
Kenya’s Data Protection Act, 2019 (DPA), came into force in November 2019, transforming how personal and financial data is handled by lenders, digital credit providers (DCPs), and Credit Reference Bureaus (CRBs). For borrowers, the law provides stronger protection against data misuse and unfair profiling, ensuring that financial information is collected, stored, and shared responsibly.
The DPA is built on three core principles (lawfulness, transparency, and data minimization), which require lenders to process only the data necessary for legitimate purposes such as credit assessment. This prevents the unnecessary collection of personal details, reducing risks such as unauthorized access or harassment.
Understanding Borrower Rights Under the Data Protection Act
Under the Data Protection Act, you are legally recognized as a “data subject.” This status gives you control over how lenders, DCPs, and CRBs use your data. The law is enforced by the Office of the Data Protection Commissioner (ODPC), which can impose fines of up to KSh 5 million or 1% of a company’s annual turnover for violations.
Your rights as a borrower are outlined under Sections 26–40 of the DPA and expanded by the Data Protection (General) Regulations, 2021. Below is a breakdown of what each right means for you.
1. Right to Be Informed
Before you provide personal details such as your national ID, phone contacts, or M-Pesa transaction records, lenders must clearly explain what information they are collecting, why they need it, how long they will keep it, and who else, such as a CRB, will access it.
Section 29 of the DPA requires lenders to issue privacy notices written in plain language. These notices must be separate from loan terms and should not bundle consent with borrowing conditions. Consent must be freely given, and you have the right to withdraw it at any time. This ensures transparency and prevents lenders or apps from using your data for hidden purposes.
2. Right of Access
You have the right to access your personal data at any time. Borrowers can request confirmation of whether their data is being processed and obtain a free copy of it within seven days using Form DPG 2.
This right allows you to review your credit profile to confirm accuracy, especially in cases where non-performing loans or default listings might still appear despite being cleared. To exercise this right, send a formal request to your lender’s Data Protection Officer (DPO) or use their digital portal. You’ll need to attach a copy of your national ID for verification.
3. Right to Rectification and Erasure
If you find incorrect information, such as a repaid loan still listed as outstanding, you can use Form DPG 3 to request correction. Lenders must fix inaccurate, incomplete, or misleading information within 14 days and notify any third parties who previously accessed it.
You also have the right to erasure, known as the “right to be forgotten,” under Form DPG 5. This allows you to request deletion of data that is no longer needed, unlawfully obtained, or used beyond the agreed purpose. For example, you can request deletion of contacts that were accessed by debt collectors without your permission. Lenders must respond within 14 days.
While certain data may be retained for legal or regulatory reasons, you can still restrict its processing using Form DPG 1, preventing it from being used until the issue is resolved.
4. Right to Object and Restrict Processing
Borrowers can object to data processing that they find intrusive or unnecessary. Under Section 35, you have the absolute right to stop lenders or DCPs from using your information for direct marketing, such as unsolicited SMS promotions.
If your credit application is automatically declined by an algorithm, you can request a human review to challenge any unfair or biased decision. The DPA requires lenders to give you an opportunity to present additional information before making final credit decisions.
5. Right to Data Portability
Data portability enables you to transfer your credit information from one lender or DCP to another. By submitting Form DPG 4, you can request your data in a machine-readable format, such as CSV, within 30 days. This helps borrowers compare offers and access better loan terms without starting from scratch.
6. Special Protection for Sensitive Financial Data
Under Section 44, financial information that reveals your property ownership, income level, or family details qualifies as “sensitive data.” Lenders must obtain explicit consent before processing or sharing this information with third parties.
Digital credit providers are also barred from unethical collection practices such as contacting your phone contacts or using threats and intimidation for loan recovery. The ODPC has issued guidelines prohibiting such behavior, and violations may result in enforcement action.
If a lender experiences a data breach, such as leaking borrower credit information, it must notify the ODPC within 72 hours and inform affected individuals immediately. Borrowers then have the right to seek remedies, including compensation for damages caused by the breach.
How to Exercise Your Rights
Borrowers can contact a lender’s DPO via email, phone, or online form submission to make a data request. These requests are typically free unless they are excessive or repetitive. If the lender ignores your request or fails to comply, you can escalate the complaint to the Office of the Data Protection Commissioner through info@odpc.go.ke or file a case in court.
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends and their impact on African economies.