| Authority: | ODPC |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal provisions reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 27 June 2025 |
| Decided: | 25 September 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Bosco Otieno vs. Betika Kenya |
| Case No.: | No. 0986 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Bosco Otieno complained that Betika Kenya unlawfully restricted his right to account deletion by demanding his national ID and three months’ M-Pesa statements. The ODPC found the financial statement requirement excessive and a violation of data minimisation principles. Consequently, Betika was ordered to pay KES 250,000 compensation.
The Complainant, Bosco Otieno, alleged that on 26th June 2025, he initiated a request via email for the permanent deletion of his betting account. He asserted that the Respondent, Betika Kenya, unlawfully restricted this right by conditioning the deletion on him providing a copy of his national identity card and three months’ worth of M-Pesa statements. The Complainant argued that these demands were unnecessary and intrusive, especially as such information was not required during his initial account registration. He contended that the request violated the principles of data minimisation and purpose limitation, serving as an obstruction to his statutory right to erasure and creating a risk of personal data misuse.
Betika Kenya acknowledged the deletion request but maintained that the requested documents were necessary to comply with regulatory obligations under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), 2009. The Respondent argued that account closure constitutes a "transaction" requiring customer due diligence, including the verification of identity and the source of funds, to mitigate risks associated with money laundering and impersonation. Furthermore, the Respondent claimed that its privacy policy and terms and conditions—which the Complainant accepted upon registration—clearly provided for the submission of these documents during account closure.
The Office of the Data Protection Commissioner (ODPC) evaluated whether the Respondent's demands satisfied the principles of lawful processing under the Act. While the ODPC found that requesting a national ID was a reasonable and proportionate measure for identity verification, it determined that the "blanket demand" for three months’ of financial statements was excessive and inconsistent with data minimisation. The Commissioner noted that financial statements contain wide-ranging personal information unrelated to the narrow purpose of account deletion.
The investigation confirmed the Complainant's account had been active for six years without being flagged for suspicious activity; therefore, the Respondent failed to demonstrate a "risk-based" necessity for such intrusive financial data. Consequently, the ODPC found that the Respondent had unlawfully obstructed the Complainant’s right to erasure by imposing hurdles unrelated to the deletion request, thereby violating Sections 25, 26, and 40 of the Act.
In the final determination dated 25th September 2025, the Data Commissioner ruled as follows: