Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Kenya: ODPC issues fines totalling KES 9.3M on Mulla Pride, Casa Vera, and Roma School for violations of the Data Protection Act

On September 26, 2023, the Office of the Data Protection Commission (ODPC) announced, via LinkedIn, that it had issued three penalty notices totaling KES 9.3 million (approx. $63,430) against three data controllers for violating data subject rights and for non-compliance with the Data Protection Act, 2019 (the Act), after receiving complaints.

Background to the decision

In particular, the ODPC stated that the complaints against Mulla Pride Ltd, a Digital Credit Provider (DCP) that operates mobile lending apps, concerned Mulla Pride's use of the complainants' personal data including names and contact information obtained from third parties, to call the complainants and send them text messages without the complainants' consent.

The ODPC explained that the complainant in the case of Casa Vera Lounge, a restaurant, had alleged that Casa Vera had posted the complainant's image on its social media platforms without the complainant's consent.

In the third case, the ODPC noted that Roma School, an educational institution, had posted the personal data of minors, including their pictures, without first obtaining parental consent.

Findings of the ODPC

As such, the ODPC found that Mula Pride, Casa Vera Lounge, and Roma School had violated the rights of data subjects and failed to comply with the Act. The ODPC stated that data controllers should notify data subjects when collecting and processing their data, and businesses should seek consent from their customers prior to posting their customers' images online. Further, the ODPC highlighted that entities that handle minors' personal data should obtain consent from parents or guardians before processing the personal data of minors.

In light of the nature of the violations, the ODPC issued the following fines:

  • KES 2.9 million (approx. $19,621) on Mulla Pride;
  • KES 1.8 million (approx. $12,178) on Casa Vera Lounge; and
  • KES 4.5 million (approx. $30,446) on Roma School.


In conclusion, the ODPC further noted that it had conducted a compliance audit of Whitepath Company Limited, a DCP, and an inspection of Naivas Limited, a retailer, following a data breach. The ODPC stated that it would share its findings with both data controllers for their action.

You can read the announcement here.