JEREMIAH OKELLO vs. ZEROX TECHNOLOGY LIMITED
1. Introduction
The case is in respect to the complainant, Jeremiah Okello against ZeroX Technology Limited and its product Asapkash, on the incessant calls made to him for a loan that he was not a party to. This action is against the Data Protection Act, 2019 provisions.
Table of Contents
2. Nature of Complaint
The complainant was listed as an emergency contact by a borrower without his consent. The complainant alleged that the respondent called him over 83 times within a span of 20 minutes for a loan that he was not a party to, thereby violating his right to privacy.
3. Analysis of Evidence
Complainant’s Position
- Provided screenshots of several numbers that he alleged belonged to agents of the Respondent
- Stated that the Respondent called him over 83 times within a span of 20 minutes
- Confirmed he was not a party to the loan and did not consent to be listed as an emergency contact
Respondent’s Defense
- Initially denied that the Complainant was their customer or that they had reached out to him
- Denied that the numbers captured on the screenshots belonged to them
- Later confirmed that the Complainant was indeed listed as an emergency contact to a borrower
- Alleged that the Complainant provided his consent through a one-time password (OTP) verification process
- Stated that the borrower had not removed the Complainant as his emergency contact, therefore consent was still valid
4. Issues for Determination
- Whether there was an infringement of the Complainant’s rights under the Act
- Whether the Respondent fulfilled its obligations under the Act
- Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations
5. Final Determination
The Data Commissioner found:
- The Complainant was not informed that his number was listed as an emergency contact by a borrower.
- The Respondent did not prove that it had any basis for indirect collection of the Complainant’s personal data.
- The Respondent did not notify the Complainant that his number was collected or inform him of his rights.
- The Respondent failed to establish that they had consent to process the Complainant’s personal data.
- The Respondent provided false information to this Office in their initial response, which was later contradicted by site investigations.
Orders:
- Compensation of Ksh 300,000 to the Complainant.
- An Enforcement Notice is issued against the Respondent.
- Right of appeal to the High Court within 30 days.
6. Significance and Impact
Emergency Contact Onboarding and Consent
- Establishes that data controllers must obtain direct consent from emergency contacts before processing their personal data
- Prohibits reliance on third-party representations of consent without verification
Duty to Notify and Burden of Proof
- Reinforces the obligation to notify data subjects when collecting personal data indirectly
- Confirms that the burden of proving consent lies with the data controller
Broader Impact: This determination addresses a systemic problem in Kenya’s digital lending sector, where borrowers list emergency contacts without their knowledge and lenders harass these individuals for debt recovery. It establishes that digital lenders cannot rely on unverified representations of consent and must implement robust verification mechanisms.

