| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Data Protection Act, 2019 — ss. 25(b), 25(f), 26(a), 26(b), 58, 65; Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 — regs. 14, 16; Constitution of Kenya — Art. 31(c) & (d) |
| Type | Complaint |
| Outcome | Violation |
| Started | 8 May 2025 |
| Decided | 5 August 2025 |
| Published | Yes |
| Fine | KES 500,000 (compensation) |
| Parties | Immaculate Ndunge Kinyungu vs. Kenya Women Microfinance Bank |
| Case No. | ODPC/CIE/CON/2/3/ (094) |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |
A serving police officer complained that Kenya Women Microfinance Bank processed her personal data without her knowledge or consent, attaching a fraudulent KES 1,368,500 loan to her payslip. The ODPC found violations of her rights to be informed and to access her data, as well as of the lawfulness and accuracy principles binding the bank as data controller, ordering KES 500,000 in compensation and issuing an Enforcement Notice.
The Complainant, a serving officer of the National Police Service, avers that in or around November 2022 she discovered unexplained deductions of KES 11,500 from her monthly salary. Upon investigation she established that a loan of KES 1,368,500 had been applied for and attached to her payslip by the Respondent without her knowledge, consent, or any prior relationship with the institution. She had never opened an account with the Respondent, never submitted a loan application, and had never participated in any step of the mandatory loan process, which — as she detailed — requires the borrower to physically attend the banking hall, submit extensive personal documentation (including a National Identity Card, KRA PIN, biometric photographs, payslip, and guarantor information), and obtain written approval from a supervising officer at her station.
Upon visiting the Respondent's offices to seek an explanation, the Complainant contends that she was refused access to the banking hall, denied any documentation showing how her personal data had been obtained or processed, and refused disclosure of the identity of the guarantors listed on the fraudulent application. She further contends that the Respondent's failure to disclose this information frustrated her attempts to identify and pursue the perpetrators of what she characterised as identity fraud, in violation of her right of access to her personal data under Section 26 of the Data Protection Act, 2019.
In its response, the Respondent admitted that its own internal investigations had confirmed the Complainant's personal data was unlawfully accessed and misused. It attributed the breach to a rogue staff member allegedly acting in collusion with a colleague of the Complainant within the National Police Service, who is suspected to have facilitated unauthorised access to her personal information and enabled the fraudulent account opening. The Respondent stated that upon detecting the breach it took corrective action: halting further processing of the loan, reversing all related transactions, refunding KES 11,500 already deducted, issuing a stop order against further payroll deductions, and closing the fraudulently opened bank account. It also initiated an internal audit to assess whether similar incidents had occurred across its branch network.
The ODPC found that the Respondent had violated Section 26(a) of the Act — the right to be informed — because the Complainant was never notified of the purpose for which her personal data was being used, either at the point of collection or at any time during processing. The post-breach remedial actions, though acknowledged as responsive, were characterised as reactive rather than preventive and did not cure the initial informational failure. The ODPC further found a breach of Section 26(b) — the right of access — because the Respondent failed to provide the Complainant with timely or meaningful information about how her data had been obtained and processed when she made inquiries, depriving her of the ability to respond effectively to the misuse and to mitigate her losses.
On the question of the Respondent's obligations as a data controller, the ODPC found violations of Section 25(b) — the principle of lawful, fair, and transparent processing — as the data was accessed and used without any lawful basis and with no transparency whatsoever. It also found a violation of Section 25(f) — the accuracy principle — because the Respondent accepted and processed a fraudulently completed account opening form without taking any steps to authenticate the applicant's identity or cross-check the documentation against official employment records. Taken together, the ODPC held that the Respondent had failed to fulfil its core data controller obligations under the Act.