Authority: ODPC – Kenya
Jurisdiction: Kenya
Relevant law: Data Protection Act 2019 ss. 25, 26(a), 26(c), 30(1)(b)(ii), 30(1)(b)(vii), 32, 41, 56; Companies Act 2015 ss. 92(1), 275A(1), 285BA; Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021, Reg. 14
Type: Complaint
Outcome: Dismissed — No Violation
Started: 9 May 2025
Decided: 6 August 2025
Published: Yes
Fine: N/A
Parties: Simon Muoki Muindi (Complainant) vs. Cooperative Bank (1st Respondent) & Image Registrars Limited (2nd Respondent)
Case No.: ODPC/CIE/CON/2/3(097)
Appeal: N/A
Original Source: ODPC
Original Contributor: MZIZI Africa

Summary

Simon Muoki Muindi, a shareholder of Cooperative Bank, complained that he received repeated unsolicited AGM emails from Image Registrars Limited, the Bank's virtual meeting agent, without consent. The ODPC found the Bank had a statutory obligation to notify members and Image Registrars acted under legitimate interests. Both complaints were dismissed.


Facts

The Complainant lodged a complaint on 9 May 2025 alleging that Image Registrars Limited had been sending him unsolicited emails inviting him to attend the Cooperative Bank's Annual General Meeting without his consent. He asserted that his personal data had been obtained without any prior notice, justification, or prior interaction with either respondent, and sought deletion of his data from both respondents' systems as well as monetary compensation.

The 1st Respondent (Cooperative Bank) responded on 20 June 2025. It disclosed that the Complainant was in fact a registered shareholder of the Bank holding 10 shares under Shareholder No. 102381 — a fact the Complainant had omitted from his complaint. The Bank submitted that under Section 92(1) of the Companies Act 2015, it was legally required to maintain a register of members, and under Section 275A(1) it was obligated to call an Annual General Meeting and issue notices to all entitled members. It had outsourced the management of its virtual AGMs to Image Registrars Limited on a principal-agent basis, and the Complainant, as a shareholder, was entitled to receive both the AGM notice and the related customer care alerts. The Bank further averred that it had established a customer rights management process to facilitate the exercise of data rights.

The 2nd Respondent (Image Registrars Limited) responded on 9 July 2025. It confirmed the Complainant's shareholder status and stated that the Complainant's personal particulars were submitted to it by the Bank specifically to facilitate AGM services. All email and SMS notifications sent were solely to ensure shareholders were informed about AGM proceedings; they did not constitute use of the Complainant's data for commercial purposes as defined under Section 14 of the Data Protection (General) Regulations. The 2nd Respondent also acknowledged that the repeated email notifications were caused by a technical issue on its email platform, and demonstrated that the issue had been identified and resolved.

The Complainant filed a rejoinder on 28 July 2025 maintaining that the Companies Act provides multiple permissible modes of notification — including hard copy notices, website postings, and electronic communication — and that no advance notice was given that AGM communications would be sent via email and SMS, nor that his data would be shared with a third party (Image Registrars Limited) for these purposes. He argued that the failure to transparently disclose the mode of notice and the fact of third-party involvement contravened Sections 25(c), 25(d), 26(a), and 26(c) of the Act. He further noted that despite the 1st Respondent's own admission that his data was shared with Image Registrars, no attempt was made to remedy the breach or offer an apology.

The ODPC found that the 1st Respondent's processing of the Complainant's personal data was lawfully premised on the legal obligation ground under Section 30(1)(b)(ii) of the Act — the Companies Act 2015 imposes a statutory duty to maintain a shareholder register and to call AGMs. The 2nd Respondent's processing of data received from the Bank was covered by the legitimate interests ground under Section 30(1)(b)(vii), as its role was limited to sending notifications about crucial AGM activities that served the rights of shareholders. Although the repeated emails were acknowledged as a technical issue, the ODPC accepted the 2nd Respondent's evidence that the issue was identified and mitigated. The ODPC also noted the Complainant's own omission — he initially alleged he had no relationship with the respondents, yet he was in fact a registered shareholder entitled to the very notices he complained of. The Complaint was dismissed in its entirety.



Holding