| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 4 January 2024 |
| Decided: | 2 April 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Anne Ndungu vs. Zamaradi Capital & Credit Group Ltd T/A Haki Money |
| Case No.: | 27 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Anne Ndungu complained Zamaradi Capital repeatedly demanded loan repayment for a third party, despite her not being the guarantor. The Data Protection Commissioner found Zamaradi violated data protection by processing her data unlawfully and failing to cooperate. The complaint was summarily resolved to the complainant's satisfaction but an enforcement notice was issued against the respondent by the ODPC.
The Complainant, Anne Ndungu, alleged that the Respondent repeatedly contacted her to repay a loan taken by a third party, despite the fact that she was not the third party's guarantor at the time.
She supported her complaint with screenshots and printouts of messages received from the Respondent and/or its agents. These messages included demands for repayment and threats to report her as uncooperative, stating this would impact her credit score if she did not pay or tell her friend to pay.
Upon receiving the complaint notification, the Respondent, Zamaradi Capital & Credit Group Ltd, stated they reached out to the Complainant via email on 5th February 2024 to clarify details and amicably resolve the issue.
They claimed the Complainant requested a written apology as proof that her information was not in their system, and the Respondent stated they honored her requests. The Respondent also provided a written statement sworn by its operations manager, a copy of its Terms and Conditions outlining loan operations, correspondence from the Central Bank of Kenya (CBK) regarding their data controller/processor (DCP) license application, and a contractual agreement with an outsourcing agency/company.
The ODPC established that the Respondent processed the Complainant's personal data by repeatedly contacting her as a guarantor for a third-party loan, despite her not being one. The ODPC found this processing was done without a lawful basis as required by Section 30 of the Data Protection Act, 2019 ('the Act').
A site visit revealed that the Respondent's money lending application Terms and Conditions differed from those presented to the ODPC, and both the guarantor notification system and the incident reporting mechanism were non-functional.
Furthermore, the Respondent failed to fully cooperate with the ODPC's investigations during the site visit by not availing required ICT personnel or providing complete and comprehensive information on its systems and databases, thereby curtailing the investigations and obstructing the Data Commissioner, which is an offence under Section 61 of the Act.
The Data Commissioner made the following final determination: