⚖ The Advocate
Privacy & Data Rights

Employer Shares Your Personal Information Without Consent

An employer or organisation discloses your personal data to third parties without your knowledge or permission

Premium intermediate 8 minutes
The Situation

What They Said

“We shared your contact details and salary information with our business partners — it is standard practice.”
Your employer, a financial institution, a healthcare provider, or another organisation shared your personal information — your ID number, salary details, address, health records, or mobile number — with third parties without asking your permission. This may have led to unwanted marketing calls, adverse credit decisions, or other harm. Many Kenyans are unaware that the Data Protection Act 2019 fundamentally changed the legal landscape, giving individuals strong rights over their personal information.
The Fallacy

Commercial Relationship Permits Unlimited Data Sharing

The organisation treats having your data — because you are an employee, customer, or patient — as authorising them to use and share it in any way they choose for business purposes. The Data Protection Act establishes a completely different framework: your data may only be collected for a specific, lawful purpose, and may only be shared with third parties if you have given explicit consent, or if one of the narrow lawful bases for processing applies. 'Standard practice' or 'business purposes' are not lawful bases for sharing without consent.

What the Law Says

Your Legal Foundation

Data Protection Act, 2019 (No. 24 of 2019)
Section 25 — Principles of Data Processing — Lawful Basis Required
“Personal data shall be processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; and not processed without a lawful basis. The lawful bases for processing include: consent of the data subject; performance of a contract; legal obligation; vital interests; public interest; and legitimate interests that are not overridden by the data subject's rights.”
Sharing your salary information with business partners for general commercial purposes does not meet any of these lawful bases without your explicit consent. The employer cannot rely on 'legitimate interests' for sensitive data like salary and identity information shared with unconnected third parties.
Data Protection Act, 2019 (No. 24 of 2019)
Section 26 — Rights of Data Subject
“A data subject has the right to be informed of the use of their personal data; to access their personal data; to object to the processing of their personal data; to have incorrect personal data corrected; and to have personal data deleted in specified circumstances.”
You have the right to demand a full account of what personal data is held about you, who it has been shared with, and on what legal basis. You also have the right to object to processing and to request deletion of data that was unlawfully shared.
Data Protection Act, 2019 (No. 24 of 2019)
Section 56 and 58 — Complaint to the Office of the Data Protection Commissioner
“A data subject who alleges a contravention of this Act may lodge a complaint with the Data Protection Commissioner. The Commissioner may investigate, mediate, issue enforcement notices, and impose fines of up to five million Kenya shillings or one percent of annual gross turnover.”
The Office of the Data Protection Commissioner (ODPC) is the enforcement body. You can file a complaint online at the ODPC portal. Fines are significant — up to KES 5 million — which gives the ODPC real leverage with non-compliant organisations. The ODPC can also order deletion of unlawfully shared data.
What Scripture Says

God's Word on This

Proverbs 25:9 (NIV)
“If you take your neighbor to court, do not betray another man's confidence.”
Scripture recognises that information shared in one context of trust — between employer and employee, between patient and doctor — carries a commitment of confidentiality. Sharing it beyond that context without permission is a betrayal of confidence. The Data Protection Act codifies this ancient principle in the digital age: information given in one relationship of trust may not be carried beyond it without proper authority.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next

Common Counter-Arguments

After you respond, they may push back with these arguments. Members get the full rebuttal for each.

They might say: “You signed an employment contract that includes a consent clause for data sharing.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “The Data Protection Act only came into force recently — older data practices are exempt.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.
Try Free — Identity & Dignity
No credit card · Upgrade anytime for all 17 domains
Think you know your rights? 5 real SA law scenarios — find out where you’re at risk.
Take the Quiz →