The Office of the Data Protection Commissioner (ODPC) has ordered Diamond Trust Bank Kenya (DTB Kenya) and Diamond Trust Bank Uganda (DTB Uganda) to pay a total of Ksh. 500,000 in compensation to a customer following a severe data privacy violation.
The Complainant, Aaditi Rajput, had repeatedly received sensitive financial statements belonging to an unknown third party since 2022. Compounding the breach, Rajput subsequently lost access to her own DTB bank statements and notifications from May 2025, causing significant financial difficulty in tracking her personal transactions.
The ODPC complaint, filed under No. 1244 of 2025, detailed that the improper disclosure of the third party’s financial data stemmed from DTB Uganda. Rajput alleged that her account had been improperly “linked” to DTB Uganda, an entity with which she has no relationship and has never transacted.
The Data Commissioner found that the persistent failure to resolve the issue, despite multiple reports from the Complainant, caused her “distress, anxiety, and loss of trust” in the banks’ systems. The ODPC concluded that the mishandling posed a systemic risk to the security of Kenya’s financial systems.
In its final determination, the ODPC found both the 1st Respondent (DTB Kenya) and the 2nd Respondent (DTB Uganda) liable for violating the Complainant’s rights, including the right to be informed, to access, and to rectification and erasure of her personal data.
The final determination, issued by the Data Commissioner, included the following orders:
1. Liability:
- Both the 1st Respondent (DTB Kenya) and the 2nd Respondent (DTB Uganda) were found liable for the data breach.
2. Compensation:
- DTB Kenya was ordered to pay the Complainant Ksh. 250,000 as compensation.
- DTB Uganda was also ordered to pay the Complainant Ksh. 250,000 as compensation.
3. Enforcement Notice:
- An Enforcement Notice was issued specifically to the 2nd Respondent (DTB Uganda).
