The Office of the Data Protection Commissioner (ODPC) has ruled against NCBA Bank Kenya PLC in a case where Dr. Bernard Shiaunda Aete complained about the bank sending false and misleading loan statement information to a third party (his former wife) despite multiple requests to remove her as an alternate contact.
The ODPC found that NCBA violated the Data Protection Act by continuing to send notifications to the former wife for eight months after the complainant’s formal request for removal on April 4, 2023, infringing on his right to object to data processing and right of erasure.
The Commissioner ordered NCBA to pay KES 700,000 in compensation, broken down as KES 200,000 for unlawful processing of personal data, KES 250,000 for infringing the right to object, and KES 250,000 for infringing the right to erasure. NCBA claimed the continued notifications were due to a technical error in its system's sync job between the NQUEST and T24 platforms, which was finally corrected on January 16, 2024. The Commissioner rejected the bank's defense and ordered it to ensure that future information sent to the complainant regarding bank balances is accurate and up-to-date.
The Office of the Data Protection Commissioner (ODPC) has demonstrated its commitment to upholding data privacy rights, as evidenced by recent enforcement actions against organizations for unauthorized use of personal data, including images of minors without parental consent.
Financial institutions must recognize that technical errors are insufficient defenses against data breaches; proactive measures are essential to ensure compliance with the Data Protection Act.