Forty Digital Credit Providers (DCPs) are facing sanctions over complaints of the breach of their customers’ personal data.

This comes after the Office of the Data Protection Commission (ODPC) issued a statement on Wednesday notifying the public that it is conducting a preliminary assessment and audit on DCPs over the same.

“The Office of the Data Protection Commission (ODPC) wishes to notify the public that it is conducting preliminary documentary assessment and audit on 40 Digital Credit Providers (DCPs) whose practices regarding the processing of personal data has been raised to the Data Commissioner as complaints by various members of the public,” the statement read.

According to ODCP, they have received 299 complaints related to the digital lenders, which represent 54 per cent of the 555 cases the office admitted out of the 1030 complaints raised.

“As of 30 September 2022, ODPC had received 1,030 complaints, the office admitted 555 of these cases including 299 which were on Digital Lenders, representing 54 per cent of all cases admitted,” the ODPC said.

“The Data Protection (Complaints Handling and Enforcement Procedures) regulations, 2021 took effect on February 2022 paving way for data subjects to file complaints and report data breaches to the Data Commissioner.”

During the audit process, the aforementioned DCPS will be required to provide this Office with requisite documents by October 18, 2022 failure to which they will be deemed to have failed to cooperate with the Office which is an offence under Section 61 of the Act.

ODPC has also issued an enforcement notice against Aga Khan University Hospital following a breach of Kenya's Data Protection Laws.

According to the statement a complaint a patient lodged a complaint to the Data Commissioner that after visiting the Hospital and a staff later inappropriately contacted the complainant contrary to Sections 25, 41 and 46 of the Data Protection Act, 2019.

In exercise of the Powers of the ODPC, the Data Commissioner directed the Hospital to outline specific measures it will take to mitigate or eliminate the breach/ contravention and to rectify and/or put in place structures within which the measures shall be implemented within 30 days.

ODPC also cautioned that the breach of personal data attracts a hefty fine, jail time or both should one be found culpable.

“Pursuant to Section 58(3) of the Data Protection Act, 2019, any person who, without reasonable excuse, fails to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both,” 

Data Commissioner Immaculate Kassait MBS reiterated ODPC's commitment to protect personal data and enforce compliance in the event of a breach of the laws.

"This is just one among many other complaints being investigated by the office. We want to assure the public that the complaints received will be investigated and concluded accordingly. All aggrieved members of the public are encouraged to continue sending their complaints via https://www.odpc.go.ke/file-a-complaint/,” she said.

Below are the names of the digital credit providers facing sanctions:

1. APESA/Zerox Technology Company Ltd

2. ASAPKASH/Joyot Technology limited

3. BRANCH

4. CASH

5. CASH SEA

6. COLLECTPLUS

7. COOPESA

8. CREDIT KES

9. CREDIT MOJA

10. Deltech Capital Limited/Mykes loan

11. DIRECT CASH

12. FAIRKASH

13. Flashpesa

14. Flexi Cash

15. Hela Credit

16. Hikash

17. IKASH Connect

18. INSTARCASH

19. IPESA

20. KASH LOAN

21. KASHBEAN

22. KASHPLUS

23. KASHWAY

24. KESLOAN

25. LEMON KASH

26. LIONCASH/GROLA TECH LTD

27. M-CREDIT

28. METALOAN

29. MOKASH

30. PAPCASH

31. POCKET CASH

32. PREMIER CREDIT LTD

33. ROCKET PESA

34. SENTI

35. SKYPESA

36. TALA

37. WAKANDA CREDIT/KASHWAY

38. Zash loan

39. Zenka Digital Limited

40. Zuri Cas