BY SAM ALFAN.
SBM Bank has been slapped with a Sh450,000 fine for unlawful data processing and bombarding a man with emails despite repeated complaints.
Data Commissioner Immaculate Kassait ordered the lender to pay Kelvin Rono Sh450,000 for processing his data unlawfully.
The commissioner ordered SBM Bank to pay the money as compensation after the bank was found liable for processing his personal data unlawfully.
“This Office therefore awards Rono Sh450,000 as compensation for the infringement of the Complainant’s right to object under Section 26 (c) of the Act and the unlawful processing of the complainant’s personal data without any justification for over a year,” ruled Kassait.
Based on Regulation 14 (2) (e) of the Enforcement Regulations, the data commissioner directed to ensure that it collects personal details from its customers in an accurate manner to avoid such incidents.
Kassait said SBM Bank failed to uphold the Complainant’s right to objection by failing to correct the email address in their system despite numerous requests by the Complainant to address the same.
She said it took over one year for the lender to act and it only took the intervention of the Data Commissioner for the matter to be addressed.
“This Office further takes into consideration the fact that the Bank unlawfully processed Rono’s personal data and continued to send him emails despite his numerous requests to correct the error on their system,” said the Data commissioner.
She said from the investigations conducted, it is evident that SBM Bank did not capture their customer’s email address correctly at the time of onboarding and therefore, the allegation that it is the customer who provided Rono’s email is false.
Rono lodged a complaint alleging that he was receiving multiple emails from the lender with regards to PIN/Password/One-Time-Password (OTP) alerts, log in notifications, various alerts, account statements and promotional offers despite raising the issue with the Bank multiple times.
Rono alleged that since May 2023 up to the time of filing this complaint, he received 327 emails from the SBM Bank despite not being a customer or having any relations with the Bank.
The emails consisted of PIN/Password/One-Time Password (OTP) alerts, login notifications, transaction OTPs, Account to Mpesa transaction alerts, password reset alerts, account statements and promotion and offers.
He alleged that he made numerous calls to the Bank through their official customer care line instructing them to stop using his email as he does not bank with them.
Bank then subsequently raised several ticket numbers but they did not take any action. The Complainant attached a call log as proof of the same.
Rono also indicated that he wrote to the Bank five times on diverse dates in August 2023 instructing them to stop using his email address and no action was taken. He attached the emails sent to the Bank as proof of the same.
Bank responded that the email address provided by the customer was accurately captured by themselves and the purpose of the email was to facilitate quick and efficient communication between them and the customer.
The lender stated that it had no capacity to verify whether the email address belonged to a different person as it relied on data or information as provided by the customer.
The Bank indicated that the complainant was not a customer of the bank and therefore it cannot be in breach of its confidentiality or data privacy obligations as it cannot have divulged his personal data since the Bank has neither collected nor stored any of his personal data.
