Introduction
Last year, we were approached by the CEO of a fast-growing health tech startup. They had partnered with a private lab to offer discounted testing to their users. To make the process seamless, the startup shared names, phone numbers, and national ID numbers of customers with the lab, without informing users.
A few months later, complaints started pouring in. Customers were being cold-called by other medical providers and insurance agents. Some assumed the app had sold their data. Trust collapsed. Ratings dropped. And one user, a lawyer, filed a complaint with the Office of the Data Protection Commissioner (ODPC).
The startup never thought they were doing anything wrong. "We didn't sell the data. We just shared it to make service delivery easier."
But the law doesn't hinge on intentions; it turns on consent and transparency.
What We Know
The Data Protection Act, 2019 is clear:
Before you share someone's personal data with a third party, you must:
- Inform the person why and with whom their data is being shared.
- Obtain consent if the data is not being processed under another lawful basis (e.g., a legal obligation).
- Limit the use of the data to the original purpose for which it was collected.
- Ensure the third party has proper data protection measures in place.
Violating these principles can lead to enforcement action by the ODPC, including fines, orders to cease processing, and civil liability.
What We See
The mistake of sharing user data with third parties—without informing the data subjects—is disturbingly common.
We've worked with:
- A logistics company that shared drivers' personal data with insurance providers for "value-added services" without notifying them.
- A retail chain that passed on customer purchase data to a loyalty program partner, assuming it was "marketing" and exempt from consent.
- An e-learning platform that used students' emails and phone numbers to build a WhatsApp-based affiliate network—without updating its privacy policy.
The pattern is always the same: it starts as a growth strategy or operational shortcut, but it ends in reputational damage and legal consequences.
Mistakes Clients Make Before Speaking to a Lawyer
Business owners and data controllers often assume:
- "We're not selling the data, just collaborating."
- "The data is already public—so consent isn't needed."
- "As long as it's in the privacy policy, that's enough."
- "They clicked 'I agree' once, so we can share their data indefinitely."
- "The partner is also bound by confidentiality, so we're safe."
But under Kenyan law, none of these assumptions are safe unless backed by documented, informed, and purpose-specific consent or another valid legal basis.
The Emotional Toll of Getting It Wrong
We've seen founders experience panic when ODPC complaints are filed. Customer relationships fracture. Partners withdraw. Employees grow fearful about internal data practices. In some cases, internal whistleblowers report practices to the regulator—forcing the company to defend decisions made informally or without legal review.
Compliance mistakes, especially those involving customer data, quickly shift from a legal concern to an existential business risk.
Ethical Grey Zones That Don't Make It Into Textbooks
- If a customer agrees to a service, does that include agreeing to marketing from partners?
- Is it okay to share customer data with a third party performing a backend function (like delivery), if no direct consent is obtained?
- Can data be "shared" under a data processing agreement, or is that still outsourcing liability?
Legally, the line between a "data controller" and a "data processor" matters. Ethically, the line between operational efficiency and privacy violation is even harder to draw. Kenyan SMEs often skip legal reviews and privacy impact assessments because of cost or speed, and it is these shortcuts that invite regulatory scrutiny.
Systemic Problems in Data Sharing Practices
The biggest problem we see is the lack of data mapping and role clarity. Many businesses don't know:
- Who they're sharing data with.
- Why they're doing it.
- Whether the third party qualifies as a "processor" or a separate "controller."
- Whether consent was ever obtained.
There's also a pervasive belief that data protection is a "big company" issue. In fact, many of the ODPC's enforcement actions have targeted small and medium-sized businesses.
Reflective Conclusion: Your Customer's Trust is the Real Asset
Whether you're a fintech, a health tech startup, a logistics provider, or an e-commerce brand, your business is built on trust. Trust that when people give you their information, you'll use it responsibly.
Sharing data doesn't have to be illegal. But it must be done lawfully, transparently, and with respect for individual rights.
Before you share personal data with any third party, ask:
- Have we told our customers this will happen?
- Do we have a lawful basis for the sharing?
- Have we assessed the risks and documented the purpose?
- Is our partner equally compliant?
Don't wait until someone files a complaint.
The question isn't whether your business is ready for compliance.
The question is whether your customer relationships can survive the cost of non-compliance.
MEN Advocates LLP
We help companies draft data sharing agreements, conduct risk assessments, and respond to ODPC complaints. Let us help you protect what matters most—your reputation and your customers' trust.