A digital lender, Azura Credit Limited, has been ordered to pay Sh250,000 to a man it harassed over a loan he purportedly guaranteed on behalf of a borrower.
A loan guarantor is a third party who agrees to pay a loan if the borrower defaults.
In a new ruling, the Office of the Data Protection Commissioner (ODPC) said that Azura violated Maxwel Okoth’s rights by incessantly calling him to repay a loan he had not taken or known about.
Investigations by the ODPC established that the digital lender had collected Mr Okoth’s phone number from a third party who had borrowed money from it, and listed the complainant as a referee or emergency contact.
However, Azura, which insisted that Mr Okoth was its borrower, did not notify him at the time of collecting of his data, nor did it inform him why this was necessary. The digital lender also ignored his repeated requests to stop calling him.
“The respondent (Azura), by not informing the complainant of the use to which his personal data was to be put, at the point of collection of the personal data, violated his right to be informed,” said Data Commissioner Immaculate Kassait.
But although Azura insisted that Mr Okoth had personally taken a loan from it and defaulted, the company did not provide any evidence.
Attempts by the ODPC to verify the claims against Mr Okoth in the Azura ICT database were unsuccessful. The ODPC and Azura agreed on a date to check the database, but on the day of the visit, Azura claimed that the staff responsible for the database was absent.
“This act amounts to obstruction of the Data Commissioner contrary to Section 61 of the Act,” Ms Kassait said.
As such, in addition to the penalty to be paid to the victim of the breach, the ODPC said it had also recommended that Azura’s directors be prosecuted for contravening the law.
Data privacy violations of this nature were rampant about two years ago before the Central Bank of Kenya (CBK) stepped in to rein in the digital credit providers (DCPs), who were incessantly calling the contacts of defaulters who had nothing to do with the loans.
As part of the licensing requirements, the CBK requires the DCPs to provide, among other things, their data protection policies and procedures, and a consumer redress mechanism.
The CBK has so far licensed 58 digital lenders, including Azura, which was granted a licence in March this year.
