| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 26(a) of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | No violation |
| Started: | 5 October 2023 |
| Decided: | 2 January 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Gladys Jepkoech Kemboi vs. Diamond Trust Bank & Anor |
| Case No.: | 1933 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The complaint was filed by Gladys Jepkoech Kembol against Diamond Trust Bank and Jubilee Insurance Company Limited for an alleged infringement of personal data. The Complainant alleged that the Respondents signed her up for a product without her consent. The case was dismissed for want of merit.
Gladys Jepkoech Kembol alleged that while at Diamond Trust Bank's Eldoret Branch, an employee approached her and informed her of an insurance package offered by Jubilee Insurance.
She claimed that the employee proceeded to fill in insurance forms, attaching her bank account details and personal details, including copies of her Identification Number (ID) and KRA Pin, without her express consent.
As a result, a standing order was initiated against her account, leading to the insurance policy deducting her savings totaling about Kshs. 500,000.
Despite numerous protests and communication with the bank's employee to cancel the insurance policy and suspend the standing order, no action was taken to remedy the situation.
The Data Protection Commissioner's determination was based on the findings of the investigations. The evidence submitted indicated that the complainant provided her personal information for the purpose of the assurance policy and signed all the necessary forms.
The respondent also proved that they did not have sufficient information to share with the other party for the purpose of signing up the assurance policy without the complainant's consent.
Additionally, the complainant did not provide enough proof of the alleged unauthorized policy and the amount submitted to the 2nd respondent. As a result, the Data Commissioner found that the respondents were not liable for violation of the complainant's rights or their obligations under the Act.
The respondent was absolved from liability because the complainant failed to sufficiently prove that her privacy rights were infringed or violated by the respondents.
The ODPC held that: