| Field | Value |
|---|---|
| Authority | ODPC - Kenya |
| Jurisdiction | Kenya |
| Relevant law | Legal Provisions reviewed |
| Type | Complaint |
| Outcome | Violation |
| Started | 22 January 2025 |
| Decided | 21 April 2025 |
| Published | Yes |
| Fine | KES 650,000.00 |
| Parties | Mwikali Nzyoka vs. Kenya Women Microfinance Bank (KWFT), Family Bank, and Co-operative Bank of Kenya |
| Case No. | 105 of 2025 |
| Appeal | N/A |
| Original Source | ODPC |
| Original contributor | MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- The Decision
Summary
Mwikali Nzyoka complained that Kenya Women Microfinance Bank (KWFT) unlawfully disclosed her loan and sensitive personal data to Family Bank and Co-operative Bank for loan takeover. The Data Commissioner found all three banks liable for unauthorized processing and ordered them to pay KES 650,000/= compensation.
Facts
The Complainant, Mwikali Nzyoka, lodged a complaint on 22nd January 2025. She alleged that the 1st Respondent (KWFT) shared her personal information, including her loan details, with the 2nd (Family Bank) and 3rd (Co-operative Bank) Respondents without her consent or any lawful basis.
The Complainant averred that between mid-August and November 2024, the 1st Respondent leaked her sensitive personal information, including loan status, identification details, place of work, and phone number, to multiple financial institutions. She was contacted by agents from the 3rd Respondent who claimed the 1st Respondent was selling customer loans to banks. Representatives from the 2nd and 3rd Respondents subsequently confirmed they had obtained her data from the 1st Respondent. The Complainant contended that she continues to experience harassment, vulnerability, and frustration due to this unauthorized disclosure. She sought remedies including a formal investigation, a written apology, and compensation for the harm suffered.
- 1st Respondent (KWFT): The 1st Respondent denied that the data breach originated on its side, attributing it to former employees who allegedly took data after their termination. The 1st Respondent also asserted that the breach resulted from inadequate data protection measures within its organization.
- 2nd Respondent (Family Bank): The 2nd Respondent initially denied direct responsibility, noting the Complainant was not a customer. They asserted there was no data sharing agreement with the 1st Respondent. However, they later acknowledged that the individual who contacted the Complainant was an agent associated with their institution.
- 3rd Respondent (Co-operative Bank): The 3rd Respondent argued they had no contractual relationship with the Complainant. They admitted acquiring the Complainant’s data through "market intelligence" for the purpose of potential loan takeover from the 1st Respondent. They contended that the remedies flowing from the complaint should not attach to them as the complaint was against the 1st Respondent.
The Office of the Data Protection Commissioner (ODPC) made the following key findings:
- The 1st Respondent (KWFT) violated the Complainant's right to be informed under Section 26(a) of the Data Protection Act (DPA) because they failed to inform her that they intended to sell her loan to third parties.
- The 1st Respondent failed to adhere to its statutory obligations, lacking proper consent and a valid legal basis for disclosure under Sections 25 and 30 of the DPA, resulting in unlawful processing of personal data. The data shared (loan status, identification details, phone number) was typically only known to the financial institution holding the loan, contradicting KWFT's denial that the breach originated from them. Furthermore, the 1st Respondent's security measures were found insufficient to prevent unauthorized access or disclosure, even by former employees.
- The 2nd and 3rd Respondents processed the Complainant's personal data unlawfully. The 3rd Respondent’s admission that they acquired the data through "market intelligence" for loan takeover purposes, without the Complainant's consent or a lawful basis, constituted unauthorized data processing. This action violated the principles of data minimization and purpose limitation.
- Liability: The Office concluded that it was evident that all three Respondents were handling the Complainant's personal data without consent or a lawful basis, and ultimately, all Respondents were found liable.
- Legal Provisions reviewed