SportPesa Fined for Data Deletion Violations in Kenya
Kenya’s Office of the Data Protection Commissioner (ODPC) has fined Milestone Games Limited, operating as SportPesa, for violating a customer’s right to erasure. The ruling follows a complaint by Lee Mutunga, who alleged that the company ignored multiple requests to delete his personal data, in breach of the Data Protection Act.
Failure to Comply with Data Deletion Requests
Between April 3-25, 2024, Mutunga repeatedly requested SportPesa to delete his account. However, the company required additional personal details—including ID number, date of birth, and physical address—before processing the request. The ODPC found that these demands violated the principle of data minimization, as SportPesa only needed email verification to close accounts.
Despite the repeated requests, SportPesa did not delete Mutunga’s data until December 4, 2024—over seven months later—following ODPC’s direct intervention. The regulator determined that the company obstructed the investigation by providing misleading information and failing to cooperate during a scheduled site visit in February 2025.
Financial Penalty and Legal Consequences
As a result, SportPesa was ordered to compensate Mutunga KES 350,000 (approximately $3,500) for distress caused by the violation. While this was lower than the KES 1,000,000 he initially sought, the ODPC also recommended prosecuting SportPesa’s directors for obstructing regulatory oversight under Kenya’s Data Protection Act.
The case sets a precedent for enforcing data rights in Kenya, reinforcing the obligations of companies handling personal data. Both parties have 30 days to appeal the ruling to the High Court.
Recommended