| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Sections 8(1)(f), 56(1), 25, 26(a), 28(1), 28(2), 29, 30 and 61 of the Data Protection Act 2019, and Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 18 June 2024 |
| Decided: | 15 September 2024 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Dr. Maxwel Okoth vs. Azure Credit |
| Case No.: | 869 9f 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Dr. Maxwell Okoth filed a complaint against Azura Credit Limited for contacting him about a loan he hadn't taken. The ODPC found the company in violation of the Data Protection Act for using his data without consent and obstructing their investigation by refusing access to its systems. Azura was ordered to pay Kes. 250,000 in compensation, and its directors were recommended for prosecution for obstruction of justice.
Dr. Maxwell Okoth filed a complaint with the Office of the Data Protection Commissioner (ODPC) on 18th June 2024.
Dr. Okoth alleged that Azura Credit Limited contacted him regarding a loan he was unaware of.
He claimed to be receiving incessant calls regarding the loan from a customer who repays loans for the company. Dr. Okoth provided screenshots of his call logs as proof.
Azura Credit Limited responded to the complaint on 6th August 2024. The company stated that it operates in line with the law and industry best practices for data security and privacy.
They asserted that they do not systematically or intentionally call people who have no loans with them. Azura Credit Limited stated that they only contact clients with active loans and that once a client settles their loan, their collection system automatically removes them from the collector's portfolio.
They claimed their only way to obtain someone's information is through the client themselves during loan registration.
Azura Credit Limited stated they are only allowed to contact a client when they default on their loan repayment. They also stated that they don't disclose client data to third parties during the debt collection process.
Azura Credit Limited relies on consent as a legal basis for processing data. They stated that all users are required to read and accept the Terms and Conditions of their products before a loan is granted.
The company also relies on the performance of a contract as a legal basis for processing personal data.
The ODPC investigated the complaint, reviewed the responses, and conducted a site visit at Azura Credit Limited's premises.
Azura Credit Limited, hindered the Office of the Data Protection Commissioner's (ODPC) investigations by not providing its ICT personnel with access to the backend of its database. This occurred during a site visit on 30th August 2024. As a result of this action, the ODPC was unable to examine the respondent’s loan application. The ODPC determined that this constituted an obstruction of the Data Commissioner, contrary to Section 61 of the Data Protection Act