SBM Bank Fined KES 450,000 For Spamming Non-Customer

The latest Kenyan business to be fined by the ODPC, SBM will have to part with KES 450,000 for unsolicited emails sent to a non-customer.


SBM Bank Kenya has become the latest business to be caught in the crosshairs of the Office of the Data Protection Commissioner (ODPC) for data privacy violations. The bank was recently fined KES 450,000 (approximately US $3,435) for sending unsolicited spam emails to a non-customer over a 10-month period.

According to a decision published by the ODPC, the complainant received a staggering 327 spam emails from SBM Bank despite never having any prior interaction with the bank. The emails were deemed unsolicited and intrusive, prompting the individual to file a complaint with the ODPC.

In its ruling, the ODPC noted that SBM Bank had failed to comply with the Data Protection Act and its corresponding regulations. Although SBM said in its defense that the complainant's email was provided by another customer with a similar name during onboarding, the ODPC found that SBM had unlawfully processed the complainant's personal data in violation of Section 26(c) of the Act and had failed to uphold the complainant's right to object to the processing of their personal data.

Rising Scrutiny By The ODPC

The ODPC's decision serves as a stark reminder to all businesses operating in Kenya of the importance of data privacy compliance. The Kenyan Data Protection Act grants individuals significant control over their personal information, and businesses must obtain explicit consent before sending marketing or promotional emails.

This case also highlights the growing trend of data privacy enforcement in Kenya. The ODPC has been increasingly active in recent years, levying fines against several businesses for various data privacy violations. Some of the highest fines levied by the ODPC since 2022 include Oppo Kenya (KES 5 million in 2022), Whitepath Limited (KES 5 million in 2023), Regus Kenya (KES 5 million in 2023), Roma School (KES 4.55 million in 2023), and Mulla Pride (KES 2.975 million in 2023), among other cases.

The Kenyan government's commitment to data privacy protection is a positive development for consumers. It empowers individuals to have greater control over their personal information and ensures businesses handle data responsibly. Businesses operating in Kenya should take proactive steps to ensure compliance with the Data Protection Act to avoid costly fines and reputational damage.

Conclusion

SBM Bank's fine serves as a cautionary tale for businesses in Kenya. The ODPC is actively enforcing data privacy regulations, and non-compliance can result in significant financial penalties. Businesses should prioritize data privacy compliance by obtaining necessary consent, implementing robust security measures, and respecting consumer rights. Don't get caught off guard - CADMUS can support your business with data privacy compliance and other cyber risk management strategies.

By Raymond Musumba, CFE
Published 16 September 2024