ODPC Fines Loan App KES 5 million for Personal Data Abuses

Loan Apps Kenya

The Office of the Data Protection Commissioner (ODPC) has issued two penalty notices against WhitePath Company Limited which offers online loan services, and Regus Kenya.

The ODPC has challenged businesses to protect personal data by design and by default and cooperate with them to avoid penalties.

In a statement by the Data Protection Office, WhitePath failed to comply with an ODPC’s enforcement notice dated 10th January 2023, while Regus Kenya was non-cooperative and failed to respond to a Notification of Complaint dated 27th October 2022, a reminder to the Notification of Complaint dated 11th November 2022 and an Enforcement Notice dated 16th February 2023.

To this end, each company is required to pay the ODPC a penalty of KES 5 million pursuant to Section 63 of the Data Protection Act, and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement).

the Office of the Data Protection Commissioner (ODPC) received nearly 150 complaints against WhitePath, claiming that their applications have been accessing users’ mobile phone contacts and sending unwanted text messages to those contacts.

That’s not all: Whitepath staff have reportedly been harassing the complainants and their contacts irregularly obtained from the complainant’s phone books. This has been a big issue with loan apps in the country, which have since received more scrutiny from legislators and regulators in the name of new laws that have been put in place to tame their sometimes unscrupulous activities.

WhitePath has not been approved as a loan app by the CBK. Currently, 32 digital lenders have received a license to run their operations in Kenya.

On the other hand, the complaint against Regus alleged frequent spamming of automated improper information to the complainant despite attempts to make the respondent stop.


Speaking on the notices, the Data Commissioner Immaculate Kassait, MBS said, “Data protection is the responsibility of every data controller and processor, and it must be the company’s top priority whenever they collect, process, or store personal information. I challenge businesses to protect personal data by design and by default and cooperate with the ODPC to avoid penalties.”


Comments are closed.