Log In
Join for free

Shillah TM & others vs Platinum Credit Limited

ODPC/COMP/0456/2023 & ODPC/COMP/0862/2023 & ODPC/COMP/0868/2023

1. Introduction

Parties:

  • Complainants: Shillah T.M.K, Michael Kangethe, Elijah Njoroge
  • Respondent: Platinum Credit Limited

Core Issue: Unlawful processing of personal data and infringement of data subjects’ right to object under Kenya’s Data Protection Act, 2019.

Table of Contents

2. Background of Complaint

Allegations against Platinum Credit:

  • Persistent unsolicited calls/messages despite objections (March-May 2023)
  • Failure to honor “cease and desist” requests from complainants
  • Unauthorized retention and use of complainants’ phone numbers
  • Continued harassment after in-person complaints at company offices

3. Key Violations Found

  1. Right to Object Violation:
    • Ignored multiple written objections (emails, letters, messages)
    • Continued processing after explicit withdrawal of consent
  2. Operational Failure:
    • Non-functional complaint resolution mechanisms
    • Policies existed on paper but weren’t implemented
  3. Regulatory Non-compliance:
    • Failed to substantively respond to ODPC inquiries
    • Incomplete implementation of Data Protection Act requirements

4. Respondent’s Defense

  • Claimed compliance with Data Protection Act
  • Highlighted existing data protection policies and frameworks
  • Mentioned staff training programs
  • Provided certificate of registration as data controller
  • Failed to address specific complaints about harassment

5. ODPC’s Determination

Legal Basis: Violations of Data Protection Act 2019:

  • Section 26(c): Right to object to data processing
  • Section 25: Data processing principles
  • Regulation 14: Failure to implement operational safeguards

6. Final Ruling

  1. Respondent found liable for data protection violations
  2. Enforcement notice issued against Platinum Credit Limited
  3. Mandated operationalization of existing data protection policies

7. Significance of the Case

This ruling establishes critical precedents in Kenyan data protection enforcement:

  • Practical Implementation: Emphasizes that data protection policies must be operational, not just documented
  • Right to Object: Strengthens enforcement of data subjects’ right to withdraw consent
  • Financial Sector Accountability: Sets clear expectations for lending institutions regarding marketing communications
  • Regulatory Authority: Demonstrates ODPC’s willingness to enforce compliance even against established financial institutions
  • Consumer Protection: Protects individuals from harassment by financial service providers

For full determination, click 🗃️

Tags:
I O

I O

Ian Olwana supports African organisations in turning data protection laws into practical, sustainable governance practices.

http://datagovernance.africa

Leave a Reply

Your email address will not be published. Required fields are marked *