Hello!
Welcome to Issue 003 of 2026 of the DataHub Weekly, your digest of fresh decisions from Kenya's Office of the Data Protection Commissioner (ODPC), with the compliance lessons that matter to your organisation.
This week: five new determinations, spanning fitness and wellness, private landlord-tenant relations, fintech, geospatial data infrastructure, and utilities. Four respondents were found liable. One walked away with a dismissal, despite a finding of unlawful processing.
That last result deserves attention, because the lesson from the dismissed case is not that the respondent did nothing wrong. It is that it moved fast enough, and documented it.
01 | Kassam vs. Nadiano Wonder World Fitness Center & Spa | ODPC Complaint No. 0567 of 2025 | VIOLATION | Award: No compensation; Enforcement Notice issued
02 | Kang'ethe vs. Analo | ODPC Complaint No. 0867 of 2025 | VIOLATION | Award: KES 30,000
03 | Nyaga vs. Incredo Finance | ODPC Complaint No. 0958 of 2025 | VIOLATION | Award: KES 500,000
04 | Anonymous vs. Regional Centre for Mapping of Resources for Development (RCMRD) | ODPC Complaint No. 0568 of 2025 | DISMISSED (unlawful processing found; enforcement withheld) | Award: N/A
05 | Korir vs. Thika Water and Sewerage Company | ODPC Complaint No. 0917 of 2025 | VIOLATION | Award: KES 250,000 + Enforcement Notice
Amaan Kassam vs. Nadiano Wonder World Fitness Center & Spa | Complaint No. 0567 of 2025 | Decided: 15 July 2025
What happened and what the ODPC found:
A former client of a Nairobi fitness centre began receiving unsolicited WhatsApp marketing messages in 2025, nearly nine years after his membership ended in 2016. He made repeated requests to stop. The sender ignored him. He escalated to the ODPC. The messages continued even after he informed the sender that the matter had been referred to the Commissioner.
The ODPC found violations across multiple fronts: the respondent had never informed the complainant that his data would be used for marketing; failed to honour his right to object; continued processing long after the service relationship had lapsed, in breach of the purpose limitation and storage limitation principles; and sent marketing messages without any opt-out mechanism, as required by the Data Protection (General) Regulations, 2021. The ODPC rejected the respondent's attempt to disclaim responsibility by attributing the messages to staff personal devices, finding that the commercial content of those messages, promoting the respondent's own services, kept them squarely within the respondent's accountability. An enforcement notice was issued. No compensation was ordered, though the determination does not explain why.
The compliance lesson:
Former customers do not fall out of scope when they stop paying you. Their data does not become yours to keep indefinitely, and it certainly does not become available for marketing without fresh consent. If your organisation holds contact details of past clients, whether from five months ago or five years ago, ask yourself: what is the lawful basis for retaining this data today? What is the basis for using it to communicate? If you cannot answer both questions clearly, you have a problem.
If your staff communicate with customers using personal devices or personal numbers, your organisation is still accountable for those communications when they promote your business. Do not build your compliance argument on a chain of informal outreach you were simultaneously benefiting from.