| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 25(a) and (c), 26, 28(1), 29, 30, 32 and 41 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 6 March 2024 |
| Decided: | 3 June 2024 |
| Published: | Yes |
| Fine: | Kes.500,000/= |
| Parties: | Sandra Bonareri Ongaki vs. Zerox Technology Company Ltd |
| Case No.: | 381 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Zerox Technology Company Limited (the “Respondent”) was order to compensate the Complainant KES.1,000,000/- for contacting the Complainant over a loan facility that she had no knowledge of and was not a party to. The firm was noted to be a repeat offender.
The Respondent is a digital credit provider operating a money lending product known as Asapkash.
The Complainant alleged that the Respondent was sending her constant text messages regarding a debtor who owed the Respondent money.
The Complainant provided screenshots of the text messages as proof.
The Respondent averred that their customers are mandatory required to provide the details of 2 emergency contacts during a loan application process. The contacts are alerted via a time sensitive sms to agree or refuse to take on that role. The emergency contact’s refusal means that the loan will not be disbursed to the Applicant.
The ODPCs noted that the phone numbers used to contact the Complainant belonged to the Respondent’s agents as they matched those used in a different complaint [Jeremiah Okello vs. Zerox Technology Ltd (unreported)] and further, this issue was also not denied.
The ODPC found that the Respondent did not avail proof of attempts to resolve the matter or of the OTP message allegedly sent to the Complainant when processing the third party facility.
Consequently, the office found that there was a violation of the complainant's rights under the Act, as the respondent failed to inform the complainant of the use to which her personal data, particularly her phone number, was being put.
Additionally, it was found that the respondent did not fulfill its obligations under the Act as a data controller and data processor by failing to honour the Complainant's request to stop processing her personal data.
The ODPC also found that the Respondent is a repeat offender who had failed to resolve previous enforcement notices issued by the office. As a result, the complainant was found entitled to compensation under the Act for the damage suffered.
The ODPC held that: