| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25, 26 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | No Violation |
| Started: | 29 September 2023 |
| Decided: | 15 December 2023 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Barrack Manono Shironje vs. Equity Bank Kenya Limited |
| Case No.: | 1837 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The Office of the Data Protection Commissioner found that Equity Bank Kenya Limited (”the Respondent”) did not infringe on the complainant's right to privacy as it had effectively communicated to the debt recovery agency that the Complainant's file was closed, which was ignored.
Barrack Shironje (”the Complainant”) filed a complaint against Equity Bank K Ltd (”the Respondent”) stating that debt collectors, who are agents of the Respondent, contacted the Complainant regarding a defaulted loan that the Complainant claims he did not have.
The Complainant alleges that this contact amounted to harassment and violated his right to privacy as his personal data was shared without due cause.
The Respondent, on the other hand, claims that the Complainant did have a loan facility that fell into arrears, and as per the Respondent’s banking practice, the Complainant's details were submitted to the debt collecting agency for further recovery of the loan balance.
The Respondent asserts that the complaint arose from a text message sent by a debt collecting company, acting as its agent, to the Complainant demanding repayment of a loan.
In response to the complaint, the Respondent provided evidence of its legal basis for processing and sharing the Complainant's data, as well as its data sharing agreement with debt recovery agencies.
The Respondent also highlighted its commitment to complying with data protection laws and regulations through the development and implementation of Data Privacy Policies and Procedures, tools to support data subject rights, training, appointment of data protection officers, privacy impact assessments, data mapping, and deployment of various safeguards including data classification tools.
It was established by the ODPC that the Complainant had initially defaulted on a loan with the Respondent, which led to the submission of his details to debt recovery agents. Despite the Complainant clearing the defaulted loan, the debt recovery agents erroneously contacted him for repayment. The Respondent acknowledged the error and communicated promptly to the debt recovery agents, insisting that it was their responsibility to ensure their records were updated. The debt recovery agent contacted the Complainant without proper authority from the Respondent, despite prior communication to close the Complainant's file.
The Office of the Data Protection Commission (ODPC) found that the Respondent effectively communicated to the debt recovery agency that the Complainant's file was closed, thereby upholding and protecting the Complainant's right to privacy. The ODPC concluded that the Respondent did not infringe on the Complainant's right to privacy. The Respondent's actions were in line with the principles of data protection as set out in the Data Protection Act, ensuring that personal data is processed lawfully, fairly, and transparently in relation to the data subject.
The ODPC held that: