| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 20 May 2025 |
| Decided: | 8 August 2025 |
| Published: | Yes |
| Fine: | KES.50,000 |
| Parties: | Minage Lucy vs. Chapeo Capital Limited |
| Case No.: | 0722 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Minage Lucy sued Chapeo Capital Limited for persistent, unsolicited debt recovery communications regarding an unknown third party's loan. The ODPC found Chapeo lacked a lawful basis and failed to notify the Complainant of data processing. Chapeo was found liable and ordered to pay KES 50,000 compensation.
The Complainant, Minage Lucy, alleged that the Respondent, through its agents, subjected her to persistent and unsolicited phone calls and SMS messages regarding a defaulted loan taken by an unknown third party. She stated that she had no knowledge of the borrower or their obligations and had never provided consent for her data to be used for debt recovery purposes. Furthermore, she was never notified that her data was being processed. Even after she attempted to block the Respondent's contact numbers, the communication allegedly continued through alternative lines, including at odd hours and during weekends, which she characterized as harassment and an intrusion into her private life that caused her significant stress.
Chapeo Capital Limited, operating under the brand "ZK Pesa Loan," denied any breach of data protection laws. The Respondent argued that the Complainant was only contacted because she had been listed as an "alternative contact" by a borrower during a loan application in May 2025. They asserted that the processing was lawful because the borrower had voluntarily provided the information, and they maintained that they do not retain data from guarantors as they do not require formal guarantees. The Respondent also claimed to have proactive measures in place, such as agent training and a privacy policy, and stated they had deleted the Complainant's information from their systems to prevent further contact.
The Office of the Data Protection Commissioner found that the Respondent, as a data controller, had a statutory duty under Section 29 of the Act to notify the Complainant that her personal data was being collected and for what purpose. The ODPC determined that the Respondent failed to notify the Complainant, thereby breaching this duty. Crucially, the Commissioner found that the Respondent failed to provide any evidence to justify its actions or demonstrate a lawful basis—such as consent or legal necessity—for processing the Complainant's data for third-party debt recovery. Consequently, the Respondent’s actions were found to be a violation of the Complainant’s right to privacy.
In the final determination dated 8th August 2025, the Data Commissioner ruled as follows: