LOLC Microfinance Bank Directors Face Kenya Data Case

In Short

Kenya’s Office of the Data Protection Commissioner (ODPC) has recommended prosecuting directors of LOLC Microfinance Bank. The move follows a complaint about how the lender handled a former employee’s personal data.

What Happened

In an April 14 decision reported by TechCabal, the ODPC found that LOLC Microfinance Bank unlawfully processed personal data. The regulator said the bank published the former employee’s data in public notices without consent or another lawful basis.

Personal data is information that can identify someone, like a name, phone number, or ID number. Consent means the person agreed to the use, and a lawful basis means the organisation had a valid legal reason to use it.

The ODPC ordered the bank to delete the data within 14 days. The case escalated because the bank did not respond to a formal notice asking for its legal justification, proof of consent, and details of any corrective action.

The ODPC said the lack of response amounted to obstruction, meaning blocking or frustrating a regulator’s investigation. It then recommended prosecution of the bank’s directors under Kenya’s Data Protection Act.

TechCabal reported the offence can carry a fine of up to KES 5 million, a prison term of up to two years, or both.

Why It Matters

This decision signals tougher enforcement in Kenya’s data protection regime. It suggests the ODPC is willing to push beyond corrective orders and target personal liability when leadership ignores regulatory processes.

For banks, digital lenders, and fintechs handling sensitive customer and employee records, the takeaway is clear. Data compliance now includes responding quickly to regulator inquiries, documenting consent, and limiting public disclosures.

The complaint was filed in January 2026 after the former employee alleged the bank published his personal data after he resigned, warning the public not to transact.