| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25(f), 26 (c), 30(1)(b), 40(1)(b), 65 of the Data Protection Act, 2019; Regulation 12 (1)(b) 31 of the Data Protection (General) Regulations, 2021 |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 26 January 2024 |
| Decided: | 24 April 2024 |
| Published: | Yes |
| Fine: | KES.700,000.00 |
| Parties: | Dr. Bernard Shiaunda Aete vs. NCBA Bank Kenya Ltd |
| Case No.: | 169 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
NCBA Bank Kenya Ltd violated the Complainant's rights to accuracy and erasure by ignoring his request to remove his ex-wife's contact information from his account. Additionally, his account balances were often inaccurate. Despite his request, his ex-wife continued to receive transaction alerts related to his account for eight months after the initial request for changes.
Dr. Bernard S. Aete (the “Complaint”) is a customer of the NCBA Bank Kenya Ltd ( the “Respondent”). The Complainant was a beneficiary of a credit facility which he serviced regularly.
He however noted that the account position was not aligned with the statements that he received from the bank and he was therefore being cited regularly by the Respondent for not maintaining his account, which was untrue, and requesting him to regularise the same. He alerted the bank to this discrepancy on several occasions to no avail.
When the Respondent's personal circumstances changed and he got divorced, he notified the bank of the same and requested the Respondent not to send any bank statements or transaction alerts to his ex-wife.
The Respondent never effected the change and the Complainant's wife continued to receive his account statements regularly upto 8 months after he initially requested them to effect the change to the account particulars, and notwithstanding his repeated requests for them to resolve the issue.
The Respondent confirmed receipt of the change instructions and averred that they have effected the change, but averred further that they maintained the wife's contact as an alternate one for use in specific circumstances.
They also averred that the issue emanated from a system configuration error and they were in the process of rectifying the same with the vendor.
The ODPC found that the Respondent failed or neglected to effect the changes eight (8) months after they were notified of the same and that the Complainant had indeed made many requests to different people within the Bank using various channels to communicate his needs and disappointment at the Respondent's inaction. The Respondent therefore continued to process the Complainant's data irregularly.
The ODPC also found that the Respondent failed or neglected to comply with the Complaints right to erasure, and that the Respondent did not demonstrate compelling legitimate interest in continuing to process the information that could override the privacy needs of the Complainant. They therefore divulged the Complainant's information to a third party without cause.
The ODPC held that: