Kenya’s data protection regulator has moved to escalate action against directors of LOLC Microfinance Bank, recommending prosecution after the lender failed to respond to an official inquiry into its handling of personal data.
In a decision dated April 14, the Office of the Data Protection Commissioner (ODPC) found that the bank unlawfully processed a former employee’s personal information by publishing it in public notices without consent or a valid legal basis. The regulator has also ordered the bank to delete the data within 14 days.
The case highlights a tougher enforcement approach under Kenya’s data protection framework, where penalties are increasingly extending beyond corporate fines to potential personal liability for company executives who ignore regulatory processes.
According to the ODPC, LOLC Microfinance Bank did not respond to multiple requests seeking justification for the publication of the data, proof of consent, or details of corrective measures.
“By failing to respond to the Notification of Complaint, the Respondent obstructed the Data Commissioner in the exercise of her powers,” the regulator said.
That non-cooperation led the ODPC to recommend that the bank’s directors be prosecuted for obstruction under the Data Protection Act. If pursued, the offence carries penalties of up to KES 5 million ($38,700), a prison term of up to two years, or both.
The complaint was filed in January 2026 by a former employee who alleged that his personal data was published after he left the company, alongside a warning advising the public against transacting with him.
The regulator formally requested the bank’s response in March, but said no reply was received, leaving it unable to establish a lawful basis for the publication.
LOLC Microfinance Bank, established in 2022, operates in Kenya as part of the LOLC Group, a Colombo-listed financial services company expanding across African lending markets with a focus on underserved individuals and small businesses.
While most previous ODPC rulings have centred on fines or orders to delete data, this case signals a shift toward enforcement that also targets non-compliance with investigations themselves.
The bank has been directed to remove the disputed data within 14 days or face further action, and it retains the right to appeal the decision in the High Court within 30 days.
The outcome now depends on whether prosecutors act on the ODPC’s recommendation, a move that could set a precedent for how far personal accountability extends under Kenya’s data protection laws.
