NAIROBI, Kenya — Kenya’s data protection regulator has recommended the prosecution of directors of LOLC Kenya Microfinance Bank Limited after finding the institution unlawfully processed a former employee’s personal data and failed to cooperate with an official investigation.
In a determination dated April 14, 2026, the Office of the Data Protection Commissioner (ODPC) ruled that the microfinance bank violated provisions of the Data Protection Act, 2019, by publishing the complainant’s personal data in public notices on its social media platforms without consent.
The decision, signed by Data Commissioner Immaculate Kassait, found that the bank failed to demonstrate any lawful basis for processing the data, as required under Sections 25 and 30 of the Act.
The complainant, a former employee, had argued that the posts—published after his resignation—warned the public against transacting with him and included his personal details.
“The Respondent did not provide the lawful basis he relied upon in processing the Complainant’s personal data,” the ODPC noted, concluding that the processing was unlawful.
The regulator further directed the bank to delete the complainant’s personal data from its online platforms within 14 days, warning that failure to comply would trigger an enforcement notice under Section 58 of the Act.
Beyond the privacy breach, the case escalated due to the bank’s non-response to a formal notification of complaint issued by the ODPC.
The regulator had requested a detailed explanation, including evidence of consent, the purpose of the publication, and mitigation measures. The bank did not respond.
This failure, the ODPC ruled, amounted to obstruction of the Data Commissioner in the exercise of her statutory powers under Section 9 of the Act. Under Section 61(b), such obstruction constitutes a criminal offence punishable by a fine of up to Sh5 million, imprisonment of up to two years, or both.
“By failing to respond to the Notification of Complaint, the Respondent obstructed the Data Commissioner,” the determination stated.
As a result, the ODPC formally recommended prosecution of the bank’s directors, marking one of the more assertive enforcement actions under Kenya’s data protection regime.
The ruling reinforces Article 31 of the Constitution, which guarantees the right to privacy, including protection against the unnecessary revelation of personal information.
It also underscores the growing willingness of regulators to hold corporate actors—and their leadership—personally accountable for data governance failures.
Legal analysts say the decision signals a shift toward stricter enforcement of data protection laws in Kenya, particularly in cases involving digital platforms and reputational harm.
The complainant had also sought compensation and deletion of the posts, though the ODPC’s ruling primarily focused on corrective action and enforcement measures.
Both parties retain the right to appeal the decision at the High Court within 30 days.
The case adds to a growing body of enforcement actions shaping Kenya’s data protection landscape, as institutions face increasing scrutiny over how they collect, process, and publish personal data in the digital age.
