My Journey lodging a data protection complaint with the ODPC
Last year, on December 28th, I received a text message from a digital lender that took me down an illuminating data protection journey. The text message read:
“DEAR GUARANTOR inform Bernard XXXX of 0722 XXX XX1 to clear his loan Kshs 30,XXX.2 (COMPANY NAME). The said person has become extremely non-cooperative. This might affect your credit score incase if they don’t pay, kindly tell your friend to be a responsible borrower.”
I immediately recognised Bernard XXXX (name has been changed in this article to conceal his true identity). He is a former colleague I worked with at a previous company, whom I haven’t seen or heard from for 7 years. However, I had never even heard of the digital lender in question. I was shocked to be called a ‘Guarantor’ as I had never guaranteed him a loan. I was also angered when I realised the company was trying to coerce me into becoming a de facto debt collector. So I decided not to play their game and call Bernard. Instead, I reached out to a former colleague who still worked at the company in a leadership position and who might know something about the matter. He informed me that he too had received the same message and he knew of others who had received similar messages. However, there was nothing much he could do for me.
Concerned by the company’s tactics, I lodged a complaint with the Office of the Data Protection Commissioner (ODPC), attaching a screenshot of the message. I found it particularly surprising that this digital lending company was operating in a manner that could potentially lead to the cancellation of its operating licence. My greatest fear was that the company would deny sending me the message, but it turns out they were even more oblivious than I anticipated. I received an acknowledgement of my email four working days later from the ODPC. This delay was understandable, considering it was January and their holiday break was likely ending that week. They also sent me frequent reminders to assure me that they were dealing with my complaint.
On January 25th, I received an email from them requesting my consent to consolidate my complaint with others of a similar nature, as the respondent and the matter were alike. It seems that I was not the only complainant. I granted my consent. Subsequently, the ODPC informed me via email that they had forwarded my complaint to the company and provided them with a 14-day deadline to respond to the allegations.
Someone from the company then reached out to me on 28th January 2024, with the following message:
Hope this email finds you well.
We are in receipt of your complaint about violation of your information involving a loanee by the name of Ruth Wanjiru.
Kindly respond to this email to assist us look into the matter.
Thank you for your time and feedback.
Now, what are the chances that they got the loanee wrong and that I knew the Ruth Wanjiru they were referring to (names changed to maintain anonymity) from another context? Note that the company cleverly avoided making any direct reference to the matter in question. In response, I queried the company about why I was labelled as a guarantor when I had never guaranteed any debt for the individual in question. I also demanded an explanation for the threat of a lowered credit score and questioned the source of my contact information. I requested evidence demonstrating any connection between myself and the individual in question, as well as a written apology.
Furthermore, I sought written confirmation from the company stating that I had never guaranteed the loan for Bernard, along with evidence that my credit score was not affected by his loans. Finally, I requested a record of any personal information the company had collected about me, and I demanded written assurance of the deletion of all my personal data from their databases, supported by evidence.
The long and short of it is that the company responded with an email containing an apology and a screenshot from their company database, indicating that my number and name were not listed. They assured me that they had no means of affecting my credit score and made various promises. However, they failed to address the crucial question: how did they obtain my contact information?
At that moment, I realised that I would likely never receive answers to these lingering questions. Unfortunately, my decision to abandon the matter and not pursue it further turned out to be a significant mistake. Not because I expected financial compensation, but because I aimed to halt this company, and any others, from employing unethical debt collection methods.
When I got the final ruling from the ODPC on the matter, I realised the enormity of my impatience. What I hadn’t realised was that the ODPC had also conducted a site visit to the digital lender’s offices. The findings revealed that the company was wholly non-compliant with the Data Protection Act. They were unable to provide staff who understood anything about the company’s database and its proper operation. It’s worth noting that the ODPC had sent them a letter outlining the details of the site visit and what was required of them. Consequently, the company was deemed non-cooperative and obstructive to the ODPC’s efforts to fulfil its duties.
Regrettably, my decision to amicably settle the matter with the company hindered further action by the ODPC. While I was given the right to appeal to the High Court within 30 days, I have decided not to pursue this course of action.
I’m sharing my experience to remind you, dear reader, not to give up too easily in your pursuit of justice. It’s vital to know your rights and to seek help from the ODPC if need be and, more importantly, not to settle things too quickly. The Data Protection Act 2019 is not something to be taken lightly. Take the time to familiarise yourself with it and understand how your information should be handled, so you can effectively protect your rights.
An email on the complaints portal to the Digital Lenders Association of Kenya regarding the same matter has gone unanswered to date.