Commentary on Carolyne Alaka Mage v CIC General Motor Insurance and Another 

Introduction 

In today’s digital age, data protection laws have become critical to safeguarding individuals’ personal information. The enactment of the Data Protection Act in Kenya has strengthened the rights of data subjects, not only in consenting to terms and conditions but also in having a say on how their data is used and being informed of any changes in its processing. 

Background of the Case 

In this case, CIC Insurance Company was ordered to pay Kshs. 250,000 in damages by the Office of the Data Commissioner for violating a data subject’s rights. The complainant had submitted her logbook, containing personal data, to lay a claim with CIC Insurance after her vehicle was written off in an accident. However, the insurance company shared her information with a third party without informing her or obtaining her consent. 

Key Takeaways from the Decision 

• Informed consent: A data subject must be informed, and consent must be obtained before their information is shared with third parties. 

• Obligation to disclose: Data controllers are required to inform data subjects in advance if their data will be shared with third parties, including the purpose for such sharing. 

• Burden of proof: The responsibility to prove that consent was obtained from a data subject rests with the data controller before collecting or processing any personal data. 

Conclusion 

This decision highlights the critical role of data protection laws in upholding the rights of data subjects. It serves as a clear reminder to data controllers and processors to respect these rights throughout the data lifecycle—during collection, processing, storage, and disposal. Compliance with data protection laws is not optional but a legal obligation, ensuring that data is only used for its intended purpose and in line with the consent provided by the data subject.