Fingrow Capital slapped with Ksh. 200,000 fine by ODPC for exposing borrower's financial data

The Office of the Data Protection Commissioner (ODPC) has ordered Fingrow Capital Limited to pay an administrative fine of Ksh. 200,000. The penalty was imposed after the lender was found guilty of illegally disclosing the confidential financial information of a borrower to third parties.

The case involved borrower Kennedy Omondi Ochieng’, whose privacy was breached when Fingrow Capital went beyond standard debt collection practices.

The ODPC investigation found that the lender engaged in egregious privacy violations, including:

Unauthorised Contact: Reaching out to the borrower’s work colleagues, contacts, and guarantor.
Illegal Disclosure: Sharing Mr. Ochieng’s most sensitive financial documents, including his payslips, bank statements, and National ID, without his explicit consent.
Further Exposure: Illegally emailing this confidential financial data to a bank’s customer service address, unnecessarily exposing the borrower to embarrassment and severe privacy risk.

The ODPC concluded that Fingrow Capital Limited illegally retrieved and disclosed the borrower’s confidential information, confirming that the actions constituted a clear breach of the Data Protection Act (2019).

This ruling reinforces the fundamental principle that data collected by financial institutions for specific purposes, such as loan assessment, cannot be weaponised for debt shaming or collection.

The fine serves as a powerful reminder to all Data Controllers and Processors in the lending sector that they must adhere strictly to the principles of:

Consent: Data disclosure requires the informed and unambiguous consent of the data subject.
Purpose Limitation: Data must be used only for the purpose for which it was originally collected.
Confidentiality: Entities must ensure robust technical and organisational security measures to prevent unauthorised disclosure.

The incident underscores the growing concern over the aggressive and often illegal tactics employed by some digital lenders. Borrowers who find themselves in a similar situation are advised to take immediate action.

If a lender contacts your workplace, colleagues, or contacts who are not legally registered guarantors, it is a likely violation of your data rights. You should immediately report the incident to the ODPC for investigation and consider pursuing legal action for damages resulting from the privacy breach.

Life

KeNHA is hiring in 41 positions for national road management

CA launches major recruitment drive with over 20 vacancies

Serial fraudster Christine Nyambura Muturi arrested in US Hospice scam

Business

ODPC Issues Ksh. 9.3M in fines to Casa Vera Lounge & others in data privacy violations

Platinum Credit fined Ksh. 400,000 for unsolicited marketing & data privacy breach

Safaricom ‘Bundle Ya Dere’ boosted by Shell with 2 bob fuel discount for cab drivers

Tech

Zoho trains 150+ students in Africa on low-code app development

Standard Chartered awards 7 women entrepreneurs with Ksh. 9.1M at Women in Tech graduation

Google commits to comply with Uganda’s data protection law after court case

Entertainment

African storytelling goes Global as TidPix launches on LG Channels across Europe

Pungulu Pa Productions announces inaugural PUNGULU PARTY! Kids Festival on Dec 7

New original drama series, Qutu, premieres on Maisha Magic Plus

Fingrow Capital slapped with Ksh. 200,000 fine by ODPC for exposing borrower’s financial data