SBM Bank Kenya has been ordered to pay KES 450,000 in compensation to a complainant for violating data privacy rights, following a ruling by the Office of the Data Protection Commissioner (ODPC). The bank was found to have unlawfully processed the personal data of Kevin Kiprotich Romo, sending unsolicited emails for over a year despite repeated requests to stop.
The ODPC issued its determination after an extensive investigation into a complaint filed by Romo, who claimed to have received 327 emails from SBM Bank Kenya between May 2023 and March 2024. These emails included password alerts, account notifications, and promotional offers, despite Romo having no relationship with the bank.
The complainant argued that the emails were a violation of his privacy rights under Article 31 of the Constitution of Kenya and the Data Protection Act, 2019. Romo reported the matter to the bank multiple times, requesting that his email be removed from its mailing lists. However, his requests were ignored, leading him to lodge a formal complaint with the ODPC in March 2024.
In its defense, SBM Bank Kenya stated that the emails were sent inadvertently due to an error during a customer onboarding process. According to the bank, a customer with a similar name to the complainant mistakenly provided Romo’s email address when opening an account in April 2023. “The customer admitted to providing the wrong email address, which led to the inadvertent use of the complainant’s email,” the bank explained in its response to the ODPC.
However, the ODPC found that SBM Bank’s explanation did not absolve it of responsibility. The regulator’s investigation revealed that the bank had not verified the accuracy of the email address provided by the customer. “The bank did not capture their customer’s email address correctly at the time of onboarding, and therefore, the allegation that it is the customer who provided the complainant’s email is false,” the ODPC stated in its determination.
The ODPC noted that SBM Bank Kenya failed to take reasonable steps to restrict the processing of Romo’s personal data, even after he disputed the accuracy of the data. The bank continued to send unsolicited emails to Romo for over a year, only stopping after the ODPC intervened.
Under the Data Protection Act, 2019, data controllers and data processors, a category that includes banks, are required to ensure that personal data is processed lawfully and accurately and in a manner that protects the rights of data subjects. The Act gives data subjects the right to object to the processing of their personal data and requires data handlers to comply with such requests within 14 days.
“The bank’s failure to act within the stipulated period constituted a breach of its obligations under the Act,” the ODPC ruled. The regulator further highlighted that the data controller did not demonstrate any legitimate interest in continuing to process Romo’s data, as required under Section 36 of the Act, which allows data processing only when there is a compelling legitimate interest that overrides the rights of the data subject.