Authority ODPC – Kenya
Jurisdiction Kenya
Relevant law Section 2 (Definition of Personal Data and Personal Data Breach); Section 25 (Data Protection Principles); Section 30(1)(f) (Legitimate Interests as Lawful Basis); Section 65 (Compensation); Regulation 14, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021
Type Complaint
Outcome Violation
Started 10 June 2025
Decided 8 September 2025
Published Yes
Fine KES 50,000
Parties Glenda Achieng Onyango vs. Stawika Capital Limited
Case No. ODPC Complaint No. 0840 of 2025 (File ref: ODPC/CIE/CON/2/3(119))
Appeal N/A
Original Source ODPC
Original Contributor MZIZI Africa

Summary

A loan borrower complained that Stawika Capital Limited disclosed her personal data to unauthorised third parties, including her employer, without prior notice or lawful basis. The ODPC rejected the respondent's legitimate interest defence, found the disclosure unlawful, and ordered compensation of KES 50,000 together with an enforcement notice against the respondent.


Facts

The complainant filed her complaint on 10 June 2025. She stated that on or about 1 April 2025, she applied for a loan facility with Stawika Capital Limited. The loan agreement did not specify due dates for repayment instalments, creating ambiguity regarding the repayment schedule, though the complainant had undertaken to repay within three monthly instalments. On or around 14 May 2025, the complainant received communication from third parties not privy to the contract — communication premised on information that was only in the possession and control of the respondent. This disclosure was made without informing her or providing prior notice and without any lawful basis. As evidence, she submitted an extract of an email that was sent to unauthorised third parties on 16 May 2025. The complainant argued that the respondent's disclosure was neither necessary for the performance of the contract nor authorised under any provision of the Act and therefore constituted an unlawful and unauthorised interference with her right to privacy.

The respondent filed its response on 31 July 2025. It acknowledged that the complainant was its client, having applied for and obtained a loan facility pursuant to a Loan Agreement dated 1 April 2025. It submitted that Clause 2 of the agreement provided that the borrower acknowledged and agreed to be bound by the applicable terms and conditions, published on its website and accessible to all clients prior to loan disbursement. In response to the unauthorised disclosure allegation, the respondent contended that all communication undertaken was in the ordinary course of business and solely for purposes of verifying inconsistencies identified during an internal review of the complainant's facility application, undertaken in pursuit of legitimate business interests, in the lawful enforcement of the contract, and in compliance with its internal regulatory and operational procedures. It categorically denied disclosing the complainant's personal data to any unauthorised third parties. The respondent confirmed that the loan facility matured on 30 June 2025 and remained outstanding.

Holding

The ODPC found that the complainant's name and associated financial information, shared in connection with her default, constituted personal data as defined in Section 2 of the Act. It applied Section 25, which requires all data controllers and processors to ensure that personal data is processed lawfully, fairly, and in a transparent manner, collected for explicit and specified purposes, and processed in a manner consistent with those purposes. The ODPC rejected the respondent's legitimate interest defence. While acknowledging that debt recovery may constitute a legitimate interest, the ODPC held that the purpose must still be exercised in a manner compliant with the Act. The respondent had less intrusive alternatives available, including direct communication with the complainant. Disclosure of the complainant's personal information to her employer carried risks of reputational damage, humiliation, and potential employment consequences that were disproportionate and excessive compared to the respondent's interest. The ODPC found that the harm and risk to the complainant's rights and freedoms far outweighed any purported commercial interest of the respondent, and that legitimate interest could not, in any event, override the complainant's fundamental right to privacy. The respondent's disclosure was therefore found to be unlawful, unfair, and unauthorised under the Act.

Comment

This decision is an important contribution to the ODPC's developing jurisprudence on the legitimate interests ground under Section 30(1)(f). The ODPC's reasoning — that legitimate interest cannot override a data subject's fundamental right to privacy, and that less intrusive alternatives must be considered before disclosing personal data to an employer — closely mirrors the balancing test applied under GDPR Article 6(1)(f) in European jurisdictions. Lenders, microfinance institutions, and mobile loan providers should take note: contacting borrowers' employers or family members for debt recovery purposes is unlikely to survive scrutiny as a proportionate exercise of legitimate interest, and may attract both compensation orders and enforcement notices. The case also underlines that terms and conditions published on a website do not, by themselves, constitute adequate notice or consent for data sharing beyond the direct relationship between the parties.