ELIJAH MOKUA vs. ASA INTERNATIONAL KENYA LIMITED, BIDII CREDIT LIMITED, OYA MICRO-CREDIT COMPANY LTD

ODPC COMPLAINT NO. 1926 OF 2023
ODPC COMPLAINT NO. 1926 OF 2023
ELIJAH MOKUA vs. ASA INTERNATIONAL KENYA LIMITED, BIDII CREDIT LIMITED, OYA MICRO-CREDIT COMPANY LTD

1. Introduction

Elijah Mokua alleges that ASA International Kenya Limited, Bidii Credit Limited, and Oya Micro-Credit Company Ltd continuously contacted him to repay a loan taken by his wife despite him not being her guarantor, violating the Data Protection Act, 2019.

2. Nature of Complaint

The Complainant alleged that the Respondents incessantly called and sent him messages using different numbers demanding repayment of loans taken by his wife despite him not being a guarantor, thereby violating his right to privacy under Article 31 of the Constitution and the Data Protection Act, 2019.

3. Analysis of Evidence

Complainant’s Position
  • Filed his complaint via email and provided additional evidence in support
  • Stated that he was not a guarantor to the loans taken by his wife
Respondents’ Defense
  • 1st Respondent (ASA International Kenya Ltd): Stated that two employees contacted the Complainant while pursuing a loan taken by his wife that was in default. The Complainant visited its Rongai Branch on 28th September 2023 and voluntarily agreed to settle his wife’s loan. He subsequently failed to pay as agreed.
  • 2nd Respondent (Bidii Credit Ltd): Stated that its employee reached out to the Complainant after the Complainant’s wife had given them his number as a way of contacting her.
  • 3rd Respondent (Oya Micro-Credit Company Ltd): Stated that the Complainant’s wife defaulted on the fifth week of repayment. Upon visiting the business premises, they found the Complainant who introduced himself as Josephine’s husband. He acknowledged the loan, committed to repay it, and made a payment of Kshs. 2,000 via M-Pesa using his Safaricom line.

4. Issues for Determination

  1. Whether the Complainant’s personal information/data was lawfully processed

5. Final Determination

The Data Commissioner found:

  1. The Respondents were processing the Complainant’s personal data within the meaning of Section 2 of the Act.
  2. The Complainant was not a party to the loan agreements between his wife and the Respondents. The Respondents were acting ultra vires of the loan agreements by processing the Complainant’s personal data.
  3. The lawful bases for processing under Section 30(1) of the Act were not established. The Complainant did not consent to the processing, and none of the exceptions under Section 30(1)(b) applied.
  4. The allegations that the Complainant voluntarily agreed to be contacted remained unsubstantiated.
  5. Data protection rights are individualistic and apply to individual persons, not a union by cohabitation or marriage. The fact that the Complainant is the spouse of the loan defaulter does not create a lawful basis for processing his personal data.

Orders:

  • The Respondents are hereby found liable for unlawfully processing the Complainant’s personal data.
  • Enforcement Notices be and are hereby issued against all the Respondents.
  • Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days.

6. Significance and Impact

Individualistic Nature of Data Protection Rights
  • Clarifies that data protection rights are individualistic and do not extend to spouses, family members, or other associates by virtue of marriage or cohabitation
  • Establishes that being a spouse to a data subject does not constitute a lawful basis for processing personal data
Debt Collection and Data Protection
  • Reinforces that debt collectors cannot contact third parties (including spouses) who are not parties to the loan agreement
  • Establishes that common or logical sense does not override legal requirements for lawful processing
Burden of Proof on Data Controllers
  • Confirms that data controllers must establish a lawful basis under Section 30(1) for processing personal data
  • Unsubstantiated claims of voluntary consent will not satisfy the burden of proof
Processing Personal Data of Non-Parties
  • Holds that processing the personal data of individuals who are not parties to a contract is unlawful
  • Reinforces the principle that processing must be limited to data subjects who have a direct relationship with the data controller

Broader Impact: This determination warns financial institutions and debt collectors that they cannot contact spouses or third parties who are not parties to loan agreements. Data protection rights are individualistic and processing must have a clear lawful basis under Section 30(1). Unsubstantiated claims of voluntary consent will not satisfy the burden of proof.

Leave a Reply

Your email address will not be published. Required fields are marked *