SBM Bank fined Sh0.4m over spam emails to non-customer

In May 2023, Kevin Kiprotich Rono received an unsolicited email from SBM Bank Kenya. Since he was not a customer of the bank, he ignored the message.

However, the emails continued, and in one year, the bank sent him a total of 327 messages.

This means that the lender was emailing him almost every day.

The messages included PIN and password reminders, OTP alerts, login notifications, miscellaneous alerts, statements, and promotions.

He wrote to the bank asking them to stop sending him emails because he was not a customer of SBM.

When Mr. Rono thought he had had enough, he filed a complaint with the Office of the Data Protection Commissioner (ODPC), accusing the lender of bombarding him with unwarranted messages.

In a decision in June, Data Protection Commissioner Immaculate Kassait agreed with Mr Rono that the bank had unlawfully processed his data for a year and failed to respect his rights under Section 26(c) of the Data Protection Act and related regulations.

For the breach, Ms Kassait awarded Mr Rono Sh450,000 as damages for the violation of his right to object under Section 26(c) of the Act and the unlawful processing of his data for over a year without any justification.

“This office also takes into account the fact that the respondent (SBM Bank) illegally processed the complainant’s personal data and continued to send him emails despite his numerous requests to correct the error in their system,” Ms. Kassait added.

Section 26(c) provides that the data subject has the right to object to the processing of all or part of his personal data.

In his complaint filed on March 4, 2024, Mr. Rono accused the lender of violating his right to privacy.

Evidence before the Data Commissioner stated that he made numerous calls to the bank through the official customer service line, asking them to stop sending emails because he was not a customer.

When the emails continued, he wrote to the bank five times, but no action was taken.

Data entry

Mr. Rono said he had submitted several ticket numbers to the lender, but the messages had not stopped.

In its defense, the lender said the email address was provided by one of its clients with a similar name. The client allegedly opened the bank account on April 12, 2023.

SBM added that the email was captured accurately to facilitate quick and effective communication between it and the customer.

According to the lender, it was unable to verify that the email address belonged to someone else because it relied on information provided by the customer.

Since Mr. Rono is not a customer, the bank said it could not disclose his personal data to avoid being accused of violating its confidentiality or data protection obligations.

But in the decision, the data commissioner noted that contrary to the lender’s assertion, its client’s personal email account contained a double “O” while Mr Rono’s email account contained a single “O”.

“It was clear that the defendant (SBM Bank) did not properly register its customer’s email address at the time of registration and therefore the allegation that it was the customer who provided the complainant’s email is false,” Ms Kassait said.

The Commissioner added that the Bank, as a data processor, is obliged to comply with the rules on restricting the processing of personal data, objecting to the processing of personal data and correcting personal data within 14 days.

Ms Kassait said it was clear the bank had not taken any reasonable and prompt steps to restrict the processing of Mr Rono’s data when he questioned the accuracy of the email.

The commissioner added that the email address was personal and that Mr. Rono was entitled to ask the bank to stop using his email address to send emails that had nothing to do with him.

Ms Kassait added that it took more than a year for the lender to address the issue after the Data Commissioner intervened.

The bank was given 30 days from the date of the ruling to appeal.
