| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 19 February 2025 |
| Decided: | 19 May 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Eric M. Njuguna vs. Chapeo Capital Ltd (ZK Pesa) & Anor |
| Case No.: | 0238 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Eric Munene Njuguna alleged Chapeo Capital unlawfully processed his data, designating him as a loan guarantor using unverified information from Ericson Lubale Okota without consent. The Data Commissioner found the Respondents violated data rights, specifically the right to be informed. The 1st Respondent was ordered to pay KES 250,000 compensation; prosecution was recommended for the 2nd Respondent.
The Complainant submitted his complaint on February 19, 2025. He alleged that the 1st Respondent unlawfully processed his personal data by designating him as a loan guarantor for a loan sought by the 2nd Respondent. He contended that this information was used without being verified and without informing him or obtaining his consent. The Complainant asserted that he received a demanding call on September 18, 2024, from the 1st Respondent’s agent requiring him to ensure the 2nd Respondent repaid a KShs 2,000 loan or pay it himself. He maintained that he had no knowledge of this arrangement and never consented to be a guarantor. When he challenged the agent on verification procedures, the agent allegedly checked that the Complainant’s phone number matched the name saved in the 2nd Respondent’s phonebook, without conducting proper due diligence or obtaining prior consent. The Complainant alleged he suffered financial and psychological distress, including continued anxiety and reduced productivity, resulting from the Respondents' actions, and argued that the 1st Respondent's own privacy policy states they do not require guarantors for mobile loans. He sought remedies including an enforcement notice compelling the erasure of his data, and compensation for violating his rights, financial loss, psychological distress, and punitive damages.
The 1st Respondent submitted its response on April 4, 2025, but the 2nd Respondent remained non-responsive. In their defense, the 1st Respondent (Chapeo Capital) contended that it operates within strict ethical guidelines and regulatory compliance frameworks. They denied that their debt collection practices involved threatening, harassing, or unauthorized sharing of personal customer data beyond legal parameters. Regarding customer communication, the 1st Respondent asserted that contact details are provided voluntarily by customers and are utilized exclusively for loan-related purposes. They emphasized that they remain within legal boundaries and avoid unauthorized third-party disclosures. Concerning data protection compliance, the 1st Respondent claimed to maintain strict protocols and that customer data protection is ensured under the Data Protection Act, with access limited to authorized personnel. Furthermore, they stated they had proactively initiated corrective measures, including enhanced staff training and stronger internal monitoring systems.
The Office of the Data Protection Commissioner (ODPC) determined that the 1st Respondent unlawfully processed the Complainant’s personal data by designating him as a loan guarantor, using unverified information provided by the 2nd Respondent without informing the Complainant or obtaining consent.
The ODPC found a clear violation of the Complainant's right to be informed under Section 26(a) of the Data Protection Act. Specifically, the 1st Respondent failed to comply with Section 26(a), which mandates informing the data subject about the intended purpose of data processing. By listing the Complainant as a guarantor without his consent, the 1st Respondent violated his right to be informed. Furthermore, the 1st Respondent violated key data protection principles under Section 25 of the Act by processing the data for an unauthorized purpose. The Office concluded that the 1st Respondent failed to establish a lawful basis for processing the Complainant’s personal data, as they did not obtain the required consent. The 1st Respondent was also found to have unlawfully collected and processed the data in violation of Section 28(i) by failing to collect data directly from the data subject and failing to prove the data was publicly available.
The Data Commissioner issued the following final determination: