| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 8(1)(f), 25, 26(a), 28(1) and 28(2), 29, 30, 56(1), 58 of the Data Protection Act, 2019; Regulation 14, 11(2) and 16 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31(c) and (d) of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 19 July 2024 |
| Decided: | 14 October 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Musa Wesutsa vs. Azure Credit Ltd T/A TruePesa |
| Case No.: | 1088 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Musa Wesutsa filed a complaint against Azura Credit Limited T/A Truepesa for contacting him about a loan he did not apply for. The company obtained his information from a third party without his consent and used it to harass him over a debt owed by a staff member. The ODPC found that Azura violated the Data Protection Act by failing to inform Wesutsa about the use of his data and obtain his consent for processing. An enforcement notice was issued.
The Complainant, Musa Wesutsa, alleged that Azura Credit Limited T/A Truepesa was contacting him regarding a loan he did not apply for.
He claimed that the company was harassing him and his senior managers, seeking to recover funds that one of their staff members had borrowed. The Complainant provided screenshots of emails and calls as proof.
He further alleged that Azura Credit Limited T/A Truepesa obtained his personal information illegally, including his phone number and email address. The Complainant requested that the company stop involving him or his company in the debt recovery process.
Azura Credit Limited T/A Truepesa did not respond to the notification of complaint filed against it. Therefore, the allegations remained uncontroverted.
The Office of the Data Protection Commissioner (ODPC) found that Azura Credit Limited T/A Truepesa violated the Complainant's right to be informed by not disclosing the source of his personal data and the purpose for its collection.
The ODPC also found that the Respondent failed to fulfill its obligations under the Data Protection Act by not obtaining consent from the Complainant before processing his personal data.
Legal Provisions Reviewed
The ODPC reviewed the following legal provisions: