Happening Now: NTV KENYA LIVE | Senate Proceedings
Many migrant workers in the informal sector miss out on social protection programmes, such as public health cover, making them vulnerable.
A Nairobi-based human resources and recruitment consultancy firm has found itself on the wrong side of the data regulator after sharing a client’s Curriculum Vitae with a third party without her express consent.
As a result, the Office of the Data Protection Commissioner has directed the firm, Brites Management Services Limited, to compensate the aggrieved with Sh262,500 for the breach.
On October 7, 2024, Margaret Manyange, who was seeking a job as a Legal Assistant, submitted her CV to the HR agency. Four days later, the firm invited her for an interview. Months passed.
Then, on June 18, 2025, she received another message from Brites inviting her to yet another interview for the same position. A follow-up phone call from one of the firm’s agents confirmed the same.
However, according to Ms Manyange, the notice was short, and she informed the agency she would not be able to attend. Two weeks later, she received a call from a law firm that said it was interested in engaging her as a legal assistant and mentioned that it had received her CV from Brites.
However, that didn’t sit well with Ms Manyange.
Caused her 'inconvenience and emotional distress'
Ms Manyange says she had not authorised Brites to share her CV with that law firm. On October 9, she lodged a complaint with the data regulator, accusing the recruitment agency of causing her inconvenience and emotional distress by sharing her personal information without prior notice or consent.
In its response to the regulator, Brites defended its actions, explaining that its core business is recruitment and that it places candidates with prospective employers on behalf of its clients. The firm also submitted a candidate agreement form signed by Ms Manyange.
However, the contents of that agreement were specific to commission-sharing arrangements with a named employer.
In reviewing the matter, the Data Commissioner noted that even with the agreement in place, Brites was still required to inform Ms Manyange that her CV would be shared with the law firm.
“A data subject has the right to be informed of the use to which their personal data is to be put. In this case, the Complainant had a right to be informed that her personal data would be shared with prospective employers, prior to the actual processing. The Complainant stated that she only consented to the sharing of her personal data with one specific prospective employer,” the Commissioner observed.
The regulator went further to state that; “The Respondent did not demonstrate that the Complainant was informed that her personal data would be shared with any other entity. Based on the above, this Office finds that the sharing of the Complainant's personal data with third parties without informing her first, constitutes a direct violation of the Complainant's right to be informed of the use to which her personal data is to be put.”
The Data watchdog also faulted Brites for failing to establish a lawful basis for sharing the CV.
“The Respondent was obligated to establish a lawful basis for the processing of the Complainant's personal data, particularly the lawful basis for sharing her personal data with third parties. The Respondent did not establish any lawful basis for the sharing of the Complainant's personal data with other third parties. The automated email response that indicates that they do recruitment on behalf of prospective employers does not demonstrate a lawful basis for processing,” the Commissioner stated.
According to the Commissioner's ruling, Ms Manyange only discovered that her CV had been circulated when she received an interview invitation from a third party. She maintained that she had not consented to such sharing beyond what had been mutually agreed.
The regulator also dismissed the firm’s argument that general email notifications were sufficient to alert her to the fact that her information might be shared.
“The Respondent did not provide any evidence to demonstrate that they fulfilled this duty to notify as stipulated in Section 29 of the Data Protection Act. The purported emails to the Complainant containing links to the Respondent's website did not fulfil the aforementioned requirements,” the ruling read.
In determining the appropriate remedy, the Office considered the infringement of Ms Manyange’s right to be informed and the unlawful processing of her personal data.
“In this context, the Respondent is hereby ordered to pay Sh262,500 for the infringement of her rights and for the unlawful processing of her personal data,” the Commissioner directed.
Beyond the compensation, Brites was also ordered to formally register with the Office of the Data Protection Commissioner as a data handler.
Follow our WhatsApp channel for breaking news updates and more stories like this.
