| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Sections 26, 28, and 29 of the Data Protection Act, 2019. |
| Type: | Complaints |
| Outcome: | Violation |
| Started: | Various dates between September 2023 and November 2023 |
| Decided: | 15 December 2023 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Humphrey Makhanu vs. Mulla Pride Ltd |
| Case No.: | 1843 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The Office of the Data Protection Commissioner in Kenya received various complaints against One Acre Fund (the “Respondent”) for unlawfully collecting and processing personal data without consent. The complainants alleged that the Respondent contacted them via calls and text messages demanding they reach out to unknown persons for loans previously acquired from the Respondent.
The case involves complaints filed against the respondent, Mulla Pride Limited, a firm operating a digital lending platform, regarding the unauthorized use of personal data, particularly contact details, of the complainants.
The Complainants allege that the Respondent bombarded them with calls and text messages demanding that they contact unknown parties regarding loans granted by the Respondent.
The Complainants claim they are not clients of the Respondent, have not sought loans from it, and have not shared their personal details with the Respondent.
The Respondent admitted to contacting the Complainants to inform the borrowers of their outstanding loans, stating that the contacts were obtained from the borrowers who provided the information voluntarily. However, it is noted that the Respondent did not sufficiently demonstrate that it took precautionary measures to confirm and verify that the complainants were properly and lawfully onboarded as referees, informed that their numbers had been listed as emergency contacts and/or guarantors prior to contacting them.
The Office found the respondent in breach of Sections 26, 28, and 29 of the Data Protection Act, 2019.
It was determined that the respondent irregularly collected, processed, and stored personal data without notifying data subjects as required by the Act.
Additionally, the respondent did not present a legal basis or legitimate reason to collect, process, and store third parties' personal data who had not consented to their data being collected or processed.
The issues for determination in the case were whether the Respondent fulfilled its duty to notify the Complainants of the use of their contact details, whether there was an infringement of the Complainants' rights as data subjects, and whether the Complainants are entitled to any remedies under the Act.
The Commissioner held: