Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Kiplimo Kiptui complained Mulla Pride unlawfully accessed salary details, sent threatening messages, tracked location, and sent marketing messages without consent. Mulla Pride was found to have violated data protection, ordered to delete his data, and pay KES 1,000,000 compensation.

Facts

The Complainant, Kiplimo Kiptui, alleged that Mulla Pride Limited T/A KE Credit unlawfully obtained his salary details, sent him threatening messages and calls even after loan repayments were made, tracked his location including that of his child to monitor school drop-offs, and sent him marketing messages without his consent. He provided screenshots of messages as proof. He claimed to have deleted his account but still received threatening messages. He also sought deletion of all his data from the Respondent's possession.

The Respondent stated that during onboarding, they collect personal details (name, ID, birth date, salary bracket, employment status), personal contact details (addresses, phone, email), and location data (with user permission via mobile app). They claimed the Complainant's loan was overdue and he had not responded to agents. They attributed threatening messages after repayment to a "customer error" in providing incorrect account details, stating the matter was resolved and data expunged. The Respondent stated that customers are granted access to their data privacy notice. They discovered a collection agent accessed the Complainant's salary details via LinkedIn, which they condemned as unlawful and against their ethical standards, stating they were taking corrective actions. They also communicated with their outsourced company to ensure debt collection agents have privacy policies and data processing certificates. The Respondent claimed to have deleted the Complainant's data and provided screenshots as proof, along with an apology for the data breach.

The ODPC found that the Respondent violated the Complainant's rights in several ways.

• The Respondent unlawfully obtained the Complainant's salary details by admitting their collection agent accessed them via social media (LinkedIn) without prior consent, violating Section 26(a) and 28(1) of the Act.
• They unlawfully tracked the Complainant's child's school drop-off details, violating Section 44 concerning sensitive personal data of children and Section 25(c) which requires specific and legitimate purposes.
• The Respondent failed to uphold data accuracy by sending threatening messages after loan repayment, attributing it to a "customer error" but not promptly updating records.
• They also sent promotional messages without demonstrating consent, violating Section 37(1) which requires express consent or an opt-out mechanism for direct marketing.
• Lastly, the Respondent failed to fully cooperate with the ODPC, providing false/misleading information and obstructing the Data Commissioner's powers under Section 58 of the Act.
• Legal Provisions Reviewed

Holding

• The ODPC found the Respondent liable.