| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 30 August 2023 |
| Decided: | 27 November 2023 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Benedict Nyaga vs. Mulla Pride Limited T/A Ke Credit |
| Case No.: | 1593 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Benedict Nyaga complained that Ceres Tech Limited (Chapaa Loan) contacted him and listed him as a guarantor for an unknown loan without consent. The Respondent was found liable for violating Nyaga's right to be informed regarding the processing of his personal data under Section 26(a) of the Data Protection Act.
Benedict Nyaga (the Complainant) filed a complaint relating to the alleged contact by Ceres Tech Limited t/a Chapaa Loan (the Respondent) regarding a loan he was unaware of and had not consented to being listed for as a referee or guarantor.
The key facts presented by the Complainant were that in August, he received abusive and insulting text messages and calls from the Respondent on diverse dates. The messages and calls concerned an unpaid loan by a loanee who is unknown to the Complainant.
The Respondent proved the allegations with screenshots of messages asking the Complainant to inform the loanee to pay a loan. The Respondent suggested that the Complainant should pay on behalf of the loanee, claiming he was allegedly listed as a guarantor.
The Complainant stated that the Respondent had failed to conduct thorough background checks before lending money. The Complainant had not consented to being listed as a referee or guarantor for the loan. The late night and early morning abusive calls caused him psychological torture, leading him to seek medical treatment for high blood pressure.
Ceres Tech Limited provided a response on 28th September 2023 to the allegations made against it.
The Respondent’s primary points were that the Complainant’s phone number was provided by their customer, David Muiruri, who gave the number as a "next of kin" contact, implying the mother was the registered owner of the number. The collection of next of kin information is governed by Clause 10 of the company’s Data Policies, which requires customers to provide the details of at least one individual to act as their next of kin.
They claimed they only contact third parties upon express consent from the data subject provided at the point of registering to use their app. The Respondent relied on Section 31 of the Banking Act as its legal basis for collecting next of kin information. The Respondent alleged that their customer and loanee, David Muiruri, provided false information.
Upon conducting investigations after receiving the Complainant's complaint, they immediately deleted the information. They stated that agents who violate their policies are subjected to disciplinary measures, and in this specific case, they terminated services with the agent in question. They provided their data protection policies, procedures, terms of use, and a standard consent form for processing data for marketing purposes. They stated that clause 21 of their policy requires them to notify customers of their rights under Section 26 of the Act when signing up to use their application.
The Office of the Data Protection Commissioner (ODPC) determined two main issues: (I) Whether there was a violation of the Complainant's rights under the Data Protection Act (the Act); and (II) Whether the Respondent had obligations to fulfil under the Act.
I. Violation of Complainant’s Rights: