Brian Kimani & Annsalome Wangari v Zillions Credit Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: privacy, data protection rights

Case Summary

The 1st Complainant alleged that Meta Loan, a product of the Respondent, called him and asked him to repay a loan. The 1st Complainant averred that he had never taken a loan from the Respondent. The Respondent also called him and asked him to speak to a 3rd party about repaying that party's loan. The 2nd Complainant alleged that she was receiving incessant calls from Zash Loan, a product of the Respondent, telling her to pay a 3rd party's loan because she was listed as the guarantor. She adduced screenshots as evidence.

The Respondent responded by averring that, in the 1st Complainant's case, his contact details had been provided by a third party, one of its borrowers, who was required to supply alternative phone numbers in addition to a primary phone number. The Respondent admitted to contacting the 1st Complainant and asking him to pass on information about repayment to the borrower. However, the Respondent denied having asked the 1st Complainant to repay the loan himself, though it provided no evidence to support this denial.

The Respondent confirmed contacting the 2nd Complainant but stated that it did so to pass on information to the customer who had listed her as an emergency contact. The Respondent also confirmed that it had no standard contract with either Complainant, since they were not its primary customers. The Respondent averred that the Complainants' contact details were voluntarily provided by its customers at the point of taking a loan facility, and attached a copy of its privacy policy as proof.

Issues for Determination

  1. Whether the Respondent fulfilled its duty to notify the Complainants of the use of their contact details as per Section 29 of the Data Protection Act.
  2. Whether there was any infringement of the Complainants' rights as data subjects as provided for in the Data Protection Act.

Determination

The Respondent is found liable for breach of Sections 29 and 26 of the Data Protection Act.

Analysis

  1. Duty to Notify (Section 29 of the Data Protection Act)

The ODPC found the Respondent in breach of Section 29, which requires that data subjects be notified about the collection and intended use of their data. This requirement exists to ensure transparency and to give individuals control over their personal information. Here, the Respondent's practice of using contacts supplied by borrowers without directly informing those contacts (the Complainants) violated this transparency principle.

The Respondent's reliance on policy reforms that were "in process" does not exempt it from compliance at the time the data was used, which makes the ODPC's finding appropriate and timely. Financial institutions, particularly in the digital loan space, must have robust mechanisms to ensure that all data subjects are aware of, and consent to, the use of their data, even when they are not the primary customers.

  2. Infringement of Data Subject's Rights (Section 26 of the Data Protection Act)

The ODPC correctly noted that the Respondent neither notified the Complainants about the collection of their personal data nor disclosed the purpose of that collection, namely to facilitate debt collection. This is a substantial oversight that infringes the rights of data subjects under Section 26, which gives data subjects the right to be informed of data collection and processing activities.

The failure to provide a clear and understandable notification about how and why their personal data was being used further exacerbates the breach, undermining the data subjects’ ability to make informed decisions about their personal data.

Critique of the Respondent's Practices:

The practice of using third-party contacts as emergency numbers or guarantors without their explicit consent reflects a broader problem in the digital lending industry, where the boundaries of consent are often blurred. The Respondent's policy of relying on borrowers to supply these contacts, and then using them for debt collection, raises both ethical and legal concerns.

The Respondent's attachment of its privacy policy, while a positive step, is no substitute for direct communication with the data subjects about the specific uses of their personal data. Privacy policies must be coupled with proactive measures to ensure that all affected parties understand and agree to the terms, especially where third-party data is involved.

Recommendations:

Given the breach, it is imperative for the Respondent to accelerate any ongoing reforms to their data handling practices to ensure that similar breaches do not occur in the future.

Institutions should adopt clearer consent and notification processes, particularly when third-party data is involved. This could include notifying the third parties directly and obtaining their explicit consent before their data is used.

Regular reviews and audits of privacy practices can help ensure that financial institutions remain compliant with data protection laws, adapting to changes in legal standards and technology.

The ODPC’s determination in this case serves as a crucial reminder to all data controllers, especially in the financial sector, about the importance of adhering to data protection laws to safeguard individual rights. It also highlights the need for continual evaluation and adaptation of data protection measures in response to evolving data usage contexts.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, in whole or in part, by automated or manual means. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, and prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing; the recipients of the processed data and the purpose of any transfer; the method used to collect the personal data and its legal basis; and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and up to date; it must be processed for specified, explicit, and legitimate purposes; it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed; and it must be retained only for the duration specified by law, or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.