The effect of the 90-day period for deciding on complaints submitted to the Office of the Data Protection Commissioner in Kenya

Paul Ogendi

Dr Paul Ogendi is a lecturer at the University of Nairobi, Faculty of Law-Kisumu Campus. He is also an Advocate of the High Court of Kenya.

The Allen Waiyaki Gichuhi S.C. versus Data Protection Commissioner (2023) case dealt with the effect of the Office of Data Protection Commissioner (ODPC) determining a complaint submitted to it outside the 90-day period set by the Data Protection Act (DPA).

The applicants’ employee had shared confidential information about the personal and sensitive data of their clients. On 20 July 2022, the applicants filed a complaint with the ODPC. On 6 January 2023, the ODPC made its decision – well beyond the 90-day period set by the DPA. The ODPC dismissed the complaint because the documents shared by the complainants’ ex-employee with a third party related to corporate and not natural persons, and were part of the public record. The applicants then approached the High Court for a remedy to the ODPC’s determination. Justice Chigiti ruled in their favour.

The 1st interested party raised a preliminary objection that the applicants had no authority to seek judicial review orders on behalf of their clients. The judge found that the applicants could file the case because even though legal persons cannot lodge complaints with the ODPC, in this case they were partners in a law firm and were therefore natural persons.

However, the judge failed to address various pertinent issues:

  • He should have satisfied himself that the personal data related to a data subject who was a natural and not a legal person.
  • He should have addressed the issue of agency. The applicants were natural persons or partners in a law firm, but can a lawyer/legal office holding personal data belonging to a third-party data subject be protected by the enforcement provisions of the DPA? Put differently, can a law firm such as the one belonging to the applicants rely on the DPA to protect personal data lawfully placed in their possession? Whose privacy will they be protecting? There is thus a need to examine the privacy interests of institutions in relation to personal data they hold on behalf of their clients. The DPA seems to deal with this issue as a personal data breach. The data controller must notify the Data Commissioner within 72 hours of becoming aware of the breach. The data processor must notify the data controller of any breach and where possible within 48 hours of becoming aware of such a breach. The data controller is then expected to write to the data subject within a reasonable time.
  • The Act appears to suggest that the data subject must act on his or her own behalf. It seems that other institutions, including law firms, cannot use the ODPC complaint procedure – only the data subject. Law firms that may be categorised as data controllers can only access the notification and communication of breach provisions of the DPA. As this was not addressed in Court, it is a lost opportunity.
  • Who can lodge a complaint with the ODPC? The judge noted that it should be a natural and not a legal person, but he should have stated that the data subject should file the initial complaint at the ODPC and, if aggrieved, then approach the High Court.


The judge relied mainly on the provision for a 90-day period for determining complaints to decide the case, which was in favour of the applicants as the ODPC decision was rendered outside the 90-day timeline. Consequently, he issued an order compelling the respondent to readmit the complaint filed by the applicants, with that investigation to be completed within 30 days of the date of readmission.

This suggests two things: (1) the complaint process at the ODPC is highly regulated; and (2) the timeline for rendering a decision must be strictly adhered to. Failure to make a decision within 90 days prevents the ODPC from deciding on the matter. This has important implications, especially in resource-deficient settings. The ODPC cannot wait for parties to act within their timelines. They can investigate and decide on issues with or without the assistance of the parties. The ODPC should thus act immediately if a complaint is filed.

The orders issued by the judge are, however, troubling. While it is acceptable that an order be issued to quash the initial decision of the ODPC and direct the matter to be readmitted for determination, it is problematic that the judge ordered that the fresh investigations be completed within 30 days of the date of readmission. The DPA has no such requirement and it is unclear why this was prescribed by the judge.

The judiciary is a critical institution that is supposed to interpret the law and clearly communicate the law through its decisions. Where there is an opportunity to do so, it should critically consider all issues and ensure that it clarifies the law.