Kenya’s LOLC Microfinance Bank directors risk prosecution in data enforcement case

Kenya’s data protection regulator has recommended prosecuting directors of LOLC Microfinance Bank after the lender failed to respond to a formal inquiry into its handling of personal data. 

In an April 14 decision seen by TechCabal, the Office of the Data Protection Commissioner (ODPC) found that the bank unlawfully processed a former employee’s personal data by publishing it in public notices without consent or a lawful basis. The regulator ordered the lender to delete the data within 14 days.

The decision signals a sharper enforcement stance in Kenya’s data protection regime. Non-compliance is no longer limited to fines or corrective orders but can extend to personal liability for company leadership when firms ignore regulatory processes.

The case escalated after LOLC Microfinance Bank failed to respond to a formal notice requesting its legal justification for publishing the data, evidence of consent and details of any corrective action. 

“By failing to respond to the Notification of Complaint, the Respondent obstructed the Data Commissioner in the exercise of her powers,” the ODPC said.

That finding led the regulator to recommend that the bank’s directors be prosecuted for obstruction under the Data Protection Act, an offence that carries a fine of up to KES 5 million ($38,700), a prison term of up to two years, or both.

A former employee filed the complaint in January 2026, alleging that the bank published his personal data after he resigned, warning the public not to transact with him.

In March, the ODPC formally requested the bank’s legal basis for publishing the data, evidence of consent and details of any corrective action. The bank did not respond, prompting the regulator to conclude that it “did not provide the lawful basis” required under the law.

Established in 2022, LOLC Kenya is one of several microfinance institutions backed by LOLC Group, a Colombo-listed financial services firm that has rapidly expanded into African lending markets in recent years, targeting underserved retail and small-business customers.

Most ODPC decisions have focused on forcing companies to stop processing data, delete records or pay fines. This case instead centres on the consequences of failing to engage with the regulator at all, raising the stakes for firms operating in Kenya’s data ecosystem.

The regulator ordered LOLC to remove the data within 14 days or face further enforcement action. The bank retains the right to appeal the decision at the High Court within 30 days.

Whether prosecutors act on the ODPC’s recommendation will test how far Kenya is willing to go in enforcing accountability under its data protection framework.