The Office of the Data Protection Commissioner (ODPC) has fined medium-sized lender SBM Bank Kenya, the local subsidiary of Mauritius-based lender State Bank of Mauritius (SBM) Holdings, KSh. 450,000 for violating the law in a case where the bank sent spam messages over the course of ten months to a non-customer.
- Kevin K. Rono filed a complaint with the office after receiving 327 emails in 10 months from the lender despite not being a customer or having any relations with the bank.
- The emails consisted of PIN/Password/One-Time Password (OTP) alerts, login notifications, transaction OTPs, Account to Mpesa transaction alerts, password reset alerts, account statements and promotion and offers.
- In his complaint, Rono said that his efforts to stop the lender from sending the spam emails through calls to its customer service desk did not resolve the issue.
In its defense, SBM Bank said that Rono’s email was provided by one of their customers with a similar name. It was recorded during the onboarding of the similarly named Rono, who opened a bank account on 12th April 2023, weeks before the spam messages began.
“The Complainant (Rono) was not a customer of the bank and therefore it cannot be in breach of its confidentiality or data privacy obligations as it cannot have divulged his personal data since the Bank has neither collected nor stored any of his personal data,” SBM stated in a response to the complaint.
In May, the ODPC ruled that SBM Bank, as a data controller, violated Rono’s rights by unlawfully processing his personal data for over a year.
“This Office therefore awards the Complainant KSh 450,000 as compensation for the infringement of the Complainant’s right to object under Section 26 (c) of the Act and the unlawful processing of the complainant’s personal,” the ODPC said in its ruling.