ESTHER MAREKA SUING ON BEHALF OF M.N (MINOR) vs. HENNER GMC
1. Introduction
The case is in respect to the complainant, Esther Mareka suing on behalf of her minor son M.N against Henner GMC, on the use of her son’s personal data during a training session without her knowledge or consent. This action is against the Data Protection Act, 2019 provisions.
Table of Contents
2. Nature of Complaint
The complainant’s son’s personal data was used during a training session without her knowledge or consent. The complainant alleged that the respondent sent an erroneous guarantee payment email concerning the hospitalization of her son in Uganda, which caused great confusion as she was not aware of her son being hospitalized while she was away in another country.
3. Analysis of Evidence
Complainant’s Position
- Received an email from the Respondent’s official email address concerning the hospitalization of her son in Uganda on diverse dates in June 2023
- At the time of the alleged hospitalization, she was away in another country attending a conference, causing great confusion
- Reached out to the Respondent who confirmed that her son’s data had been used during a training session in Uganda
- Provided email correspondence and demand letters sent through her advocates
Respondent’s Defense
- Confirmed that contrary to their internal processes, they carried out a training and test using the Complainant’s son’s name, date of birth, and member ID
- Stated that the rest of the details were fictitious and the training generated an erroneous guarantee payment email
- Acknowledged the error and apologized immediately through emails and took measures to ensure the healthcare provider deleted the details
- Relied on legitimate interest under Section 30 to improve the quality of services as the lawful basis
- Argued that no health data was broadcasted and no real risk of harm occurred, therefore no compensation was warranted
4. Issues for Determination
- Whether there was an infringement of the minor’s rights under the Act
- Whether the Respondent fulfilled its obligations under the Act
- Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations
5. Final Determination
The Data Commissioner found:
- The Respondent used the minor’s personal data during a training session without obtaining parental consent.
- The Respondent relied on “legitimate interest” to improve services as the lawful basis, which was not sufficient for processing a minor’s data.
- The Respondent failed to notify the ODPC of the data breach despite the erroneous use of real personal data.
- The Respondent’s actions caused confusion and distress to the Complainant regarding her son’s hospitalization.
Orders:
- Compensation of Ksh 800,000 to the Complainant.
- An Enforcement Notice is issued against the Respondent.
- Right of appeal to the High Court within 30 days.
6. Significance and Impact
Minors’ Data Protection
- Reinforces the stringent requirements under Section 33 for processing children’s data, requiring parental consent and protection of the child’s best interests
- Establishes that consent for insurance purposes does not extend to training or other purposes
Legitimate Interest and Data Processing
- Clarifies that “improvement of services” cannot be the basis of legitimate interest under Section 30 when it involves minors’ data
- Data controllers cannot rely on legitimate interest to justify processing minors’ data for purposes unrelated to the original collection
Broader Impact: This determination addresses a critical gap in Kenya’s data protection framework regarding the protection of minors’ data. It establishes that organizations cannot use children’s personal data for training or testing purposes without explicit parental consent. This ruling will require healthcare insurers and other organizations handling minors’ data to implement robust safeguards.

