Telecommunications Kenya Ltd (ODPC Complaint 1125 of 2025)

Introduction

In today’s increasingly digital workplace, conversations that once happened behind closed doors now commonly take place over recorded calls. But what happens when those recordings are captured, or shared without proper consent? A recent decision by the Office of the Data Protection Commissioner (ODPC) sheds important light on this issue.

This article takes a closer look at the case of Andrew Alston vs Liquid Telecommunications Kenya Ltd, a dispute that underscores the strict obligations employers and organizations must follow when recording calls involving personal data.

Background: When a “Routine Call” Becomes a Data Protection Battle

Imagine being invited to a consultation call with HR to discuss your exit from employment. Emotions run high, sensitive information is shared, and in the middle of the conversation, an automated message informs you that the call is being recorded, despite no prior notification.

You object. HR assures you the recording will be deleted. But one year later, the same recording appears as evidence against you in an arbitration proceeding by a sister company abroad. You incur additional legal costs to have the evidence expunged.

This is exactly what happened to Andrew Alston, an employee of Liquid Telecommunications Kenya Ltd from 2014 to 2024. After being retrenched, he participated in an exit discussion call. The call was recorded without proper notice or consent. Although he immediately objected and requested deletion, the company retained the recording, claiming “legitimate interest” because he had threatened arbitration.

The recording was later transferred to a Mauritius-based sister company and used in arbitration proceedings, prompting Mr. Alston to file a complaint with the ODPC.

Key Issues Before the ODPC

The ODPC examined three major questions:

1. Did the company comply with its obligations under the Data Protection Act (DPA) and its regulations?
2. Were the complainant’s data protection rights violated?
3. Was the complainant entitled to any remedies?

1. Compliance with the Data Protection Act

The ODPC scrutinized three key compliance aspects: duty to notify, lawful basis, and purpose limitation.

a. Duty to Notify

The employer argued that the automated message during the call was sufficient notification. The ODPC disagreed.

Under Section 29 of the DPA, a data controller must inform the data subject:

• That their data is being collected
• The purpose of the collection
• Whether it will be shared
• The security measures in place

The complainant was never told why the call was being recorded, nor who would access it. The automated notice fell far short of the legal notification threshold.

b. Lawful Basis for Processing

Liquid Telecom claimed the call was recorded for “evidentiary purposes.” While the DPA permits processing for lawful reasons, such purposes must be communicated to the data subject.

The company failed to disclose the lawful basis to the complainant. As a result, the processing had no valid legal foundation.

2. Violation of data subject rights.

The ODPC found multiple breaches of Andrew Alston’s rights under Section 26 of the DPA, including:

• Processing without consent
• Failure to inform him of the purpose of the recording
• Denial of his right to erasure, since the recording was retained for over a year despite his deletion request

The decision made it clear: inaction on a deletion request is a direct violation of a data subject’s statutory rights.

3. Remedies awarded.

Having established that the complainant’s rights were violated, the ODPC:

• Awarded Ksh. 700,000 in compensatory damages
• Issued an enforcement notice against the respondent

This ruling reinforces the ODPC’s growing resolve to impose tangible consequences for non-compliance.

Key takeaways for employers, HR teams, and organisations

1. Data protection compliance is mandatory, not optional: – Any collection or processing of personal data, call recordings included, must strictly follow the law.
2. Consent remains the gold standard: – Unless an exception applies, data subjects must give clear, informed consent.
3. Notification must be meaningful: – Simply stating “this call is being recorded” is inadequate under the DPA. Organizations must explain the purpose, recipients, and safeguards.
4. Claims of “legitimate interests” must be communicated: – You cannot retroactively justify unlawful processing by invoking legitimate interests.
5. Deletion requests must be honoured promptly: – Ignoring such a request exposes an organization to legal and financial consequences.

Conclusion.

This case is a crucial reminder that call recordings constitute personal data. Organizations must handle them with transparency, caution, and full respect for data subject rights.

If your business records call, whether for training, internal review, or evidentiary purposes, it is time to review your data protection policies. The cost of non-compliance is now clearer than ever.