Authority ODPC – Kenya
Jurisdiction Kenya
Relevant law Data Protection Act, 2019: ss. 8(1)(f), 9(1)(a), 18(1), 25(a), 25(b), 25(c), 25(d), 25(e), 26, 29, 30, 33, 37, 56, 57, 58; Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021: regs. 11, 14, 16; Data Protection (General) Regulations, 2021: regs. 4(1), 13(2)(b) & (c), 14(2)(b)
Type Suo Moto Investigation
Outcome Non-Compliant (Enforcement Notice issued)
Started 24 March 2025
Decided 9 January 2026
Published Yes
Fine N/A (Enforcement Notice issued; no monetary award)
Parties ODPC (suo moto) — Capital Sacco Limited, Meru (Respondent)
Case No. ODPC/SM/0010/2025 — ODPC/CIE/CON/2/3/205
Appeal N/A
Original Source ODPC
Original Contributor MZIZI Africa

Summary

The ODPC initiated a suo moto investigation into Capital Sacco Limited, a Meru-based credit facility, following public interest concerns about its use of customer and minor images for commercial marketing without consent, and failure to notify data subjects of their rights. The ODPC found multiple violations and issued an Enforcement Notice.


Facts

On 24 March 2025, the ODPC instituted a suo moto investigation — ODPC/SM/0010/2025 — into Capital Sacco Limited, a credit financing facility in Meru that processes high volumes of personal data from loan-seeking clients. The investigation was triggered by public interest concerns about the respondent's personal data processing activities, specifically its indiscriminate classification and use of customer images — including images of minors — for promotional and marketing purposes on its website and Facebook page, without notifying data subjects, obtaining their consent, or informing them of their rights. The ODPC also noted concerns that the respondent retained personal data for undefined periods without implementing adequate safeguards. The ODPC notified the respondent of the investigation via a letter dated 24 March 2025 (Ref: ODPC/CIE/CON/2/1/(175)) and conducted a site visit on 14 October 2025.

The respondent submitted a response on 30 October 2025 (Ref: CSL/CEO/2025/65). It averred that it was duly registered as a data controller (Certificate No. 110-****-DA40). It stated that it relies on legal obligation, vital interests, and consent as lawful bases for processing, and claimed consent was sought from mature adults for use of their images and from parents/guardians for processing minors' personal data, particularly for social media platforms such as Instagram. It submitted that it complied with lawfulness, fairness, and transparency principles by informing data subjects of collection purposes and data use, and that it had implemented mechanisms — including opt-out forms, complaints forms, application forms, and requests for information statements — to enable data subject rights.

The ODPC's site visit and analysis of the evidence established that, while the respondent was registered as a data controller, it collected and processed images of adults and minors for commercial purposes by publishing them on its website and Facebook page, and produced no proof of consent for that publication. The ODPC found that the respondent failed to demonstrate compliance with the section 25 data protection principles; failed to establish that it had obtained freely given, informed, and explicit consent from the individuals concerned or, in the case of minors, from their parents or guardians, in accordance with section 32; failed to demonstrate any age verification mechanism applied before collecting and processing minors' images for commercial purposes; and failed to show how it discharged its duty to notify data subjects of their rights, the nature of the data collected, the purposes of processing, third-party disclosures, and the consequences of withholding data, in violation of sections 25(a), (b), (c), (d) and (e) and section 29 of the Act.

The ODPC further found that publishing images of data subjects on a website and Facebook page for direct marketing constituted use of personal data for commercial purposes under Regulation 14(2)(b) of the General Regulations, which requires express consent under section 37 of the Act; the respondent was unable to demonstrate such consent. The particular concern about minors was addressed under section 33 of the Act and Regulations 13(2)(b) and (c) of the General Regulations, which prohibit the profiling of children for marketing purposes and require that parents or guardians be informed of the risks of processing and the safeguards applied. An Enforcement Notice was issued under section 58 of the Act.



Holding


Comment

This determination (file ODPC/SM/0010/2025, the tenth suo moto file opened by the ODPC in 2025) confirms, alongside the earlier Alphax Academy determination, that the Commissioner is actively using own-motion powers against entities that process personal data at scale without an adequate consent framework; here the target is a financial services provider. Two aspects of the determination are particularly significant for the SACCO and microfinance sector. First, the ODPC treated the display of customer images on a website and Facebook page as direct marketing and therefore as commercial use within the meaning of Regulation 14(2)(b) of the General Regulations, extending the "commercial use" analysis beyond paid advertising to a routine social media presence; any institution publishing member photographs, testimonials or event pictures on its own channels needs documented, express consent under section 37 for each individual shown. Second, the ODPC's emphasis on the absence of age verification before collecting and processing minors' images is a direct signal to institutions that run family accounts or junior membership categories: parental or guardian consent must be documented rather than assumed, and an age check built into the collection process, not a manual afterthought, is what the Commissioner expects to see.