DANIEL NDAMBUKI vs. AVENTUS TECHNOLOGY LIMITED
1. Introduction
This case involves a complaint by Daniel Ndambuki against Aventus Technology Limited alleging that through its customer support agents, the Respondent was calling him endlessly over someone else who borrowed a loan using their Lendplus loan application. This action is contrary to the Data Protection Act, 2019 provisions.
Table of Contents
2. Nature of Complaint
The Complainant alleged that the Respondent called him endlessly over someone else who borrowed a loan using their Lendplus loan application, could not disclose how they obtained his contact, and subjected him to harassing calls and verbal abuses.
3. Analysis of Evidence
Complainant’s Position
- Reported receiving harassing calls from multiple phone numbers regarding a loan he was unaware of
- Stated that all representatives said they were phoning from Lendplus
- Confirmed that he did not receive the alleged pop-up message and therefore did not consent to be added as an emergency contact
Respondent’s Defense
- Stated that the borrower gave out the Complainant’s phone number to be used as the contact person
- Alleged that the Complainant clicked “Accept” when he received a pop-up message to be the borrower’s contact person
- Provided call recordings where the Complainant acknowledged knowing the borrower
- Claimed that their Terms and Conditions require borrowers to provide a contact person who consents via a pop-up message
4. Issues for Determination
- Whether there was an infringement of the Complainant’s rights under the Act
- Whether the Respondent fulfilled its obligations under the Act
- Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations
5. Final Determination
The Data Commissioner found:
- The Complainant was not informed that he was onboarded as the borrower’s emergency contact.
- The Respondent did not prove that it had any basis for indirect collection of the Complainant’s personal data.
- The Respondent did not inform the Complainant of the fact, purpose, or third parties involved in data collection.
- The Respondent did not demonstrate that the Complainant consented to the processing of his personal data.
- The Respondent failed to discharge the burden of establishing the Complainant’s consent.
- The Respondent’s onboarding process exhibited deceptive design patterns that impaired the Complainant’s ability to make informed choices.
Orders:
- The Respondent is hereby found liable for infringement of the Complainant’s rights under the Act.
- Complainant to be paid damages of Ksh 250000.
- An Enforcement Notice is issued against the Respondent.
- Right of appeal to the High Court within 30 days.
6. Significance and Impact
Emergency Contact Onboarding Systems
- Establishes clear requirements for consent mechanisms in digital loan applications
- Prohibits the use of deceptive design patterns that impair users’ ability to make informed choices
Right to be Informed
- Reinforces the obligation to inform data subjects of the use of their personal data
- Data controllers cannot rely on third-party representations to establish consent
Broader Impact: This determination addresses the use of deceptive “dark patterns” to harvest personal data and harass emergency contacts for debt recovery. Financial technology companies cannot hide behind confusing consent mechanisms or claim ignorance of system design flaws. This ruling will force lenders to redesign their onboarding processes to ensure genuine, informed consent.

