students could change their passwords, they were never advised to change them.

While it could not be determined exactly how the data appeared on the website, it was evident that there had been a breach of the Data Protection Acts, in that appropriate security measures were not in place to prevent the unauthorised disclosure of personal data.

During investigation it was also found that the use of live data for testing purposes was not in accordance with data-protection best practices. Where live data is being used by an organisation for testing purposes, there would have to be a strong justification for such use and the ODPC was not aware of any justification applicable in this particular case.

Discussion Questions

  1. Identify the problem in this scenario
  2. What are the issues in this case?
  3. What action would you recommend the Commissioner to take and why?

Company X is an ICT foreign company incorporated in the U.K. Recently, the company decided to expand its services to Africa and specifically, Kenya. It identified a gap in the health industry and specifically, most Kenyans could not access healthcare conveniently. Company X decided to incorporate an entity in Kenya which would provide the E-health services to its Kenyan clients. They have approached you to give a legal opinion on how to go about this.

Please advise the company on the following:

Company X has requested you to audit their Data Protection Act compliance status for the group and to provide an advisory that will enable them to comply with all the Data Protection Laws and regulations for all the departments and across all operations.

A parent put in a subject access request to view the medical records of their child. The Medical facility Lawyers informed the legal representative for the child’s family that the access request raised matters of serious importance to their client and that they wished to be absolutely sure of their position prior to making a formal reply. During the Data Commissioner’s investigation, they exchanged correspondence on several occasions with the medical facility Lawyers. The Medical facility Lawyers acknowledged that their client owed statutory obligations under the Data Protection Acts but stated that their client also owed several other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were able to comply with the access request. In later correspondence, The ODPC was told that the request had raised a fundamental problem for the medical facility concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, the medical facility Lawyers informed The ODPC that genuine difficulties had arisen because of the circumstances thrown up by the access request and that the medical facility was anxious not to have any adverse precedents set in relation to the confidentiality issue between doctors and patient.

  1. Discuss the issues in this scenario?
  2. Discuss the balance between data subjects’ rights and other competing vital interests?
  3. Make recommendations on how the Data Commissioner can go about this issue

Bonafya, the hotel chain, hit the headlines in June when a third-party company called sunaform that managed Bonafya’s customer surveys and competitions discovered unauthorised access to its server data which included files related to Bonafya. The breach was thought to have been via a phishing attack.

In a press statement, Bonafya said: “We were notified by Sunaform of the incident on Friday 29 June 2018. Details that could have been stolen include customer names, email addresses, mobile phone numbers, date of birth and/or gender. Payment details and passwords have not been affected.”

A letter to customers, by Bonafya’s chief executive Officer, warned users of its online service to be on the lookout for spam e-mails and included details of a specific spam e-mail that some customers had received. The letter also assured customers that the company had not sold users’ personal data to anyone else and informed them that the incident has been reported to the Information Commissioner.

  • Identify lessons from the reporting of the breach?

On 22nd August, Zain was reported to have suffered a potential data breach. Names, addresses and “in some cases” date of births and phone numbers “may have been accessed”, Zain said. The company issued a statement that there was no evidence its systems had been compromised, however, it believed criminals had got customers’ email addresses and passwords from other websites “and then used those credentials to access accounts on our website”.

Zain said it had notified directly all customers which it believed had been affected and went on to state that criminals had tried to extort a ransom from the company.

  • Discuss the potential holes that still exist in the cyber-security of businesses after the Data Protection coming into force.