DEBT RECOVERY -vis-à-vis- DATA PROTECTION Part 1B
March 20, 2025

Author
Joy Ruguru Kabuchoru
With the rapid growth of the digital lending sphere and the change in regulations governing financial facilities, access to financing has been transformed. The growth of technology is a major contributor to this: individuals can access finances regardless of their financial capability because, with a smartphone, they can borrow money at any time. However, this has come with its own challenges, one of which is debt collection by the digital lending companies. The striking issues are consumer protection as well as data protection. In this series, we will focus on data protection.
The aggressive and unscrupulous debt collection methods used by the digital lending companies have come under fire. These methods have resulted in violations of Article 28 as well as Article 31 of the 2010 Kenyan Constitution. The Office of Data Protection receives numerous complaints on the breach of data privacy, as in the recent case study below:
On the 23rd day of April 2023, the Office of Data Protection received complaints from data subjects on breach of their data privacy by Whitepath Company Limited (a digital lending application). In this case, the digital lending company is the data processor or the data controller. The Complainants alleged that they have been receiving incessant messages from the company demanding payment from them as guarantors of loans which they know nothing of, as they were not contracted to be guarantors of the same.
The striking issues are:-
- whether being listed as an emergency contact to the borrower without opting out automatically makes one a guarantor; and
- whether by virtue of the borrower accepting the privacy policy, being the data subject, acknowledges that they have read and understood the privacy policy and accept all of the terms, particularly consenting to the borrower collecting, using, storing, transferring, or otherwise processing their personal information.
Section 30 of the Data Protection Act, 2019 expressly states two instances where the data processor or the data controller can process personal data. These instances are:-
- with the consent of the data subject for a specified purpose; and
- in relation to the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract.
Noting keenly, the second instance places the burden of proof on the data controller or the data processor. The third party has to show that the data subject had indeed expressly consented to the same as envisaged under Section 2 of the Data Protection Act, 2019.
In conclusion, as per the Data Protection Act, 2019, it is evident that the lending company was processing the data subjects' personal data without their consent. The data controller or the data processor failed to prove that the data subject had indeed expressly consented to the processing of their personal data by the data controller or data processor. As such, the data processor and/or the data subject was held liable for the breach of the personal data.
Thus, if you find yourself in such a predicament and wish to pursue a legal claim, look no further: you are in the right hands. Just contact us.

