NAIROBI, Kenya, Dec 3 — Diamond Trust Bank (DTB) Kenya and its Uganda subsidiary have been ordered to pay a combined Sh500,000 in compensation after the Office of the Data Protection Commissioner (ODPC) found them in violation of Kenya’s Data Protection Act, 2019.
The ruling follows a complaint by Aaditi Rajput, who alleged that she had been receiving another customer’s financial statements for nearly three years while losing access to her own bank notifications, causing financial and personal distress.
“The continued mishandling of my data by DTB has caused me both financial difficulties and anxiety over the safety of my personal information,” Rajput said.
“This violation undermines confidence in Kenya’s financial systems and exposes customers to potential fraud.”
The ODPC determined that DTB Kenya failed to verify the complainant’s account before activating a “Do Not Contact” request, while DTB Uganda linked her account to a third-party account without her consent.
Both actions were found to breach principles of data accuracy, protection by design, and individual privacy rights under the Act.
As a result, DTB Kenya and DTB Uganda were each ordered to pay Sh250,000 to the complainant. Additionally, an enforcement notice has been issued to the Uganda-based unit to ensure compliance with the Data Protection Act.
Data Commissioner Immaculate Kassait emphasized that the ruling sets a precedent for accountability in Kenya’s financial sector. Both banks now have 30 days to appeal the decision to the High Court of Kenya.
