ODPC COMPLAINT NO. 0027 OF 2024
ODPC COMPLAINT NO. 0027 OF 2024
JANE NJAMBI vs. CREDITWATCH INVESTMENT LIMITED

1. Introduction

The case is in respect to the complainant, Jane Njambi against Creditwatch Investment Limited and its product Cloudloan, on the endless calls made to her regarding a loan she had no knowledge of and asking her to contact a borrower whom she did not know. This action is against the Data Protection Act, 2019 provisions.

2. Nature of Complaint

The complainant was listed as an emergency contact without her consent. The complainant alleged that the respondent called her endlessly regarding a loan she had no knowledge of, asked her to contact a borrower whom she did not know, and continued contacting her even after she objected.

3. Analysis of Evidence

Complainant’s Position
  • Provided a video recording of a conversation with one of the agents who contacted her
  • In the recording, the agent explained that the Respondent got her number from the borrower and assumed the borrower had informed her
  • Stated she had been receiving calls in diverse dates in December 2023 up until the date of the complaint
Respondent’s Defense
  • Stated that Cloudloan is an online platform that issues loans to clients
  • Claimed that prior to issuance of loans, it assigns the debtor to be a data processor in order to collect the information of an emergency contact
  • Averred that the debtor is the data processor, processing the Complainant’s information on its behalf as the data controller
  • Indicated that when they were unable to reach the debtor, they contacted the emergency contact provided
  • Admitted that multiple staff contacted the Complainant due to lack of integration in their debt collection system

4. Issues for Determination

  1. Whether there was an infringement of the Complainant’s rights under the Act
  2. Whether the Respondent fulfilled its obligations under the Act
  3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations

5. Final Determination

The Data Commissioner found:

  1. The Complainant was not informed that her number was listed as an emergency contact by a borrower.
  2. The Respondent’s argument that it assigns the debtor to be a data processor is incorrect and does not comply with the Act.
  3. Clause 5 of the Respondent’s Terms and Conditions attempting to assign data processor status to borrowers is unlawful.
  4. The Respondent did not prove that it had any basis for indirect collection of the Complainant’s personal data.
  5. The Respondent is a repeat offender and has not adhered to measures directed in previous Enforcement Notices.

Orders:

  • Compensation of Ksh 500,000 to the Complainant.
  • The Respondent is directed to amend Clause 5 of its Terms and Conditions.
  • An Enforcement Notice is issued against the Respondent.
  • Right of appeal to the High Court within 30 days.

6. Significance and Impact

Debtor as Data Processor Misclassification
  • Clarifies that borrowers cannot be classified as data processors under the Act
  • Establishes that data controllers cannot delegate their obligations to borrowers
Repeat Offender Consequences
  • Demonstrates that repeated violations attract higher compensation and stricter enforcement
  • Establishes that non-compliance with previous Enforcement Notices will be taken into account

Broader Impact: This determination addresses a systemic problem in Kenya’s digital lending sector, where lenders attempt to evade data protection obligations by misclassifying borrowers as data processors. It establishes that data controllers cannot delegate their responsibilities and must directly obtain consent from emergency contacts.

Leave a Reply

Your email address will not be published. Required fields are marked *