Cases
Marlene Ngira Matunga Vs Whitepath Company Limited
Case Summary.
The complainant filed a complaint on 14 November 2024 against the Respondent for unlawful processing of her personal data.The Respondent repeatedly called and texted her using different phone number regarding her colleague who the Respondent alleged was one of its clients.The Respondent alleged the colleague had taken an online loan and provided the Complainant’s details as the guarantor, meaning that they would be responsible to pay if the Colleague defaulted. The Respondent disclosed that the colleague had defaulted in the payment of the loan and demanded that the Complainant should call the Colleague and urge them to settle the loan.The Complainant was not privy to the loan and no consent was sought before she was listed as a guarantor. The Respondent did not file a response to the complaint.
Issues of determination
- Whether there was a violation of the Complainants rights under the Act;
- Whether the Respondent fulfilled its obligations under the Act; and
- Whether the Complainant is entitled to the remedies under the Act and its attendant Regulations.
Determination
The Respondent violated the Complainants right to be informed about the purpose for which their personal data was collected and processed.The Respondent being a data controller failed in its duty to inform the Complainant about her rights under the Act and the intention to use her personal data for third party debt recovery allowing her to consent or deny such consent. The Respondent did not prove obtaining consent from the Complainant for the processing of their personal data, nor fulfill any lawful basis of processing, and did not that fulfil its obligations under the Act.The Complainant requested for compensation for breach of her privacy and the emotional and psychological harm, and the Office Ordered the Respondent to compensate her KES. 450,000/=. An enforcement notice was also issued against the Respondent to ensure compliance with the Act.
Analysis
This case highlights the need to ensure processing of personal data is as per section 30 of the Act by obtaining data subject consent prior to processing of personal data or relying on other lawful basis. It is a wake up call for digital lenders to ensure compliance to the Act by ensuring that data is collected and used in adherence to the Act. The Respondent should have put in place mechanisms to ensure that the consent of the guarantor is obtained before processing their personal data.