Fursa Moja Technologies Limited vs NCBA Group PLC & NCBA Bank Kenya PLC/ODPC

Country: Kenya
Court:
Status: Determination
Tags: data protection, online banking

Attachments:

Complaint No. 1067 of 2022 - link

The case involved a complaint filed by Fursa Moja Technologies Limited, the Complainant, against NCBA Group PLC and NCBA Bank Kenya PLC, the Respondents, regarding account operations and mandates. The directors of Fursa Moja Technologies alleged that online banking was not activated as per the agreed mandates, and despite attempts to resolve the issue with the Respondents, no action was taken. The Respondents provided their response, stating that the account mandates were not altered and that online transactions were conducted in line with the account opening documents. The Data Protection Commissioner investigated the complaint and determined that the Complainant was not entitled to any remedy under the Data Protection Act, as the Respondents had provided the requested account opening forms. The final determination dismissed the complaint, with parties having the right to appeal to the High Court of Kenya.

Issues for Determination

1.    Jurisdiction and mandate of the Data Protection Commissioner: The issue of whether the Data Protection Commissioner had the authority and mandate to address issues related to bank account operations, specifically in the context of the complaint filed by Fursa Moja Technologies Limited against NCBA Group PLC and NCBA Bank Kenya PLC.

2.    Compliance with the Data Protection Act, 2019: The question of whether the Respondents, NCBA Group PLC and NCBA Bank Kenya PLC, complied with the requirements under the Data Protection Act, 2019, in relation to the processing and storage of personal data, as alleged by the Complainant.

3.    Rights of the Complainant under the Data Protection Act: The determination of whether the Complainant was entitled to any remedy under the Data Protection Act, 2019, based on the alleged violations of their rights as data subjects in relation to the handling of their personal data by the Respondents.

Applicable Law

Under the Data Protection Act, 2019, several legal rules and sections were pertinent. Section 8(1)(f) allowed the Data Protection Commissioner to receive and investigate complaints concerning infringements of rights under the Act, while Section 56(1) permitted data subjects aggrieved by decisions under the Act to lodge complaints with the Commissioner. Section 4 delineated the application of the Act to the processing of personal data, and Section 25 outlined principles guiding such processing. Furthermore, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, under Regulation 13(1), necessitated investigations in response to complaints, and Regulation 14 empowered the Commissioner to make determinations based on investigation findings. Definitions provided include those for "Personal Data," "Data Controller," and "Data Processor." The case also looked into the jurisdiction and mandate of the Data Protection Commissioner, compliance requirements with data protection regulations, the rights of data subjects, including access to personal data and remedies against unauthorised processing, and the enforcement responsibilities of the Commissioner in overseeing the implementation and enforcement of the Data Protection Act.

Court's Analysis and Determination:

1.    Jurisdiction and Mandate:

The Court examined its authority and mandate to address issues related to bank account operations under the Data Protection Act, 2019. It considered the limitations of its jurisdiction to matters concerning personal data processing and storage, as outlined in the Act.

2.    Compliance with Data Protection Regulations:

The Court assessed the compliance of the Respondents, NCBA Group PLC and NCBA Bank Kenya PLC, with the requirements of the Data Protection Act, 2019. It reviewed the evidence presented regarding the handling of personal data and the rights of the data subjects.

3.    Rights of the Complainant:

The Court evaluated whether the Complainant, Fursa Moja Technologies Limited, was entitled to any remedy under the Data Protection Act, 2019. It considered the alleged violations of the Complainant's rights as data subjects and the actions taken by the Respondents in response to the complaint.

4.    Investigation and Findings:

The Court detailed the investigation process conducted by the Data Protection Commissioner in response to the complaint. It highlighted the evidence gathered, including account opening forms, mobile and online banking applications, and transaction data.

5.    Final Determination:

Based on the analysis of the jurisdiction, compliance, and rights involved, the Court made a final determination. The Court dismissed the complaint, stating that the Complainant was not entitled to any remedy under the Data Protection Act, as the Respondents had provided the requested account opening forms. Parties were informed of their right to appeal the determination to the High Court of Kenya.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.