
SBM Bank Kenya Fined Ksh 450K After Sending 327 Unsolicited Emails In Major Data Privacy Breach

SBM Bank Kenya has been fined Ksh 450,000 by the Office of the Data Protection Commissioner (ODPC) for violating the country’s data protection laws.

The fine followed a complaint filed by Kevin Kiprotich Rono, who had received 327 unsolicited emails from the bank over a span of 10 months, despite not being a customer of the institution.

The emails contained highly sensitive information such as passwords, One-Time Password (OTP) alerts, account statements, and promotional content.

This raised concerns over the misuse and mismanagement of personal data.

Rono, frustrated by the unsolicited messages, made multiple attempts to stop the emails by contacting SBM Bank’s customer service team.

However, his efforts to resolve the matter proved unsuccessful.

After months of being ignored, he eventually filed a formal complaint with the ODPC, Kenya’s regulatory body charged with overseeing compliance with data protection laws.

The ODPC launched an investigation into the matter and found that SBM Bank had violated Rono’s right to object to the processing of his personal data, a right enshrined in the Data Protection Act of 2019.

The bank explained that the issue arose due to an error in its system during the onboarding process.

According to SBM Bank, Rono’s email address was mistakenly linked to another customer with a similar name, leading to the flood of emails.

Although the bank acknowledged this error, the ODPC ruled that it had failed to act promptly in rectifying the situation.

Under the Data Protection Act, organizations are required to address such complaints within a 14-day period, a deadline that SBM Bank missed.

This delay in resolving the issue was considered a serious violation of the law.

The ODPC’s decision to fine SBM Bank underscores the growing importance of data protection laws in Kenya, especially in an increasingly digital age where the handling of personal data is crucial to maintaining public trust.

The ruling serves as a reminder that organizations must take the privacy rights of individuals seriously and implement robust systems to prevent the unlawful processing of personal data, even in cases of human error.

This case is also significant as it highlights the role of the ODPC in ensuring accountability among data controllers in Kenya.

The fine imposed on SBM Bank signals to other organizations, particularly in the financial sector, that compliance with data protection laws is mandatory, and failure to adhere to these regulations will result in penalties.

It sets a precedent for future cases and emphasizes the need for institutions to swiftly address data processing complaints to avoid legal consequences.
