The Data Protection Act, 2019 (DPA) came into effect and positioned Kenya as a regional
leader in data governance and privacy regulation. It was enacted to give effect to Article
31(c,d) of the Constitution of Kenya that provides for the right to privacy. Currently,
Digital transformation is reshaping how businesses and institutions operate and the DPA
plays an important role. It ensures that safeguards of the rights of data subjects are put in
place and responsible data handling practices are taking place.
One of the most progressive features of the DPA is the right to erasure, sometimes
referred to as the “right to be forgotten.” This right empowers individuals to request the
deletion of personal data where the continued processing of that data no longer serves a
legitimate purpose.
Understanding the Right to Erasure
Under Section 40 of the DPA, a data subject may request a data controller or processor to
erase personal data concerning them in the following circumstances:
● The data is no longer necessary in relation to the purpose for which it was collected.
● The data subject withdraws consent (where processing was based on consent).
● The data subject objects to processing and there are no overriding legitimate
grounds.
● The personal data was unlawfully obtained or processed.
● Erasure is required to comply with legal obligations.
Nevertheless, this right is not absolute and is subject to certain exemptions such as Public
interest, Legal compliance or where data must be retained for legal claims or archiving
purposes. However, organizations must demonstrate clear and lawful grounds for
refusal.
Recent Developments and Enforcement Trends
With the Office of the Data Protection Commissioner (ODPC) actively investigating
complaints and issuing penalties, companies can no longer afford to treat data erasure
requests as optional or bureaucratically delayed. In several recent determinations, the
ODPC has stressed that:
● Ignoring or delaying responses to erasure requests can be considered a violation
of data subjects’ rights.
● Controllers must have transparent mechanisms for submitting and processing
such requests.
● Refusals must be well-documented, justified, and promptly communicated to the
requester.
Failure to comply may result in fines, compliance orders, or reputational damage.
Practical Implications for Companies
If your organization collects or stores personal data, whether for HR, marketing, client
onboarding, or service delivery, you must:
- Implement clear erasure protocols – Know when and how data can be deleted
securely. - Appoint a Data Protection Officer (DPO) or responsible person to manage data
rights. - Update privacy policies to reflect how and when erasure requests can be made.
- Train staff on compliance, especially those handling customer or employee data.
- Ensure system capabilities allow for the prompt deletion or anonymization of data
when legally required.
Case of Lee Mutunga v Sportpesa
The complainant, Lee Mutunga, filed a complaint with the ODPC against Milestone Games
Limited, trading as SportPesa, for failing to delete his personal data despite repeated
requests made between April 3 and April 25, 2024. Mutunga alleged that SportPesa
demanded excessive personal information—including ID number, date of birth,
occupation, postal and physical address, as mandatory before processing his account
deletion. SportPesa claimed that only email verification was required. The ODPC’s
investigation confirmed that SportPesa’s website required unnecessary personal details for
account deletion. The company only complied after ODPC’s intervention on December 4,
2024, over seven months after the initial request. SportPesa further obstructed the
ODPC investigation by providing misleading information and being uncooperative
during a site visit on February 13, 2025.
Issues:
- Did SportPesa violate Lee Mutunga’s right to erasure under the Data Protection
Act? - Did SportPesa breach the data minimization principle?
- Did SportPesa obstruct the ODPC’s investigation in violation of Section 61 of the
Data Protection Act?
Holding:
The ODPC found that indeed SportPesa violated the complainant’s right to erasure,
including breaching the data minimization principle and causing obstruction to the
ODPC’s investigations.
Reasoning:
● The ODPC found that the company’s account deletion process required more data
than necessary, contrary to the data minimization principle. SportPesa’s claim
that only email verification was needed was found to be misleading, as the website
interface contradicted this. The company only acted after regulatory pressure,
showing a lack of compliance thus violated the complainant’s right to erasure.
Moreover, SportPesa’s behavior during the investigation—failing to cooperate and
providing false information—amounted to obstruction under Section 61 of the
Data Protection Act.
Disposition:
SportPesa was ordered to pay KES 350,000 in compensation. Prosecution of directors
under Section 61 of the DPA was recommended for obstruction of the Commissioner’s
work. Both parties were granted 30 days to appeal to the High Court of Kenya.
Legal Principles Applied:
● Right to Erasure – Data Protection Act, Kenya
● Data Minimization Principle
● Section 61 – Obstruction of ODPC Investigation
Conclusion: Respecting the Right to Be Forgotten
The right to erasure is not a mere formality, it’s a cornerstone of Kenya’s data protection
ecosystem. As awareness grows, more individuals are exercising their rights, and
enforcement by the ODPC is intensifying. Organizations that continue to undermine or
ignore erasure requests risk regulatory penalties and loss of public trust.
The message is clear: Respect privacy, honor erasure requests, and build a culture of
data accountability. Anything less is a legal and reputational risk in today’s data-conscious
world.
How We Can Help
At Prof. Tom Ojienda & Associates, we are committed to providing expert legal insights and
guidance across various practice areas. Whether you are an individual seeking legal redress
or an organization navigating complex regulatory frameworks, our experienced team is
here to support you. Our articles and insights are for informational purposes only and do
not constitute legal advice. For tailored legal solutions, please contact our team of
professionals at www.proftomojiendaandassociates.com to Stay Ahead of the Game.
