ODPC Ruling: Proof of loss and/or damage suffered Required in Data Breach Claims

by Caxstone Kigata and Denis Mutugi | Aug 13, 2025 | Legal update | 0 comments

The ODPC has buttressed the principle of strict liability imposed on a Data Subject and the legal duty of a Data Subject to prove damage of breach for an award of compensation under the Data Protection Act: Andrew Endovo V. Standard Investment Bank (S.I.B) (Complaint No. 0697 of 2025) BACKGROUND OF THE COMPLAINTThe popular Mansa X singular email that transmogrified into a spirited ODPC Complaint has etched solid legal underpinnings in data breach complaints before ODPC. In this matter, the complainant, lodged a complaint with the Office of the Data Commissioner alleging that Standard Investment Bank (SIB) had unlawfully sent him unsolicited promotional email of the popular online trading Mansa X Special Fund without his consent and in violation of his data protection rights. He therefore sought for hefty compensation against SIB as per its previous decisions.

Upon appointing Wamae &Allen LLP to represent it in the proceedings, SIB responded as follows to the filed complaint:

    1. Pursuant to Regulation 15 of the Data Protection (Complaints Handling Procedures and Enforcement) Regulations, 2021, SIB had approached the complaint for a negotiated approach to the dispute. However, the complaint declined this adventure despite this framework provided for in the DPA.
  • The complainant had not illustrated any damage suffered, be it financial or non-financial by the single email shared with him as required under Section 65 DPA. 
  • The DPA does not impose strict liability on a Data Controller/Processors and for a Data Subject to be awarded any form of compensation, such a Data Subject has to prove the damage suffered by breach.
  1. The Data Subject has the initial burden of proving the damage suffered before the Data Controller can revert. The Complainant failed to prove any harm or damage suffered and the burden of proof could not shift to SIB.
  2. Upon being informed of the email, the Complainant’s contact details were removed from all outreach marketing and prospecting records to prevent any further unsolicited communication.
  3. A Data Subject cannot be awarded any compensation by merely claiming that there was breach of data but has to prove how he suffered from such breach. In this case, the Complainant had not proved how he suffered by receipt of a single promotional email which was erased upon receipt of the complaint.

The OPDC determination and holding

Upon considering the issues brought forth by the parties, the OPDC held inter-alia that r Section 65 of the Act requires a complainant to prove damage suffered which can be a financial loss or any form of distress as the Act does not imposes strict liability on Data Processor/Controller

The ODPC thus awarded the Complainant Kshs.50,000.00 noting that SIB had taken mitigation measures including deleting the complainant’s personal data from its database and offering an undertaking not to share further unsolicited emails to the Complainant.

CONCLUSION 

The decision has reaffirmed that compensation is not automatic as it hinges on proving actual harm or distress, however minimal by the Complainant.  A Data Subject cannot merely be awarded hefty damages by merely alleging data breach as such Data Subject has a duty to prove damage and/or harm suffered, either financial or non-financial under Section 65 of the Act before being compensated. Further where a Data Controller/Subject has mitigated the breach, the ODPC will be unlikely to award hefty damages.

This case also demonstrates that even a single unsolicited email, sent without lawful basis or adequate notice, constitutes a breach of data rights under Sections 26(a) and 26(c) of the DPA. The award of Kshs. 50,000.00 in case reflects a measured balance recognizing the breach, acknowledging the corrective action taken by SIB, and underscoring that compliance with data protection laws is not optional but essential in maintaining public trust in the digital world.

This article is provided free of charge for information purposes only; it does not constitute legal advice and should be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact Data Protection & ICT Department at WAICTLaw@wamaeallen.com

Loader Loading...
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

About the author

Caxstone Kigata
Partner at Wamae & Allen

Caxstone specializes in civil, employment and labour disputes, constitutional law, family law and succession, and environment and land matters. He has amassed a wealth of knowledge and experience in litigation which is evident in the successes obtained for clients. He is an active member of the Employment and Labour Relations Court Bar-Bench committee.

Denis Mutugi Njeru
Denis Mutugi
Associate

Denis Mutugi specializes in Commercial Litigation and Alternative Dispute Resolution.
Denis graduated with a Bachelor of Laws, LLB (Hons) from The University of Nairobi in 2021 and was admitted to the Roll of Advocates of the High Court of Kenya in the year 2023.
Denis has amassed a considerable wealth of experience in conducting legal research on various complex legal matters touching on Commercial, Insurance, Employment and Insolvency law and bankruptcy.

Share this

Submit a Comment

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and legal updates from our team.

You have successfully subscribed to Wamae & Allen Quarterly.

We collect this information for the purpose of identifying and communicating with you, responding to your requests/enquiries, and improving our services.