The Compliance Brief
Kenya's data protection regulator has moved from advisory oversight to active sanction — fines in the millions, compensation orders, and now recommendations to prosecute company directors. Here's what the case law is actually telling businesses to fix.
The Office of the Data Protection Commissioner has entered a decisive enforcement phase. The regulator is no longer testing how compliance is drafted on paper — it is testing how it operates in practice, and the volume of determinations is accelerating fast.
Eight determinations, ranked by penalty. The pattern: marketing and image-use violations dominate, and digital lenders are taking the heaviest hits.
Expand each docket for the case, the finding, and the practice point to act on.
Event disclaimer notices arguing attendees consented by entering and posing for photos were rejected outright — disclaimers inform, they don't substitute for clear affirmative consent. Also established: the controller carries the burden of proving consent was obtained, consent must be documented (oral consent alone isn't enough), and consent for one purpose doesn't stretch to a different one.
A mother's image used commercially on the strength of her daughter's terms-and-conditions click was found unlawful. A school using a minor's image without parental consent drew a heightened award reflecting the extra protection owed to children. A florist that kept using a customer's image past the agreed three-month window learned that expired consent makes continued use unlawful, full stop.
A former customer with no working channel to object to processing or request deletion — invalid contact emails, no cooperation with regulators — was enough to establish a breach, regardless of what the privacy policy said. A separate erasure case confirmed the right isn't absolute where a contractual obligation validly persists, but obstructing the request itself compounds the violation.
Digital financial services accounted for a third of all 2024 determinations. Unsolicited promotional messages drew the two heaviest fines on this list. Separately, a lender that forwarded a borrower's payslips, bank statements, ID copy and guarantor details to third parties without consent — and then ignored the ODPC's notification — was ordered to pay compensation. The regulator was explicit: loan origination, credit scoring, debt collection and account closure each need their own identified legal basis.
Security CCTV that captured footage of a neighbouring private residence was disproportionate processing, even though security is a legitimate purpose. In finance, disclosing loan default information to a borrower's employer was repeatedly found disproportionate — debt recovery is a legitimate interest, but it doesn't justify telling people who have no need to know.
Platinum Credit's defence that unlawful marketing was sent by independent sales agents, not the company itself, was rejected entirely — a controller who engages a third party stays responsible for their compliance. The Worldcoin determination went further: failure to properly register and disclose processing entities exposes the whole organisation to criminal penalties, assessed across the entire processing chain, not just the point of collection.
A director who personally disclosed personal data without consent drew a prosecution recommendation under Section 72 of the Act. Separately, Wananchi's directors were recommended for prosecution for obstructing the Data Commissioner — denying investigators access despite a valid search warrant.
Section 33(1) requires parental consent before processing a minor's data, and the burden of proof sits with the controller. Using a minor's image for advertising was treated as commercial processing requiring express consent — general permission forms don't meet that bar.
Not a five-year plan — these are the gaps the ODPC is actually finding, in the order they tend to surface.
If you can't prove it, the ODPC treats it as never obtained. Oral consent must be recorded or confirmed in writing.
An unmonitored inbox is not a compliant access, rectification or erasure channel.
Express consent for image use specifically — and respect the expiry date you agreed to.
You're liable for agents and processors. Execute compliant DPAs and keep exercising oversight, not just at signing.
Necessity, least intrusive means, and data minimisation — before processing starts, not after a complaint.
Obstruction and delay now escalate straight to prosecution recommendations.
As Kenya moves toward Malabo Convention accession, map your flows and prepare safeguards now.
The proposed Data Protection Compliance Audit Regulations, 2024 formalise how audits get triggered — complaints, investigations, risk assessments, breach notifications, or the ODPC acting on its own initiative.
Every trend above traces back to the same test: does the mechanism actually work when a data subject or a regulator tries to use it? Policies that exist only on paper — unmonitored inboxes, disclaimer notices standing in for consent, agent relationships with no oversight — are exactly what recent determinations have punished. The cost of building this properly is real. The determinations above show what the alternative costs.
The ODPC is testing how compliance operates in practice — not how it reads in your policy document. That's the single sentence to carry into your next internal audit.
Active enforcement means the cost of getting compliance wrong is no longer theoretical — fines, compensation orders, and even recommendations to prosecute directors are now live outcomes, not remote risks.
Muchangi Patrick & Co. Advocates helps organisations run data protection audits, fix compliance gaps before the ODPC finds them, and respond if an enforcement notice or complaint has already landed. If you're unsure where your business stands, now is the time to check.
Muchangi Patrick & Co. Advocates advises fintechs, startups, corporates and institutions on data protection and data privacy compliance across Kenya — from ODPC registration and DPIAs to outsourced DPO services and cross-border data transfer advisory. If the issues raised above touch your business, we can help you get ahead of them.