Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Legal Provisions Reviewed
Type: Complaint
Outcome: Violation
Started: 17 September 2024
Decided: 13 December 2024
Published: Yes
Fine: KES.500,000
Parties: Eunice Mweni vs. Aventus Technology Limited
Case No.: 1346 of 2023
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa


Summary

Eunice Mueni complained that Aventus Technology Limited (Lendplus) unlawfully processed her NHIF data to assess her loan repayment ability and send unwanted messages. Aventus proved that it had used salary information voluntarily submitted by the Complainant, entered into a public KRA calculator. The ODPC found that the lender fulfilled its obligations under the Act and dismissed the complaint as lacking merit.

Facts

The Complainant lodged a complaint alleging the unlawful processing of her personal data and a violation of her right to privacy. Specifically, the complaint related to the alleged unlawful processing of the Complainant's NHIF data by the Respondent, which was purportedly used to send unwanted messages. As evidence, the Complainant provided a screenshot of a WhatsApp message from a person identifying herself as Maureen from Lendplus. The message indicated that the Respondent could see where the Complainant worked and that she was deducted a certain amount for NHIF remittance, implying that she earned a good salary. The Complainant alleged this amounted to a violation of her privacy. It was undisputed that the Complainant had previously taken a loan with the Respondent and had delayed clearing it.

The Respondent, Aventus Technology Limited, stated that they had a standard contract containing terms, conditions, and a privacy policy, which the Complainant was required to read and understand before applying for the loan. They further submitted that the Complainant was notified of the processing of her personal data according to the terms of agreement, and that customers are always required to read and understand the terms of agreement before onboarding. The Respondent also asserted that they had mechanisms to ensure customers understood the process and the data required from them.

Regarding the core contention concerning access to the Complainant’s NHIF data, the Respondent stated that they do not have access to NHIF. Instead, they claimed to have obtained details of the customer’s salary deductions through a public pay calculator portal provided by the Kenya Revenue Authority (KRA). The Respondent explained that their portal enables them to acquire information such as PAYE, Housing Levy, NSSF, and NHIF deductions from the salary range given by the customer. This information, along with other data provided by the Complainant (including monthly income, employment details, and contact person), was used to calculate the total deductions using the PAYE calculator in order to ascertain the customer's ability to repay the loan. The Respondent attached a screenshot of the calculator input, showing that a basic salary of Kshs. 100,000 resulted in an NHIF contribution deduction of Kshs. 1,700. The Respondent claimed this information was used to inform the Complainant of her ability to repay the loan.

The ODPC addressed three key issues: whether there was a violation of the Complainant’s rights, whether the Respondent fulfilled its obligations under the Act, and whether the Complainant was entitled to remedies.

  1. Violation of Rights: The ODPC found that the Complainant’s rights under the Act, including the right to be informed of the intended use of her personal data (Section 26(a)), were upheld by the Respondent. The Respondent was able to demonstrate that they informed the Complainant of the manner in which her personal data was to be used and the purpose of collection through the terms and conditions and privacy policy provided before the loan was taken.
  2. Fulfillment of Obligations: The Respondent, as a data controller and data processor, had obligations pursuant to the Act. The ODPC found that the Respondent provided proof that the Complainant provided her personal data willingly and voluntarily in a bid to secure a loan, fulfilling the mandate of Section 28 of the Act to collect data directly from the data subject. Regarding the NHIF data specifically, the ODPC accepted the Respondent’s explanation that they did not unlawfully obtain this information from elsewhere. They were able to ascertain the Complainant’s deductions through a simple and basic search on the KRA calculator portal, using information (basic salary) that the Complainant herself had provided. The Respondent demonstrated the legal basis (consent and awareness of terms/conditions) upon which they processed the Complainant’s data prior to borrowing the loan, thus fulfilling its obligations as set out under the Act.
  3. Entitlement to Remedies: Since the ODPC found that the Respondent fulfilled its obligations under the Act and the Complainant’s rights were upheld, the Complainant was not entitled to any remedies under the Act and attendant Regulations.

Holding

The Data Commissioner made the final determination, ruling as follows: