In a landmark ruling that signals an end to corporate impunity regarding data privacy, the directors of LOLC Kenya Microfinance Bank Limited are facing potential criminal prosecution.
The Office of the Data Protection Commissioner (ODPC) has issued a scathing determination following the unlawful publication of a former employee’s image on social media, marking a significant escalation in the regulator’s enforcement strategy.
The case was brought forward by Peter Macharia Waithira, a former contract employee who resigned from LOLC in July 2025. Shortly after his departure, the bank published public notices across its social media platforms featuring Waithira’s image, warning the public against transacting with him.
The ODPC found that the bank had no lawful basis for this public shaming. The determination emphasized that:
- While companies have a right to protect their business, it does not grant a blank check to ignore the privacy rights of individuals.
- Much like the Zuku case, where the provider was found liable for ignoring a customer’s request to delete data, this ruling reinforces that personal data cannot be weaponized against individuals post-contract.
What distinguishes this ruling is the focus on stonewalling. The ODPC noted that the trend of corporate entities ignoring regulatory inquiries or obstructing investigators is no longer being met with simple administrative fines.
In the Zuku case, the provider’s refusal to cooperate led the ODPC to move beyond civil penalties, recommending criminal charges against the directors. By invoking similar language in the LOLC determination, the Data Commissioner is sending a clear message: The corporate veil will not protect directors who oversee or sanction the unlawful processing of personal data.
Under the Data Protection Act, the shift toward criminal referrals marks a hardening stance by the regulator. Legal experts suggest that this case will serve as a warning to microfinance institutions and the broader corporate sector in Kenya.
LOLC Kenya Microfinance Bank Limited was established in Kenya with the acquisition of a majority stake in Key Microfinance Bank Limited in 2022 by LOLC Holdings PLC. LOLC Holdings PLC is a Sri Lankan conglomerate listed on the Colombo Stock Exchange.
Key takeaways for Kenyan Companies
- Public notices featuring former employees must meet strict legal criteria; retaliatory notices are likely unlawful.
- Silence is no longer a viable legal strategy. Failure to engage with the ODPC can trigger criminal investigations into individual directors.
- A person’s likeness is protected personal data, and its use for blacklisting constitutes a high-risk breach of the Act.
Find the ODPC determination against LOLC Kenya Microfinance Bank Limited HERE.