| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Sections 2 and 30 of the Data Protection Act, 2019; Regulation 11(1)(b) of the Data Protection (General) Regulations, 2021. |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 4 January 2024 |
| Decided: | 2 April 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Anne Ndung'u vs. Zamaradi Capital & Credit Group Ltd T/A Haki Money |
| Case No.: | 0027 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
A complaint against Zamaradi Capital & Credit Group Ltd, a digital credit provider and owner of Haki Money, was marked as resolved after the Complainant and the Respondent reached an amicable agreement. The investigation revealed poor data governance practices at Zamaradi and a lack of co-operation with the ODPC, which was deemed obstruction of justice.
Anne Ndung'u (the “Complainant”) filed a complaint with the Office of the Data Protection Commissioner alleging that Zamaradi Capital & Credit Group Ltd (the “Respondent”), a digital credit provider with a money lending product called Haki Money, listed her as a guarantor of loans by third parties without her knowledge or consent.
The Respondent thereafter contacted the Complainant, asking her to prevail upon the third party to regularise his outstanding facilities.
In response, the Respondent confirmed that the Complainant was indeed contacted over the outstanding third party loan, but averred that it had attempted to resolve the issue amicably with the Complainant to no avail.
The ODPC found that the Respondent possessed different terms and conditions of service to those submitted to the ODPC at the inception of the claim, and that the Respondent did not have functional incident reporting and guarantor notification systems. The ODPC could not access the Respondent's databases and systems to review other aspects of the claim, notwithstanding its prior notice to the Respondent to avail access to the databases or systems.
The ODPC found that the Respondent violated section 26 by not informing the Complainant of the use of her personal data. The Respondent also did not obtain the Complainant’s consent before doing so, due to a non-functional guarantor notification system and non-compliant terms of use. The Respondent therefore did not process the personal data for legitimate purposes (to wit, emergency contacts). Further, its systems were not designed to protect or promote DPA19 principles.
The ODPC noted that the Respondent failed to co-operate with the investigations when it failed to provide access to its systems and to members of staff familiar with the Respondent's operations.
The ODPC noted, however, that the Respondent properly dealt with the Complaint by resolving it fully as required.
The ODPC held that: