Authority: ODPC - Kenya
Jurisdiction: Kenya
Relevant law: Legal Provisions Reviewed
Type: Complaint
Outcome: Violation
Started: 2 May 2025
Decided: 30 July 2025
Published: Yes
Fine: KES 50,000
Parties: AK vs. Stanbic Bank Kenya Limited
Case No.: 0626 of 2024
Appeal: N/A
Original Source: ODPC
Original contributor: MZIZI Africa

Summary

AK complained that Stanbic Bank failed to erase his personal data following account closure, causing him to receive unsolicited alerts. Despite his formal requests and his opting out, the bank continued processing his data. The ODPC found a violation of the right to erasure and ordered KES 50,000 compensation.

Facts

The Complainant, AK, stated that he closed his accounts with the Respondent on 4th July 2023. Despite this, he continued to receive unsolicited SMS messages from the bank even though he was no longer a customer. On 31st March 2025, he sent a formal email request asking the bank to erase his personal data, particularly his phone number, from their records. Although the Respondent acknowledged the request and claimed on 3rd April 2025 that the issue was resolved, they failed to provide confirmation that the data had actually been erased. AK followed up again on 11th April after receiving another message, at which point the bank instructed him to use a USSD opt-out code. Despite complying with this instruction, he received yet another unsolicited message on 30th April 2025, which he argued demonstrated that the bank was still unlawfully processing his data.

The Respondent stated that the Complainant held three accounts which were processed for closure on 6th September 2023. They admitted that despite this closure, the Complainant continued to receive SMS alerts and had notified the bank of the same. The bank clarified that the USSD opt-out option they provided only stopped marketing communications, but the Complainant continued to receive "general informational alerts," which led to the continued contact.

The Office of the Data Protection Commissioner found that the Act and its attendant regulations provide data subjects with the right to erasure of personal data that a controller is no longer authorised to retain. Furthermore, data controllers are required to respond to such requests within fourteen days. The Office determined that the Respondent violated the Complainant's right to deletion and erasure because the messages continued for more than fourteen days after the initial request. The ODPC noted that by the bank's own admission, it continued to send informational alerts even after the accounts were closed. However, the Office took cognisance of several mitigation measures taken by the bank, including updating its systems on 14th May 2025 to stop further messages, re-engineering its privacy complaint handling process, and conducting staff training.

Holding

In the final determination delivered on 30th July 2025, the Data Commissioner ruled as follows: