| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25, 26, 36 of the Data Protection Act, 2019. |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 4 March 2024 |
| Decided: | 31 May 2024 |
| Published: | Yes |
| Fine: | KES.450,000/- |
| Parties: | Kevin Kiprotich Rono vs. SBM Bank Kenya |
| Case No.: | 372 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
The ODPC determined that an email address is personal data and the Complainant rightfully objected to its processing. SBM Bank, the Respondent, who was required to address the objection within 14 days, took over a year and only acted after the ODPC intervened. Furthermore, the Respondent failed to correct inaccurate customer data when prompted. As a result, the Complainant is entitled to a KES.450,000 compensation for the delay in resolving the issue.
Kevin Rono (the “Complainant”) alleged that SBM Bank Ltd (the “Respondent”) has since May 2023 to the date of filing of the complaint, sent him a total of 327 emails despite him not being a customer of the Respondent or otherwise having any relations with it.
The emails comprised various various transactional notifications eg OTP alerts, login information, account to mobile money alerts, transactional OTPs, password reset alerts, account statements marketing information and promotional offers.
He avers that the Respondent failed or neglected to resolve the issue even after he made at least 5 different requests for them to do so.
The Respondent averred that the Complainant's email was very similar to one of it's customers who provided it in order to facilitate communication. They further averred that they contacted their customer when they received the Complainant’s communication, who corrected the details of his email (there was an extra ‘o’) and therefore considered the matter to have been resolved.
The ODPC found that from the account opening forms provided to it, the Respondent's customer provided an email address but this was incorrectly captured by the Respondent in its system. The error was therefore made by the Bank, not its customer or the Complainant.
The ODPC also found that the Respondent also failed to resolve the issue promptly when notified of the error by the Complainant. In fact, the Respondent only resolved the error when they received communication from the ODPC.
The ODPC found that: