Lending App to part with millions for sending threatening messages


A Digital Credit Provider (DCP) will have to part with sh.2,975,000 for sending threatening messages to their customer’s contacts.

Mulla Pride Ltd which operates KeCredit and Faircash mobile lending apps for sending threatening messages to contacts gotten through third parties while applying for loans.

“The Office of the Data Protection Commissioner (ODPC) has issued three Penalty Notices to three Data Controllers for failing to observe Data Privacy Rights to Data Subjects and also not complying with the Data Production Act,” read a statement from the ODPC.

Mulla Pride Ltd was found culpable of using the names and contact information of the Complainants which were obtained from third parties and subsequently used to send threatening messages and phone calls.

“This penalty will ensure that Digital Lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data. It will further ensure that the data controllers are limited to strictly dealing with the data subjects who have consented to the collection and processing of their data,” read the statement from ODPC.

Others that have been penalized are ‘Casa Vera Lounge’ and ‘Roma School’.

Casa Vera Lounge has been fined sh.1,850,000 for posting a reveler’s image on their social media platform without the reveler’s consent, while Roma School has been charged sh.4,550,000 for posting minors’ pictures without parental consent.

The penalty to Roma School is the first and highest penalty to an educational institution.

“This sends a message to other schools and other facilities handling minors’ personal data to obtain consent from their parents/guardians prior to processing minors’ data,” said the ODPC.

Meanwhile, ODPC has also conducted a Compliance Audit on WhitePath Company (a digital lender) and an inspection on Naivas Supermarkets on recent data breach.

“The findings will be shared with the Data Controllers for their swift action. The office will be embarking on conducting forty (40) Compliance Audits to various Data Controllers and Processors in various sectors this financial year,” read the statement.

Data Commissioner Immaculate Kassait has called upon entities to comply with the Data Protection Act warning that failure to do so will result in instituting enforcement procedures.