| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 3, 25, 26 of the Data Protection Act, 2019; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 4 August 2023 |
| Decided: | 2 November 2023 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Benjamin Muthengi vs. Absa Bank Kenya PLC |
| Case No.: | 1421 of 2023 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Absa Bank Kenya PLC (the “Respondent”) was found not to have violated the provisions of the Data Protection law when it rectified an error it made when capturing the Complainant’s mobile phone details, which resulted in a third party receiving his account transactional messages.
Be gaming Muthengi (the “Complainant”) operated a bank account with Absa Bank Kenya PLC (the “Complainant”), a financial institution.
He alleges that he failed to receive notifications consequent to various transactions that he performed from his account on his mobile phone as expected.
Upon inquiry as to the cause at one of the Respondent's branches realised that the Respondent had used a phone number belonging to someone else (one digit was wrong) against his profile in the Respondent’s database.
He filed a Change Request form with the Respondent on their request to correct the error.
Unfortunately the change was never effected, and once again, he followed up with the Respondent, this time through its call centre and with a follow-up on email. The Complainant confirms that he then started receiving transaction notifications.
However, the Respondent noted that following two successful loan applications, the notifications would stop and would only resume when he lodged a complaint - one qas regusterd at the Respondent’s Buruburu branch.
He later received a call from an unknown person who informed him that he was receiving the Complainant's transaction notifications.
Feeling despondent and distressed, the Complainant lodged a complaint with the ODPC.
The Respondent confirmed that an error had occurred when inputting the Complainant's details in its database which was now corrected with no loss of funds to the Complainant. The Respondent also averred rhat thr notifications sent do not disclose the account holders details and averred that it had reversed any transaction charges associated with the error and the issue was now satisfactorily resolved.
The ODPC found that indeed there was an error in processing the Complainant's personal data which resulted in his information being received by a third party. It however noted the technical safeguards employed in the transmission of the transactional messages which resulted in the personal data being conveyed being masked. The ODPC also found that the Respondent rectified the error above when alerted to it, by amending the offending details in its database and refunded any amounts charged erroneously to the Respondent.