| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 25 May 2025 |
| Decided: | 22 August 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Aori Chris Kipkorir vs. Platinum Credit Limited |
| Case No.: | 0750 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Aori Chris Kipkorir complained that Platinum Credit Limited ignored his formal data erasure request, continuing unsolicited loan marketing calls and texts. The ODPC found the Respondent failed to erase data within statutory timelines or prove consent. Consequently, Platinum Credit was ordered to pay KES 250,000 compensation.
The Complainant, Aori Chris Kipkorir, alleged that the Respondent persistently violated his rights over a two-year period by engaging in unsolicited communication. He stated that on 13th May 2025, he submitted a formal demand letter and a DPG 5 erasure form, citing unlawful processing and requesting a complete cessation of contact. Despite these submissions, he received further phone calls and text messages from individuals identifying as the Respondent's agents on 22nd and 23rd May 2025, and another loan marketing call on 16th July 2025. He argued that the Respondent failed to erase his data, failed to provide confirmation of compliance, and continued to process his personal information without consent.
Platinum Credit Limited initially claimed that the Complainant was not in their database and had never been a customer. They argued that the contact numbers reported were not linked to their employees, alleged that unknown individuals were impersonating their brand, and requested verifiable proof. The Respondent further stated that they contacted the Complainant in good faith and claimed he had expressed satisfaction and intended to withdraw the complaint. However, during the investigation, the Respondent’s Busia Regional Manager contradicted these claims by acknowledging that agents were indeed contacting a client without consent on 16th July 2025 and that she had called the Complainant to apologize.
The Office of the Data Protection Commissioner found that the Respondent failed to erase the Complainant's personal data within the statutory fourteen-day timeline following the formal request, thereby violating Section 40(1)(b) of the Act and Regulation 12(3) of the General Regulations. Investigations confirmed the Complainant received numerous communications despite his formal requests to stop. Furthermore, the ODPC determined that the Respondent failed to discharge the burden of proof to show it had obtained express consent or had any other lawful basis to process the Complainant's data as required under Sections 30 and 32 of the Act. Consequently, the Respondent was found to have unlawfully processed the Complainant's personal data.
In the final determination dated 22nd August 2025, the Data Commissioner ruled as follows: