Microfinance LOLC Kenya faces Sh5 million fine for staff data breach
LOLC Kenya is accused of publishing notices on social media platforms claiming that former employee Peter Macharia "was not part of them" and warning the public against transacting with him, even though he had already served his resignation letter by email.
The directors of microfinance lender LOLC Kenya face a KSh5 million fine and potential prosecution after the firm published photos of a former employee on social media without his consent, the latest enforcement action underscoring the growing bite of the country's data privacy laws.
In an update by the Office of the Data Protection Commissioner, the lender's directors also risk criminal prosecution for ignoring the regulator's calls to resolve the breach.
According to Data Commissioner Immaculate Kassait's note dated 14 April 2026, LOLC Kenya published "highly sensitive public notices" featuring the complainant's photos on its platforms. The commissioner notes that the lender did not seek consent, thereby breaching Kenya's data protection laws.
The statement notes that the complainant, Mr Peter Macharia Waithira, says his woes started after he tendered his resignation letter by email on 28 July 2025. According to the Data Commissioner's office findings, LOLC Kenya continued to publish notices on social media platforms claiming that Peter "was not part of them," even warning the public against transacting with him on the lender's behalf.
In his complaint lodged on 15 January 2026, Peter submitted screenshots of the notices LOLC Kenya published on its Facebook account as evidence against his former employer, which he said he had served "religiously."
Kassait noted that the Constitution of Kenya guarantees the right to privacy, a protection further strengthened by the Data Protection Act, 2019. Under that Act, data controllers are required to process personal data fairly, transparently, and within the strict confines of the law.
When the office of the Data Commissioner wrote to the microlender on 16 March 2026 to help resolve the matter, the regulator's request for the lawful basis on which Peter's data was processed went unanswered.
This silence could turn very costly for the directors of LOLC Kenya, which was founded as Remu Microfinance Bank and formerly operated as Key Microfinance Bank.
Kassait explained that where the respondent fails to answer, "the Data Commissioner shall proceed to determine the complaint."
“Having found that the Respondent did not demonstrate the lawful basis for processing the Complainant’s personal data by failing to respond to the Notification, the Respondent is hereby directed to erase the Complainant’s images from their online media within 14 days hereof,” Kassait's ruling states in part, noting that failure to heed the authority's call will trigger enforcement.
According to the Data Commissioner, the lender's directors could face prosecution under Section 61(b) of the Act, which makes it an offence to fail to provide information sought by the commissioner. The directors now risk a jail term of up to two years, a fine not exceeding KSh 5 million, or both.
The Data Commissioner's finding highlights the growing caution that organisations in Kenya must exercise when handling personal data, including that of employees.
Previously, the Data Commissioner's office has imposed hefty fines on entities and ordered compensation to complainants, but the recommendation of criminal prosecution in the LOLC Kenya case marks an escalation in how far the watchdog will go to enforce data protection.
The lender has already been ordered to delete the offending posts from its social media accounts within 14 days. Although Peter sought monetary compensation, the regulator did not award any damages. Both parties have 30 days to appeal the determination to the High Court of Kenya.
Meanwhile, Eldoret-based St. Luke Orthopaedic and Trauma Hospital has been directed to pay KSh525,000 to a complainant for mishandling her sensitive personal data.
The Data Commissioner's office established that the medical facility failed to maintain the accuracy of her records and disclosed the medical records of an unrelated individual as though they were the complainant's.