DTB Kenya and Uganda Ordered to Pay KSh 500,000 for Breaching Kenyan Customer’s Data Rights
In a landmark ruling, the Office of the Data Protection Commissioner (ODPC) has ordered Diamond Trust Bank (DTB) Kenya Limited and its Ugandan subsidiary to jointly pay a Kenyan customer KSh 500,000 in compensation after finding the banks in breach of the Data Protection Act.
The determination, issued last week, stems from a complaint filed by a Kenyan woman who was denied access to her own bank statements by DTB Kenya while simultaneously receiving unsolicited financial information belonging to a third party – information that DTB Kenya claimed had been sent in error by DTB Uganda.
According to the ODPC findings, DTB Kenya maintained an active account for the complainant yet repeatedly refused to provide her with statements and transaction records. Worse, the bank placed her number on its internal “Do Not Contact” list, effectively cutting her off from SMS notifications and alerts from May 2025.
In a bizarre twist, the complainant began receiving account statements and sensitive financial details of another customer, a revelation that left her questioning the bank’s data handling processes. DTB Kenya’s defence? The third-party statements were mistakenly dispatched by DTB Uganda.
The complainant told investigators she had never set foot in Uganda, never opened an account there, and had no relationship whatsoever with the sister bank. The incident, she said, shattered her confidence in DTB Kenya’s systems and controls. Despite raising the issue as early as 2022, the problem persisted unresolved for three years.
“Imagine trying to run your life and business while being locked out of your own money records, then getting someone else’s private banking details instead,” the complainant said in her submission. “It caused me serious financial distress and embarrassment.”
The ODPC faulted DTB Kenya for unlawfully processing the complainant’s personal data, failing to facilitate her right of access, and breaching the principles of data accuracy and security. DTB Uganda was separately cited for the unlawful disclosure of another customer’s data to an unauthorised person.
In its ruling, the Commissioner ordered both entities, though legally separate, to pay the KSh 500,000 compensation, highlighting the shared responsibility under the wider DTB Group.
Notably, the investigation required cross-border collaboration between Kenya’s ODPC and Uganda’s Personal Data Protection Office (PDPO), marking one of the clearest demonstrations yet of regional enforcement cooperation in East Africa.
Data Protection Commissioner Immaculate Kassait emphasised the significance of the case: “Kenyans’ personal data must be protected wherever it is processed in the region. This ruling sends a strong message to financial institutions operating across borders that they cannot hide behind separate legal entities when rights are violated.”
The ODPC has given the two banks 14 days to comply with the compensation order and rectify the breaches, including restoring the complainant’s full access and removing her from any internal block lists. Neither DTB Kenya nor DTB Uganda had issued a public statement on the ruling at the time of going to press. The case is likely to be closely watched by other cross-border institutions as regulators across the region tighten the net on data protection compliance.
