The Office of the Data Protection Commissioner (ODPC) has ordered microfinance company Platinum Credit Limited to pay Ksh400,000 to a Kenyan citizen for unlawfully processing his personal data and subjecting him to persistent unsolicited marketing.
According to court documents seen by The Kenya Times, the dispute traces back to November 27, 2024, when Samuel Kamau Waweru filed a complaint accusing Platinum Credit and its sales agents of repeatedly contacting him with marketing calls and promotional text messages for loan products without his consent or authorization.
Waweru argued that he never shared his personal information with the lender and had expressly objected to the communications.
ODPC investigation reveals false information provided
During the ODPC’s investigation, Platinum Credit initially denied responsibility, claiming the individual who had contacted the complainant was not their agent. However, the Data Commissioner’s office established that the caller was indeed acting on behalf of the company.
In its determination, the ODPC found that Platinum Credit had violated the Data Protection Act, 2019, specifically the fundamental principles of data processing outlined in Section 25, as well as the constitutional right to privacy under Article 31(c) and (d) of the Kenyan Constitution.
The Commissioner further noted that the company furnished false or misleading information during the investigation—an offence under Section 57(3) as read with Section 73 of the Act.
In its final determination, the ODPC imposed a series of heavy penalties on Platinum Credit. The regulator found the company liable for unlawfully processing the complainant’s personal data and ordered it to pay Ksh400,000 in compensation.
It also issued an Enforcement Notice directing the lender to comply with the Data Protection Act and immediately cease all unlawful data processing activities.
Additionally, the ODPC recommended the prosecution of the company’s directors for knowingly providing false or misleading information during the investigation. Both parties were also informed of their right to appeal the decision to the High Court within 30 days.
NCBA Bank found guilty
Earlier this year, the ODPC ordered NCBA Bank to pay Ksh250,000 over a data privacy breach involving the mishandling of a customer’s email address.
The fine was imposed after a report on a data privacy breach, which resulted in repeated disclosure of confidential business information to an unintended recipient.
This followed a complaint lodged on October 22, 2024, by a business owner whose efforts to have NCBA update his email address to the correct one were “repeatedly ignored”.
The ODPC found the lender guilty of failing to rectify the complainant’s personal data despite having adequate time and opportunity to do so.
The regulator noted that this negligence amounted to a violation of the Data Protection Act, citing the bank’s continued sharing of personal and business information with an unintended third party as a serious breach of privacy.