Consent capture
KDPA s.30 requires a lawful basis for every processing activity. The Suite implements explicit consent as the default basis — captured the moment a member's data first enters the system, versioned against the active privacy notice, and reproducible on demand.

What the system stores
Three columns on res.partner + a related mfi.consent.log table.
| Field | Type | Set when | Editable |
|---|---|---|---|
| consent_at | datetime | On consent tick (member create or re-consent screen) | No |
| consent_version | char | Hardcoded version of the active privacy notice at consent_at | No |
| consent_marketing | boolean | Separate toggle for marketing opt-in | Yes via iBANK or branch |
| consent_channel | char | branch / ibank / ussd / whatsapp / agent | No |
| consent_witness_uid | many2one | User who captured (operator side) | No |
| consent_geo | char | Branch code or geolocation for proof | No |
Channels that capture consent
- Branch counter — operator ticks the consent box on the New Member form; cannot save without it
- iBANK signup — member ticks a checkbox underneath a full-text privacy notice; signature image stored
- USSD — *XYZ# session prompts 'Reply Y to accept'; reply stored as proof
- WhatsApp — bot sends the notice URL + waits for explicit 'I AGREE' message
- Agent app — fingerprint capture supplemented by photographed paper consent form
Privacy notice versioning
When the privacy notice changes materially (new processor, new processing purpose, new retention period), mfi.privacy.notice.version increments. Every new member-facing session checks the member's consent_version against the current version; mismatched members hit a re-consent gate before they can continue.
Warning — Marketing consent is independently revocable from service consent. Withdrawing service consent on an active loan is impossible — the system explains the regulatory reason and offers to close the loan early instead.
How a member withdraws consent
- Member logs into iBANK → Profile → Privacy
- Toggles 'Marketing communications' off → instant; suppression list updates within 24h
- Clicks 'Request data deletion' → opens an erasure request handled by the DPO (see Right to erasure)
- Clicks 'Withdraw all consent' → opens a closure ticket; cannot complete until loans cleared
Worked scenarios
Scenario — Mary onboards at the branch counter
| Character | Role |
|---|---|
| Mary Mutua | New member |
| Peter Otieno | Branch loan officer capturing the application |
Timeline
- 10:15: Peter opens MFI → Members → New, fills Mary's name, ID, DOB, phone, address.
- 10:18: He scrolls to Privacy section, reads the one-page summary aloud (KDPA rights, marketing toggle separate, retention 7 years). (mfi.privacy.notice.version = v3.2)
- 10:19: Mary ticks 'I have read and consent'. Peter ticks the witness box. (consent_at = now, consent_version = v3.2, consent_channel = branch, consent_witness_uid = Peter)
- 10:19: Mary declines marketing — leaves marketing checkbox blank. (consent_marketing = False)
- 10:20: Peter clicks Save. Member record created; auto-generated welcome SMS does NOT mention promotions (marketing opt-in respected).
Outcome — Mary onboarded with documented service consent only. ODPC inspection trail complete.
Reference
Privacy notice version history (example tenant)
| Version | Effective | Material change |
|---|---|---|
| v1.0 | 2022-01-15 | Initial publication |
| v2.0 | 2023-03-01 | Added M-Pesa C2B processor |
| v3.0 | 2024-06-01 | Added cyber-incident notification disclosure |
| v3.2 | 2025-11-04 | Added CRB Africa as a credit bureau |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Cannot save member; 'Consent is required' | Privacy section consent box not ticked | Show the member the notice, get consent, tick. If member refuses, do NOT save — explain that service requires consent under KDPA. |
| Member complains they're receiving promotional SMS despite opting out | Marketing consent was inadvertently ticked, or a re-consent screen flipped the default | iBANK → Profile → Privacy → Marketing toggle off. Suppression list updates within 24h. Add a chatter note acknowledging the complaint for the DPO. |
| Re-consent gate keeps showing for a member who just consented | consent_version mismatch — they consented to v3.0, notice is now v3.2 | Have them re-read the changed sections in the gate screen and re-tick. Their accounts continue uninterrupted. |
| ODPC auditor asks for evidence of consent for member X | Standard audit request | Open the member, scroll to Privacy → consent_at + consent_version + witness recorded. Export the entry from mail.message audit trail. |
See also
Was this page helpful?

