taxnews.ey.comPrint

30 October 2025

Kenya Data Protection Commissioner reiterates employers must secure employees' explicit consent to use their images commercially

  • Upcoming Office of the Data Protection Commissioner (ODPC) inspections make this a good time for employers to review their practices around commercializing employee data, particularly in light of a 12 January 2025 ODPC ruling that employers must obtain explicit consent from employees before using their images for commercial purposes.
  • The ruling stems from a complaint alleging that an employee's image was used without consent in marketing materials, highlighting that the burden of proof rests on the employer to demonstrate that consent was obtained.
  • Employers are required to implement clear and transparent consent mechanisms and ensure that employee agreements expressly address the use of personal data for commercial purposes.
  • Businesses should review and update their employee agreements to include provisions for consent, ensuring documentation is readily available to comply with data protection regulations and protect against potential legal liabilities.
 

Executive Summary

In light of upcoming nationwide inspections by the Kenya Office of the Data Protection Commissioner (ODPC) to assess compliance across various sectors, it is timely and prudent for employers to review their practices regarding the commercialization of employee data.

In a decision issued on 12 January 2025, in response to Complaint No. 1618 of 2024, the ODPC underscored the necessity of obtaining explicit consent from data subjects prior to utilizing their data for commercial purposes.

The right to privacy is enshrined in Article 31 of the Constitution of Kenya and is further reinforced by the Data Protection Act of 2019. A core principle of data protection is that consent must be obtained from the data subject, and the consent must be clear, unequivocal and informed. The ODPC is responsible for safeguarding personal data and providing remedies to data subjects whose information has been processed in contravention of these legal requirements.

Detailed discussion

Complainant's case

In October 2022, the complainant (an individual) filed a complaint alleging that the respondent (a solar power company) had utilized his image without consent for marketing and commercial purposes at some point during that year. Specifically, the complainant contended that his image was featured in marketing flyers without his explicit approval. He had made attempts to seek clarification from the respondent's officials regarding the unauthorized use of his image but allegedly received no response. The complainant provided evidence, including the marketing flyers and email correspondence with the respondent, to support his claim.

Respondent's case

The respondent asserted that the complainant was employed as their field agent responsible for conducting sales. They claimed that the images in question were captured in the field and were utilized in marketing flyers to enhance the visibility of their field agents.

Furthermore, the respondent indicated that, after the Data Protection Act 2019 was enacted, the company revised the field agent agreement and distributed it to its field agents; the revised agreement included a photo-consent form for the collection and processing of images aimed at improving the visibility of the field agents. However, the complainant had not received this revised agreement, as he was no longer engaged in sales for the respondent. Additionally, the respondent asserted that it had ceased printing flyers featuring the complainant's image.

ODPC's determination

The ODPC determined that the respondent used the complainant's photograph for commercial purposes without obtaining explicit consent. At the time the photograph was taken, the complainant was acting as the respondent's sales agent. Under Section 37(1) of the Data Protection Act 2019 and Regulation 14(1) of the Data Protection (General) Regulations 2021, personal data cannot be used for commercial purposes without express consent or authorization under a written law.

The Act requires consent to be express, unequivocal, freely given, specific and informed. The burden of proof rests on the data controller or processor to demonstrate that consent was obtained. In this case, the respondent failed to provide evidence showing that the complainant's consent had been secured. Consequently, the ODPC ruled that the respondent had violated the complainant's rights by using his personal data for financial gain without authorization and ordered the respondent to compensate the complainant 500,000 Kenyan shillings (KES500k).

This ruling reinforces the requirement for businesses to implement clear and transparent consent mechanisms when processing personal data for commercial purposes and highlights the legal risks associated with noncompliance.

Conclusion

This ODPC decision highlights the importance of obtaining consent from data subjects regarding the collection, processing and utilization of their data. It is essential for Data Processors and Data Controllers (defined here) to ensure that explicit consent is secured from data subjects for all categories of data they handle.

It is also prudent for employers to review and revise employee agreements as necessary, to include explicit provisions on the use of personal data for commercial purposes, and to ensure that employees sign to acknowledge their understanding and consent.

Moreover, this consent must be documented in a manner that can be readily presented as evidence. Businesses should regularly audit these records to ensure they remain up to date and accessible for compliance purposes. The emphasis on consent is not merely a legal requirement; it is a fundamental principle that protects the rights and privacy of individuals' data.

* * * * * * * * * *
Contact Information

For additional information concerning this Alert, please contact:

Ernst & Young (Kenya), Nairobi

Ernst & Young LLP (United Kingdom), Pan African Tax Desk, London

Published by NTD’s Tax Technical Knowledge Services group; Carolyn Wright, legal editor

Document ID: 2025-2192

 

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting or tax advice or opinion provided by Ernst & Young LLP to the reader. The reader also is cautioned that this material may not be applicable to, or suitable for, the reader's specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The reader should contact his or her Ernst & Young LLP or other tax professional prior to taking any action based upon this information. Ernst & Young LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

 

Copyright © 1996 – 2025, Ernst & Young LLP

 

All rights reserved. No part of this document may be reproduced, retransmitted or otherwise redistributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP.

 

EY US Tax News Update Master Agreement | EY Privacy Statement