SBM Bank fined Sh0.4m over spam emails to non-customer

An SBM Bank Kenya branch in Nairobi CBD. The lender was fined Sh450,000 for data privacy violations.


In May 2023, Kevin Kiprotich Rono received an unsolicited email from SBM Bank Kenya. However, since he was not the bank's customer, he ignored the communication.

The emails, however, persisted and in one year, the bank had sent him a total of 327 messages.

This means that the lender was sending him an email almost every day.

The messages included PIN and password reminders, one-time password (OTP) alerts, login notifications, various alerts, statements, and promotional offers.

He wrote to the bank asking them to stop sending him the emails as he was not a customer of SBM.

When Mr Rono thought he had had enough, he filed a complaint with the Office of the Data Protection Commissioner (ODPC), accusing the lender of bombarding him with unwarranted messages.

In a decision made in June, the Data Protection Commissioner Immaculate Kassait agreed with Mr Rono that the bank had unlawfully processed his data for a year and had failed to respect his rights under Section 26(c) of the Data Protection Act and related regulations.

For the breach, Ms Kassait awarded Mr Rono Sh450,000 as compensation for the infringement of his right to object under Section 26(c) of the Act, and for the unlawful processing of his data for over a year without any justification.

“This office further takes into consideration the fact that the respondent (SBM Bank) unlawfully processed the complainant’s personal data and continued to send him emails despite his numerous requests to correct the error on their system,” Ms Kassait said.

Section 26(c) states that a data subject has a right to object to the processing of all or part of their personal data.

In his complaint, filed on March 4, 2024, Mr Rono accused the lender of violating his right to privacy.

Evidence tabled before the data commissioner stated that he made numerous calls to the bank through its official customer service line, asking them to stop sending the emails as he was not a customer.

When the messages continued, he wrote to the bank five times, but no action was taken.

Data entry

Mr Rono said he even raised several ticket numbers with the lender, but the messages did not stop.

In its defence, the lender said the email was provided by one of its customers with a similar name. The customer allegedly opened the bank account on April 12, 2023.

SBM added that the email was accurately captured to facilitate quick and efficient communication between it and the customer.

According to the lender, it could not verify that the email address belonged to someone else because it relied on information provided by the customer.

And because Mr Rono was not a customer, the bank said it could not disclose his personal data to avoid being accused of breaching its confidentiality or data protection obligations.

But in the decision, the data commissioner noted that contrary to the assertion by the lender, its customer’s personal email account contained a double “O” while Mr Rono’s email account had a single “O”.

“It was therefore evident that the respondent (SBM Bank) did not capture their customer’s email address correctly at the time of onboarding and therefore, the allegation that it is the customer who provided the complainant’s email is false,” Ms Kassait said.

The commissioner added that the bank, as a data handler, was required to comply with the rules on restricting the processing of personal data, objecting to the processing of personal data and rectifying personal data within 14 days.

Ms Kassait said it was clear that the bank did not take any reasonable and immediate steps to restrict the processing of Mr Rono’s data when he disputed the accuracy of the email.

The commissioner added that the email address was personal and that Mr Rono was well within his rights to request the bank to stop using his email address to send him emails that were not relevant to him.

Further, Ms Kassait said it took over a year for the lender to address the matter after the intervention of the data commissioner.

The bank was given 30 days from the date of the ruling to appeal.
