A Commentary on the High Court’s decision in Ceres Tech Limited v Commissioner, Office of the Data Protection Commissioner (Judicial Review Application 25 of 2024) [2024]
In today’s digital world, your business can get into serious legal trouble for something as simple as not deleting a photo. Sounds dramatic? It’s not.
The recent case of Ceres Tech Limited v Commissioner, Office of the Data Protection Commissioner (Judicial Review Application 25 of 2024) [2024] offers crucial lessons every entrepreneur and employer must learn.
Let’s break it down.
The Case: One Photo, Kshs. 250,000 Fine
In April 2024, Ceres Tech Limited moved to court to stop the enforcement of a determination by the Office of the Data Protection Commissioner (ODPC). Why? Because the ODPC had fined the company Kshs. 250,000 for failing to fully comply with a request to remove the images of a former employee from its Facebook page.
Here’s what happened:
The company had taken and posted photos of its employees for a marketing campaign, with their consent.
One of those employees later left and asked for his photos to be pulled down. The company mostly complied, but one image allegedly remained online. That single photo led to a complaint, an investigation, a fine, and a court case.
But the story didn’t end there.
What Went Wrong (Legally)
1. Failure to Fully Honour the Right to Erasure
Under the Data Protection Act, individuals have the right to withdraw consent and ask that their personal data be erased. The ODPC found that the company had not fully complied with this right, and that failure, even if it was one photo, was enough to amount to a violation.
2. Wrong Legal Process
Instead of filing an appeal, the correct legal path provided by law, the company went to court with a judicial review application. The court struck the case out, saying clearly: “Where the law provides for an appeal, you must follow that path. Judicial review is not a shortcut.”
Key Lessons for Businesses
1. Consent is not forever
Just because someone gave you permission once doesn’t mean they can’t change their mind. When they do, you must act, and act fast.
2. The Right to Erasure is real, and enforceable
When someone withdraws consent, your obligation to delete their data is not optional. If even one image remains, you could face complaints, penalties, or lawsuits.
3. Know your legal options and follow them
Trying to take legal shortcuts (like judicial review) when the law provides a different process will only waste your time and money. Understand the process before going to court.
What You Should Do Right Now
1. Audit your use of employee/customer data. Do you have proper consent? Have you honoured all withdrawal requests?
2. Review your take-down procedures. How fast can your team remove data upon request?
3. Review your data policy. Does your data policy clearly outline how you go about handling withdrawal requests? Do you even have a data policy?
4. Train your team on data protection law, especially regarding the rights of data subjects and your duties as a data controller.
5. Speak to a legal expert before suing. Always check if there’s a statutory appeals process to follow.
One photo. One mistake. One big legal headache
When it comes to data protection, respect the law, respect consent, and follow the right legal channels. That’s how you protect your business and avoid getting sued.