LOLC Kenya Directors Face Prosecution Over Viral Employee Shaming
A Kenyan microfinance bank’s directors could face criminal charges after the Office of the Data Protection Commissioner discovered that they publicly named and insulted a former employee on social media before completely ignoring the regulator. Peter Macharia Waithira, a former contract employee of LOLC Kenya Microfinance Bank Limited, claimed that after formally resigning via email on July 28, 2025, the bank ran public notices on its Facebook platform claiming he was no longer with the organization and warning the public against doing business with him, all without his consent. The bank made his image public. It presented no legal justification for doing so. When the ODPC investigated, LOLC did not answer.
The Data Commissioner determined unequivocally that the Respondent posted the Complainant’s images on their Facebook platform, and that the bank unlawfully processed his personal data in violation of Sections 25 and 30(1) of the Data Protection Act of 2019, which require that personal data be processed lawfully, fairly, and only with the data subject’s consent or another specified legal basis. The bank’s failure to respond to the ODPC’s Notification of Complaint was ruled to be obstruction of the Data Commissioner, a violation of Section 61(b) of the Act.
That silence turned a data breach into a criminal case. In her ruling dated 14 April 2026, Data Commissioner Immaculate Kassait ordered LOLC to delete the former employee’s personal data from its online platforms within 14 days and recommended that the company’s directors be prosecuted for obstructing the Data Commissioner. Directors convicted under the relevant rules incur fines of up to KSh 3 million, imprisonment for up to ten years, or both. The case serves as a stark reminder that Kenya’s data enforcement regime now has teeth—and that institutional silence in the face of a regulatory inquiry is not a neutral position. It is a criminal offence.
