In or around August 2024, one Richard Wafula had a wedding and held the wedding reception at one Hotel Tobriana.
In October 2024, Mr Wafula lodged a complaint with the Office of the Data Protection Commissioner (ODPC) against the hotel, complaining that the hotel had obtained images and videos of himself, his wife and their wedding guests, and published then on their social media pages, without the consent of the people in the images.
The ODPC asked the hotel to respond to the allegations and to provide, among other things, “an elaborate representation of how data subjects can exercise their rights in relation to data protection” and “mitigation measures adopted or being adopted to address the complaint to the satisfaction of the Complainant and to ensure that such occurrence mentioned in the complaint does not take place again.”
The hotel did not respond to the complaint.
The Complainant had written a demand letter asking the hotel to remove the said posts. The hotel did not remove the posts. In fact, according to the determination, as at the time the ODPC was issuing the determination, the posts were still up.
The ODPC found that:
The hotel violated the Complainant’s right to erasure of personal data.
The hotel failed to inform the Complainant –
– of his rights with regard to the use of the images and
– of the fact that it intended to use the images for marketing and
– of the measures in place to protect privacy.
The hotel used personal data for commercial purposes without obtaining express consent from the Complainant or the data subjects.
The ODPC directed the hotel to remove the Complainant’s images from its social media pages within fourteen days of the service of the determination.
The ODPC ordered the hotel to pay the Complainant Kenya Shillings Seven Hundred and Fifty Thousand (KShs. 750,000/-) as compensation.
Lessons
1) The obvious lesson is not to use people’s images without their express, prior consent, preferably in writing.
2) If you handle people’s data, put in place data protection measures, and have them documented.
3) I’m not sure why the hotel did not respond to the Complainant or to the ODPC, but I suspect the outcome would probably be better for the hotel had they responded.
Many of the cases handled by the ODPC that end up being costly to the data handlers go that way not because of technical issues, but because of failure to have or follow proper procedure.
If you need help setting up proper policies and procedures to protect your clients’ data and your purse, please get in touch.
You can find the ODPC Determination here. (PDF. Opens in new tab)