Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Legal Provisions Reviewed
Type: Complaint
Outcome: Violation
Started: 24 March 2025
Decided: 20 June 2025
Published: Yes
Fine: KES 50,000
Parties: Lynda Namusonge vs. Kenya Bankers SACCO
Case No.: 456 of 2025
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa

Contents

  1. Summary
    1. Facts
    2. Holding
  2. Comment
  3. Further resources
  4. The Decision

Summary

Lynda Namusonge Maturu complained that Kenya Bankers Sacco unlawfully shared her personal and sensitive data (including medical details) with unrelated guarantors across two separate loans. The ODPC found the Sacco liable for violating the principles of purpose limitation and transparency. The Sacco was ordered to pay KES 50,000 in compensation and was issued an Enforcement Notice.

Facts

Lynda Namusonge Maturu (the Complainant) filed her complaint on 24th March 2025, asserting that Kenya Bankers Sacco (the Respondent) unlawfully processed and shared her personal data. The central issue was that her personal information, including details relating to her medical overspend and health status, was disseminated in a single email sent to all guarantors across two separate loan facilities she held. The Complainant emphasized that since each loan had distinct guarantors, her personal details were exposed to individuals with no connection to one of the loans, violating the principle that data should only be shared with those who have a legitimate need to know. She argued that the Sacco violated the data minimization and purpose limitation principles and that this unauthorized sharing caused her significant distress and discomfort, compromising her privacy and exposing her to reputational damage.

Kenya Bankers Sacco admitted that the Complainant took out an Express Loan and an Elite Loan and began defaulting in 2023. The Sacco maintained that it was contractually and fiduciarily obliged to notify the Guarantors of any defaults, asserting that this processing and sharing of data were necessary to fulfil contractual duties and protect the vital interests of the Guarantors. The Respondent also confirmed that, when communicating the issue, it referenced the Complainant’s statement about medical overspending due to a chronic illness. The Sacco argued that this sensitive information was manifestly made public by the Complainant herself and that, by signing the Loan Application Forms, the Complainant expressly consented to the sharing of her personal information under Clause 10 of its Privacy Notice. It concluded that its action was justified under the legitimate interests provision.

The ODPC reviewed the evidence and found that the Respondent failed to fulfil its obligations under the Act.

Holding

The final determination, issued on 20th June 2025, resulted in the following orders:

The Data Commissioner found Kenya Bankers Sacco liable for violating the Complainant's right to be informed (Section 26(a)) and for failing to fulfil its obligations under Sections 25, 29, and 30 of the Act.

  1. The Respondent is ordered to pay the Complainant Kenya Shillings Fifty Thousand (KES 50,000) as compensation for the infringement of her rights [47, 48, 83, ii]. The ODPC noted that the Complainant's default in her loan obligations was taken into account when assessing the compensation amount.