Microlender fined Sh3m for data breach

Data Protection Commissioner Immaculate Kassait at a past event on March 29, 2023. PHOTO | WACHIRA MWANGI | NMG

A digital credit provider has been slapped with a Sh2.97 million fine for violating data protection regulations and using information obtained from third parties to send threatening messages and phone calls to complainants.

The Office of Data Protection Commissioner (ODPC) said the lender- Mulla Pride Ltd, a digital credit provider that operates KeCredit and Faircash, used names and contacts obtained from third parties, and subsequently sent threatening messages and phone calls. 

The Data Commissioner said the Sh2.97 million fine will ensure that the micro-lender only deals with data of subjects who have consented to their data being collected.

“The penalty will ensure that digital lenders and financial institutions notify data subjects when collecting their data and the intention of processing the said data,” a statement from ODPC said.

The ODPC also fined Roma School, a school based in Uthiru Sh4.5 million for posting minors’ pictures without consent from their parents.

“This being the first and the highest penalty to an educational facility sends a message to schools and other facilities handling minors’ personal data to obtain consent from parents or guardians prior to processing minors’ data,” the statement added.

Also fined by the data commissioner is Casa Vera Lounge, a restaurant on Ngong Road in Nairobi which will pay Sh1.85 million for posting a reveller’s image on its social media pages, without consent.

The Data Protection Act came into effect on November 25, 2019 and provides laws that govern the collection, processing, and storage of personal data both by the government and private sectors.

A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.

They are liable, on conviction, to a maximum fine of Sh20,000 or to a term of imprisonment of up to six months, or to both fine and imprisonment according to the Data Protection Act.

Further, in relation to an infringement of a provision of the Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to Sh5 million, or in the case of an undertaking, up to one percent of its annual turnover of the preceding financial year, whichever is lower.

The ODPC further said in the statement that it had conducted a compliance audit on WhitePath- a digital credit provider and an inspection at Naivas Supermarkets over allegations of data breach.

The ODPC fined Whitepath Sh5 million after ODPC received complaints over accusations their applications accessed mobile phone contacts and sent unwarranted and unsolicited text messages to the contacts. 

→[email protected]