
Chantal Marissa Pande and Joel Stephen Kunga v Credit Bank PLC

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection, privacy breaches, data protection rights

Case Summary

Chantal Marissa Pande and Joel Stephen Kunga (hereinafter ‘the Complainants’) had a bank-customer relationship with Credit Bank PLC (hereinafter ‘the Respondent’). Through this relationship, the Complainants alleged that the Respondent caused the publication of their personal data in the form of their account numbers to third parties. The Respondent's purported negligence in safeguarding their customers' personal data, as outlined in Section 25 of the Data Protection Act (hereinafter referred to as 'the Act'), coupled with their failure to promptly report the data breach as mandated by Section 43 of the Act, resulted in distress and public humiliation for the Complainants.

Acknowledging that the Complainants are siblings of the Westlands Branch Manager, the Respondent stated that in or about February 2023 it was notified by the said former branch manager of money laundering allegations that a whistleblower had reported in writing to the Directorate of Criminal Investigations (DCI). The Respondent affirmed that no such complaints were ever made. Following investigations by authorities including the DCI, the whistleblower’s allegations were found to have no legal basis and the file was closed. In addition, an article by James Wambugu suggesting such laundering also referred to the Complainants.

The Respondent was prompted to investigate the veracity of the allegations and took appropriate remedial action in line with its internal guidelines and policies and those of the CBK. The Respondent claimed that the data was kept extremely confidential during the investigations as well, and that the money laundering accusation had been brought to its attention through the former branch manager. It therefore maintained that it bore no responsibility for the alleged breach of personal data and had made no contribution to the article by Wambugu.

Issues for determination

  1. Whether the rights of the Complainants were violated
  2. Whether the Respondent fulfilled its obligations under Section 43 of the Act; and
  3. Whether the Complainants are entitled to the remedies sought

Determination

Because the Complainants were unable to demonstrate a violation of the principles governing data protection, or that the Respondent had in fact unlawfully revealed their names and bank details to a third party, it was found that the Respondent did not violate the Complainants’ rights, as there was no evidence of such a violation.

Furthermore, the Act’s requirement to notify and communicate a breach, where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, did not apply, as there was no evidence linking the Respondent to the disclosure of the Complainants’ personal data to a third party.

Therefore, with the main issues resolved against the Complainants, the Respondent was found not to have violated the Complainants’ rights, and the remedies sought by the Complainants were found to be unjustified and were not granted.

The ODPC noted money laundering and related crimes under the Proceeds of Crime and Anti-Money Laundering Act (2009) as well as the Tax Procedures Act (2015), and accordingly forwarded the file to the Financial Reporting Center and the Kenya Revenue Authority for further action.

Analysis

  1. Whether the rights of the Complainants were violated

The Complainants failed to demonstrate that the Respondent was in fact responsible for the breach of their personal data. Under the Complaints Management Manual, the information required when lodging a complaint includes details of the respondent and any supporting documents to be used in the investigation process. Had the Complainants provided any documents or proof to support their claims against the Respondent, for example regarding the public ridicule and distress they faced as a direct result of the Respondent’s actions, there would have been reason for the Office to believe that their rights had in fact been violated.

Additionally, the Respondent was able to prove to the Office that it was not aware of any published article or allegations regarding money laundering, save for the allegations made by its former branch manager. Hence the ODPC found that the rights of the Complainants had not been violated.

  2. Whether the Respondent fulfilled its obligations under Section 43 of the Act

As the Respondent was not found liable for any infringement of the Complainants’ rights, it was under no obligation to disclose any such breach within the 72-hour period required by Section 43 of the Act.

  3. Whether the Complainants are entitled to the remedies sought

Since the Respondent did not violate any of the Complainants’ rights, the ODPC did not grant the remedies sought.

 

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.