Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

The EDPA issued a warning to MTN Eswatini after MTN Eswatini disclosed a customer’s personal data (Mobile Money statement) to a third party without consent, violating the act.The breach occurred when a Call Centre Agent shared a customer’s Mobile Money statement with a third party (a creditor of the customer), which was later used at a police station to pursue a debt claim.

Facts

MTN Eswatini reported a data breach to the EDPA in February 2024. MTN Eswatini became aware of the breach after a customer (referred to as X) filed a complaint through their Call Centre.

The customer reported that her Mobile Money statement had been shared with a third party without her consent.

This complaint was made after the customer was summoned to a police station, where she learned that her creditor (referred to as Y) was in possession of her six-month Mobile Money statement, which had been used to support a claim against her.

MTN conducted an internal investigation following the complaint, confirming that the breach occurred when a Call Centre Agent shared the statement via the company's WhatsApp line after being requested by the third party.

The Call Centre Agent involved in the breach was not directly employed by MTN Eswatini. The Call Centre services were outsourced to NDZ Corporate, a third-party service provider. The agent worked under NDZ Corporate's management.

After the incident, the Call Centre Agent resigned before disciplinary proceedings could begin.

MTN Eswatini reported several compliance measures that were in place to prevent such breaches, including:

• MTN claimed to conduct Data Protection and Privacy training for all employees, including NDZ Corporate staff, at least once a year.The training includes whistleblowing, ethics, and compliance training. Mandatory huddles were held for Call Centre Agents every Monday and Thursday to cover relevant procedures, followed by tests to confirm their understanding.
• The organisation had a policy for reporting observed or suspected information security incidents, which included an anonymous tip-off and whistle-blowing policy.
• NDZ staff were required to sign a Non-Disclosure Agreement (NDA) upon onboarding, ensuring they understood the importance of confidentiality when handling customer information.
• MTN had a Quality Assurance (QA) function in place that oversaw Call Centre Agents and reviewed interactions such as calls, emails, and chats to ensure compliance with data protection standards.