Zerox Technology Limited has been ordered by Kenya’s Office of the Data Protection Commissioner (ODPC) to pay KES 500,000 in compensation to Sandra Bonareri Ongaki after it was found to have violated her data privacy rights.
The company persistently contacted her over a loan default she was not responsible for, in breach of the Data Protection Act, 2019. This marks the latest case in Kenya’s regulatory push to enforce data protection laws as digital lending services grow in popularity.
The dispute centers on Zerox Technology’s mobile loan product, Asapkash. According to a complaint lodged with the ODPC in March 2024, Ongaki was repeatedly contacted by the company’s agents regarding a relative’s unpaid mobile loan. Despite informing them she was not a party to the loan, Ongaki continued to receive calls from different numbers, leading her to block several of them.
The calls, allegedly aimed at pressuring her to mediate with the borrower, led Ongaki to escalate the matter to Kenya’s data protection authority, citing a violation of her privacy rights under Article 31 of the Constitution of Kenya. Ongaki’s case was built around claims that she had not consented to the use of her personal details in this manner.
Zerox Technology, in its defense, maintained that Ongaki had been listed as an emergency contact by the loanee. The company argued that it had sent a one-time password (OTP) to Ongaki for her to accept or reject the designation as an emergency contact. However, the ODPC’s investigation found no evidence to support this claim. Zerox’s failure to prove that Ongaki had received or approved the OTP raised serious questions about the company’s data handling practices.
“The Complainant had the right to be informed of the use to which her personal data was to be put,” the ODPC stated in its ruling. “The Respondent failed to inform the Complainant that her number was listed as an emergency contact.” The Commissioner noted that Ongaki had exercised her right to object to the processing of her personal data, but the company had continued to contact her, breaching Section 26(c) of the Data Protection Act.
The ODPC also criticized Zerox for failing to demonstrate that it had fulfilled its legal obligations as a data controller. Under Section 28 of the Data Protection Act, a data controller is required to collect personal data directly from the subject unless the subject has given consent for indirect collection. The regulator found that Zerox did not have the required consent from Ongaki, a failure compounded by the company’s inability to produce evidence of the alleged OTP sent to her.
“There was no proof that the Complainant was duly informed that her phone number was listed as an emergency contact,” the ruling added. This failure to establish a lawful basis for the data processing was a key factor in the Commissioner’s decision to impose the financial penalty on Zerox Technology.
This case is one in a growing number of complaints filed against digital lenders in Kenya, which have been accused of aggressive debt collection tactics, including contacting individuals who have no direct connection to the loans in question. The ODPC has been increasingly active in regulating these practices since the enactment of the Data Protection Act, 2019, which aimed to give individuals greater control over their personal data.
Despite being notified of the complaint by the ODPC in March 2024, Zerox made no meaningful effort to resolve the matter with Ongaki, according to the investigation. The company’s actions were seen as particularly problematic given previous enforcement notices issued against it for similar privacy breaches.
In a statement, the Data Commissioner highlighted the importance of businesses in the digital finance space adhering to the law: “The rights of data subjects, as outlined in the Data Protection Act, must be respected. Companies operating in Kenya must ensure that personal data is processed lawfully and transparently.”
Zerox Technology was also directed to comply with earlier enforcement notices related to other privacy violations. The company has 30 days to implement measures, including the encryption of emergency contact details to prevent unauthorized use of personal information in debt collection processes.
Zerox Technology has the right to appeal the ruling within 30 days.