The Office of the Data Protection Commissioner (ODPC) has fined NCBA Bank Kenya PLC hundreds of thousands of Kenyan shillings following Dr Bernard Shiaunda Aete’s complaint that the bank was sending false and misleading loan statement information to a third party (his ex-wife) despite his repeated requests to remove her as an alternate contact.

The ODPC concluded that NCBA had broken the Data Protection Act by continuing to notify the ex-wife for eight months following his formal request for removal on April 4, 2023, violating his right to erasure and his right to object to data processing.

The Commissioner mandated that NCBA pay KES 700,000 in compensation, which was divided into KES 200,000 for processing personal data unlawfully, KES 250,000 for violating the right to object, and KES 250,000 for violating the right to erasure.

ODPC rejected the bank’s defence 

NCBA asserted that the ongoing notifications were caused by a technical glitch in its system's sync job between the NQUEST and T24 platforms, which was ultimately fixed on January 16, 2024. The Commissioner rejected this defence and directed the bank to make sure that any future information sent to the complainant regarding bank balances is accurate and current.

Recent enforcement proceedings against organisations for unauthorised use of personal data, including photos of kids without parental agreement, showcase the Office of the Data Protection Commissioner’s (ODPC) dedication to protecting data privacy rights.

Financial institutions must understand that proactive steps are necessary to guarantee compliance with the Data Protection Act; attributing an unlawful disclosure to a technical mistake is not enough on its own.

About the Office of the Data Protection Commissioner 

Under the 2019 Data Protection Act, the Office of the Data Protection Commissioner was created as a data regulatory office.

To preserve individuals’ privacy, the duty of the office is to regulate the processing of personal data and give data subjects the rights and remedies to prevent the processing of their personal data that does not comply with the Act.