| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25(a) and (c), 26, 28(1), 29, 30, 32 and 41 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 17 October 2023 |
| Decided: | 16 January 2024 |
| Published: | Yes |
| Fine: | Kes.500,000/= |
| Parties: | Emily Sila vs. Zerox Technology Company Ltd |
| Case No.: | 2109 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
A complaint was received by the Office of the Data Protection Commissioner against Zerox Technology Company Limited (the “Respondent”). The complaint alleges that the Respondent was contacting the Complainant and sending numerous messages regarding a loan that she had no knowledge of.
The Respondent is a digital credit provider operating a money lending product known as “Apesa”
The Complainant alleged that the money lending product owned by the Respondent was sending her constant text messages regarding a debtor who owed the respondent money.
The complainant provided screenshots of the text messages as proof.
The Respondent was notified of the complaint but failed to respond. Consequently, the office found that there was a violation of the complainant's rights under the Act, as the respondent failed to inform the complainant of the use to which her personal data, particularly her phone number, was being put.
Additionally, it was found that the respondent did not fulfill its obligations under the Act as a data controller and data processor and was a repeat offender who had failed to respond to previous enforcement notices issued by the office. As a result, the complainant was found entitled to compensation under the Act for the damage suffered.
The ODPC held that:
The full text of the ruling is available below.