← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Compliance Brief

Vol. 03 — Issue 29
Nairobi Edition
Regulation, technology & the business of Kenya
ODPC Determinations, 2023–2026

The grace period is over

Kenya's data protection regulator has moved from advisory oversight to active sanction — fines in the millions, compensation orders, and now recommendations to prosecute company directors. Here's what the case law is actually telling businesses to fix.

Analysis 8 min read Enforcement & Case Law
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published April 2026
Download PDF

The Office of the Data Protection Commissioner has entered a decisive enforcement phase. The regulator is no longer testing how compliance is drafted on paper — it is testing how it operates in practice, and the volume of determinations is accelerating fast.

9,000+Complaints handled
184Compensation orders issued
96Determinations in 2025 — nearly double 2024

§1 What recent fines actually looked like

Eight determinations, ranked by penalty. The pattern: marketing and image-use violations dominate, and digital lenders are taking the heaviest hits.

Mulla Pride (Ke Credit)
2.9M
Ceres Tech
2.6M
Mast Jägermeister SE
1.5M
Grain Industries Ltd
1.0M
Nova Pioneer Kenya
950K
Michael's Bouquet
500K
Platinum Credit Ltd
250K
Undisclosed lender
200K
Figures in KES · compensation and penalty amounts as reported in ODPC determinations, 2024–2025

§2 Eight enforcement trends, in the cases themselves

Expand each docket for the case, the finding, and the practice point to act on.

01
Implied consent doesn't count anymore
Chizzy Taabu Orwa & 2 Others v Mast Jägermeister SE
KES 1.5M

Event disclaimer notices arguing attendees consented by entering and posing for photos were rejected outright — disclaimers inform, they don't substitute for clear affirmative consent. Also established: the controller carries the burden of proving consent was obtained, consent must be documented (oral consent alone isn't enough), and consent for one purpose doesn't stretch to a different one.

Practice pointIf you can't produce a record showing how and when consent was given, the ODPC treats it as never having been obtained.
02
Image and likeness is now its own enforcement category
Grain Industries v Mbuvu · Fatuma Hadi Ali v Nova Pioneer · Michael's Bouquet
KES 500K–1M

A mother's image used commercially on the strength of her daughter's terms-and-conditions click was found unlawful. A school using a minor's image without parental consent drew a heightened award reflecting the extra protection owed to children. A florist that kept using a customer's image past the agreed three-month window learned that expired consent makes continued use unlawful, full stop.

Practice pointGet specific, express consent for image use, document it, and track expiry dates like a contract renewal.
03
Rights on paper aren't rights in practice
Wananchi Group (Zuku Fibre) · YA v Wananchi Group Kenya Ltd
Enforcement notice

A former customer with no working channel to object to processing or request deletion — invalid contact emails, no cooperation with regulators — was enough to establish a breach, regardless of what the privacy policy said. A separate erasure case confirmed the right isn't absolute where a contractual obligation validly persists, but obstructing the request itself compounds the violation.

Practice pointA dedicated privacy inbox that nobody monitors is not a compliant access/erasure channel.
04
Digital lenders are the biggest single target
Ceres Tech · Mulla Pride (Ke Credit) · EM v Rosky Credit · Complaint 1966 of 2024
KES 200K–2.9M

Digital financial services accounted for a third of all 2024 determinations. Unsolicited promotional messages drew the two heaviest fines on this list. Separately, a lender that forwarded a borrower's payslips, bank statements, ID copy and guarantor details to third parties without consent — and then ignored the ODPC's notification — was ordered to pay compensation. The regulator was explicit: loan origination, credit scoring, debt collection and account closure each need their own identified legal basis.

Practice pointAudit every stage of the credit lifecycle separately — "we have consent to lend" doesn't cover "we can share your payslip with a third party."
05
Legitimate purpose still has to be proportionate
Nderitu & Mureithi v Karungo & Waweru · Various finance-sector determinations
Disproportionate processing

Security CCTV that captured footage of a neighbouring private residence was disproportionate processing, even though security is a legitimate purpose. In finance, disclosing loan default information to a borrower's employer was repeatedly found disproportionate — debt recovery is a legitimate interest, but it doesn't justify telling people who have no need to know.

Practice pointBefore processing, ask: is this necessary, is it the least intrusive option, and have we collected only what's adequate?
06
You own your agents' mistakes
Waweru & Bolo v Platinum Credit · ODPC v Tools for Humanity (Worldcoin)
KES 250K + criminal exposure

Platinum Credit's defence that unlawful marketing was sent by independent sales agents, not the company itself, was rejected entirely — a controller who engages a third party stays responsible for their compliance. The Worldcoin determination went further: failure to properly register and disclose processing entities exposes the whole organisation to criminal penalties, assessed across the entire processing chain, not just the point of collection.

Practice pointCompliant Data Processing Agreements plus ongoing oversight — not just a signature at onboarding.
07
Directors are now personally exposed
Eric Munene Njuguna v Chapeo Capital (ZK Pesa) · Wananchi Group
Prosecution recommended

A director who personally disclosed personal data without consent drew a prosecution recommendation under Section 72 of the Act. Separately, Wananchi's directors were recommended for prosecution for obstructing the Data Commissioner — denying investigators access despite a valid search warrant.

Practice pointData protection is now a board-level accountability issue. Obstruction and incomplete disclosure escalate penalties, they don't avoid them.
08
Children's data gets the strictest reading
Fatuma Hadi Ali v Nova Pioneer Kenya Limited
KES 950K

Section 33(1) requires parental consent before processing a minor's data, and the burden of proof sits with the controller. Using a minor's image for advertising was treated as commercial processing requiring express consent — general permission forms don't meet that bar.

Practice pointAuditable parental consent, clear privacy notices, and a best-interests-of-the-child test before any minor's data is used commercially.
"Where a controller cannot prove consent, they are deemed not to have obtained it at all." — the ODPC's standing position across recent determinations.

§3 Seven fixes to make now

Not a five-year plan — these are the gaps the ODPC is actually finding, in the order they tend to surface.

§4 The audit regime taking shape

The proposed Data Protection Compliance Audit Regulations, 2024 formalise how audits get triggered — complaints, investigations, risk assessments, breach notifications, or the ODPC acting on its own initiative.

Maintain Records of Processing Activities (ROPA)
Review privacy and security controls
Test incident response capabilities
Deploy efficient DSAR processes
Review third-party agreements
Document lawful bases for processing

§5 The bottom line

Every trend above traces back to the same test: does the mechanism actually work when a data subject or a regulator tries to use it? Policies that exist only on paper — unmonitored inboxes, disclaimer notices standing in for consent, agent relationships with no oversight — are exactly what recent determinations have punished. The cost of building this properly is real. The determinations above show what the alternative costs.

Key takeaway

The ODPC is testing how compliance operates in practice — not how it reads in your policy document. That's the single sentence to carry into your next internal audit.

How this touches your data protection exposure

Active enforcement means the cost of getting compliance wrong is no longer theoretical — fines, compensation orders, and even recommendations to prosecute directors are now live outcomes, not remote risks.

Muchangi Patrick & Co. Advocates helps organisations run data protection audits, fix compliance gaps before the ODPC finds them, and respond if an enforcement notice or complaint has already landed. If you're unsure where your business stands, now is the time to check.

Talk to us

Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.

Book a Consultation → Chat on WhatsApp