| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 2, 5(6), 8(1)(f), 25, 40(1)(b), 65 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 25 April 2024 |
| Decided: | 23 July 2024 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Maina Jackson Irungu vs. Family Bank Ltd |
| Case No.: | 616 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Maina Jackson Irungu filed a complaint with the ODPC against Family Bank Limited for incorrectly sending him account statements via email for six months and failing to stop despite repeated requests to do so. Family Bank admitted to the error, explaining that during the account opening process for a different customer, they had incorrectly saved Mr. Irungu's email address instead of their actual customer's email address. The ODPC determined that Family Bank violated Mr. Irungu's right to erasure under the Data Protection Act and ordered the bank to compensate him KES 250,000.
Maina Jackson Irungu complained to the Office of the Data Protection Commissioner (ODPC) that Family Bank Limited was sending him email statements despite not holding an account with them.
The complainant provided screenshots of emails with bank statements he had been receiving for the last six months.
He visited a Family Bank branch to seek clarification and was told he did not have an account.
Three months later, he was still receiving the email statements and wrote to Family Bank requesting them to stop and to edit his email address, but this did not resolve the issue. The complainant then filed the complaint with the ODPC.
Family Bank stated that, after an investigation, it was determined that the complainant's email address was mistakenly associated with a different customer's account during the account opening process.
This error occurred because the complainant's email address was mistakenly entered into the system for a different customer.
The bank explained that this customer had provided the complainant's email address instead of their own on the KRA PIN certificate they presented when opening their account.
They further stated that they deleted his email address from the complainant's customer account and the correct customer's email address.
The bank claimed they ceased all communication upon discovering this error. Family Bank argued that the emails sent were part of its contractual obligation to provide account-related information.
The ODPC found that: