Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Mary Mwaura complained that her SACCO (Kenya Bankers Savings & Credit Cooperatives Society) shared her personal details with an auctioneer without her knowledge or consent, leading to harassment. The SACCO argued it was part of loan recovery since she was a guarantor. The ODPC found the disclosure unlawful and ordered the SACCO to compensate her KES 200,000 and review its data practices.

Facts

Mary Gathoni Mwaura had guaranteed a loan for someone, and when that person defaulted, she unexpectedly found herself being harassed by strangers. These strangers, she later discovered, were representatives from Muga Auctioneers. They had obtained her personal details — including her full name and phone number — and began bombarding her with calls. Alarmed, Mary reached out to the ODPC with a complaint.

According to her, she had never been informed that her personal data would be shared with a third party, let alone an auctioneering firm. She had not been given a chance to consent, and the repeated contact left her feeling psychologically distressed and humiliated. She wanted answers and accountability.

The Kenya Bankers Savings & Credit Co-operative Society, named as the first respondent, admitted to sharing her information with the auctioneers. Their justification was that Mary had guaranteed a defaulted loan and that engaging the auctioneers was part of their debt recovery process.

Muga Auctioneers, on their part, argued that they were simply doing their job and had not misused the data.

After evaluating the case, the Commissioner found that the SACCO had indeed violated Mary’s data rights. The law was clear: any sharing of personal data must follow due process — which includes providing notice to the data subject and securing consent where necessary. None of that had been done in Mary’s case. Her personal data had been disclosed without a lawful basis, and the SACCO had failed in its duty to protect her privacy.

Legal Provisions Reviewed

The ODPC reviewed the following provisions of the Data Protection Act of Kenya:

• Section 25 of the Data Protection Act: This section establishes the principles of data protection, requiring that personal data is collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Section 26(a) of the Data Protection Act: This provides the right of a data subject to be informed of the use to which their personal data is to be put.
• Article 31 of the Constitution of Kenya 2010: This article concerns the right to privacy.
• Section 8 (1) (f) of the Data Protection Act: This provision allows the Office of the Data Protection Commissioner (ODPC) to receive and investigate complaints regarding infringements of rights under the Act.