
Email Spam Costing Banks Ksh 450,000+ Per Customer Complaint

November 6, 2025 • Ian Makambu

The Office of the Data Protection Commissioner (ODPC) has established clear precedents through two landmark cases that email spam violations can trigger direct compensation liability alongside potential fines of up to KSh 5 million.

The determinations reveal systemic vulnerabilities in banking-sector data governance. The main issues that arise include:

  1. Inadequate email verification during customer onboarding,
  2. Failure to respond to customer complaints within set legal timeframes,
  3. Misunderstanding data subject rights, and
  4. Insufficient controls over email marketing systems.

In this article, we discuss the two cases, Kevin Kiprotich Rono v SBM Bank Kenya and Jackson Irungu v Family Bank Limited, and explain why compliance with the DPA's email communication requirements is not discretionary.

Kevin Kiprotich Rono v SBM Bank Kenya

Imagine you start receiving emails from a bank with which you have no account relationship. The emails continue for over ten consecutive months, at the rate of one every day. Their contents range from PIN/password alerts and login alerts to account statements and confirmation alerts. This was the predicament Rono found himself in.

Rono made numerous attempts to have the matter remedied, including phone calls, written emails, and multiple resolution tickets. After ten months without any action from the Bank, he filed a formal complaint with the Office of the Data Protection Commissioner on March 4, 2024.

Bank's Discrepancy

The Data Commissioner found SBM liable for multiple violations of Rono's data protection rights. Primarily:

  • The Bank unlawfully processed personal data: there was neither consent from the data subject nor any other valid lawful basis.
  • SBM did not honour the right to object to processing, despite Rono's numerous attempts to have the Bank cease contacting him.
  • The Bank failed to rectify or erase the data within the legal timeframe: the DPA requires data controllers to rectify inaccurate data within 14 days.

Ksh 450,000 Slap

As a result, the Commissioner awarded Kevin Kiprotich Rono Ksh 450,000. This case and the award serve as a lesson to businesses. It establishes that non-responsiveness to customer complaints and delays in dealing with customer requests on their rights can independently trigger compensation liability.

Jackson Irungu v Family Bank Limited

As in Kevin Rono's case above, Family Bank Limited sent Jackson Irungu numerous unsolicited emails containing account statements purportedly for a bank account, even though Irungu did not hold any account with Family Bank.

Acting in good faith, Irungu made efforts to resolve the issue, including visiting the Bank's branch in Nyeri and sending several email complaints. You would expect this to have prompted the Bank to take corrective action.

Just as it was in the case of SBM, Family Bank claimed that it had erroneously captured the email address of the customer during onboarding.

Erroneous Capture of Personal Data Not a Defence

The Commissioner found Family Bank liable for violating Irungu's right to rectification and right to object to unlawful processing.

The Bank had erroneously processed his data without consent. Further, requests to have the information rectified went unanswered, and the Bank's failure to respond to Irungu's complaints was another violation.

"while the error was made during data capture, the bank's obligation to correct the error began the moment the bank became aware of the inaccuracy—either through complaint or through system failures (bounces, failed deliveries). Delays beyond 14 days compound the violation and demonstrate insufficient data governance."
The Commissioner

Ksh 250,000 Compensation Award

Owing to these violations, the Commissioner awarded Ksh 250,000 compensation to Jackson Irungu. The basis of this compensation was:

  • Violation of the right to rectification under Section 26(d) of the DPA,
  • Unlawful processing of personal data,
  • Distress caused by unsolicited financial account communications,
  • Institutional non-responsiveness to consumer complaints.

Systemic Failures in Banking Email Governance

The above cases reveal serious systemic failures in the banks' email governance.

  1. Data quality failure at collection: both cases involved erroneous capture of an email address during customer onboarding. This suggests the banks lack adequate email verification procedures, such as SMTP validation, verification emails, and double entry.
  2. System design failure: email systems must include verification steps before any communication is sent. These include confirming consent, checking opt-out status, and confirming that the recipient is an actual customer.
  3. Complaint handling failure: both banks ignored customer complaints for extended periods until forced to act by the ODPC's intervention. This suggests the banks lack effective complaint-handling procedures. Our recommendation is not only to correct the data but also to systematise complaint responsiveness.
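The pre-send checks and the 14-day rectification clock described in points 1 to 3 can be expressed as a simple gate in front of an email-sending system. The following is an added illustration, not code from the banks, the ODPC or South-End Tech; the `Contact` record and all sample values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

@dataclass
class Contact:
    email: str
    is_customer: bool                  # an active account relationship exists
    email_verified: bool               # address confirmed via a verification email at onboarding
    marketing_consent: bool = False    # explicit consent for marketing messages
    opted_out: bool = False            # data subject has objected to processing
    complaint_received: Optional[date] = None  # first complaint, bounce or rectification request
    rectified: Optional[date] = None           # date the record was corrected or erased

RECTIFICATION_SLA = timedelta(days=14)  # DPA timeframe cited on this page

def may_send(c: Contact, kind: str) -> Tuple[bool, str]:
    """Pre-send gate: every check must pass before any email leaves the system.
    kind is 'transactional' (alerts, statements) or 'marketing'."""
    if not c.email_verified:
        return False, "address never verified at onboarding"
    if c.complaint_received is not None and c.rectified is None:
        return False, "open complaint or rectification request: suppressed"
    if c.opted_out:
        return False, "data subject objected to processing"
    if not c.is_customer:
        return False, "no account relationship with the recipient"
    if kind == "marketing" and not c.marketing_consent:
        return False, "no marketing consent on record"
    return True, "ok"

def record_complaint(c: Contact, when: date) -> Contact:
    """A bounce, failed delivery or complaint starts the 14-day clock (if not already running)."""
    if c.complaint_received is None:
        c.complaint_received = when
    return c

def days_overdue(c: Contact, today: date) -> int:
    """Days past the 14-day rectification deadline: 0 if on time, closed in time, or never raised."""
    if c.complaint_received is None:
        return 0
    closed = c.rectified or today
    overdue = closed - (c.complaint_received + RECTIFICATION_SLA)
    return max(0, overdue.days)
```

A report of contacts with `days_overdue(...) > 0` is the escalation list a compliance team would want to review daily.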

Systematising Your Data Handling for Smarter, Safer Operations

At South-End Tech Ltd, we understand that the true cost of spam email violations extends far beyond the compensation award. Through our Data Governance Framework offering, we provide strategic options your business can explore to avoid such incidents. The framework covers:

  • Data Quality Framework
  • Consent Management Systems
  • Complaint Handling and Escalation
  • Technical Email Controls, and
  • Compliance Documentation

Reach out to info@southendtech.co.ke and/or dataprotection@southendtech.co.ke for guidance on how to achieve strategic, smart, and safer email communications.
