BENSON ADIE vs. SEQUOIA HEIGHTS INTERNATIONAL SCHOOL
1. Introduction
The case involves the Complainant, Benson Adie, alleges that the Respondent, Sequoia Heights International School, unlawfully processed his personal data to register and promote the school as its principal without his consent, violating the Data Protection Act, 2019.
Table of Contents
2. Nature of Complaint
The respondent is alleged to use complainants name and photo on the school’s official website as the principal without his consent to seek approval from the Ministry of Education as the principal of the school without following due procedure. The complainant provided his credentials for an employment purpose that did not materialize.
3. Analysis of Evidence
Complainant’s Position
- Adduced a School Registration Assessment Report dated 24th August 2023 showing his name as the principal
- Provided links to the school’s official website and Facebook page displaying his image and referencing him as principal
- Submitted a demand letter to the Respondent, which went unaddressed
Respondent’s Defense
- Denied using the Complainant’s credentials to seek Ministry approval
- Claimed it was not aware of the websites and Facebook account allegedly operating under its name
- Argued that the burden of proving the allegations lay with the Complainant
- Attached a report showing credentials of the officers it claimed to have used
4. Issues for Determination
- Whether the Respondent fulfilled its obligations under the Act
- Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations
5. Final Determination
The Data Commissioner found:
- The Respondent, Sequoia Heights International School is hereby found liable for using the Complainants’ image for commercial gain without their knowledge and consent thereby violating his rights as envisaged in the Data Protection Act No. 24 of 2019.
- The Respondent is hereby ordered to compensate the Complainant a sum of Kshs. Five Hundred Thousand Shillings only (Kshs. 500,000).
- Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days.
6. Significance and Impact
Employer-Applicant Data Protection
- Clarifies that personal data provided during job applications cannot be repurposed for commercial use if employment does not materialize
- Establishes that data controllers must cease processing personal data once the original purpose (e.g., recruitment) is concluded
Consent and Burden of Proof
- Reinforces that the burden of proving consent lies with the data controller or processor, not the data subject
- Sets a clear precedent that “express consent” under Section 37(1)(a) is non-negotiable for commercial use of personal data
Digital Footprint and Organizational Accountability
- Holds organizations accountable for all digital platforms operating under their name, including websites and social media accounts
- Disproves claims of ignorance regarding online presence—ownership and control of digital assets attract legal responsibility
Post-Complaint Remedial Actions
- Clarifies that pulling down infringing content after a complaint does not absolve liability for the initial violation
- Emphasizes that proactive compliance is required, not reactive damage control
Broader Impact: This determination warns employers against repurposing recruitment data for commercial use without explicit, informed consent. It reinforces the ODPC’s investigative authority to independently verify claims. Organizations must embed robust data protection protocols in recruitment and marketing. Regular audits of digital presence and clear consent mechanisms are now non-negotiable.

