Diamond Trust Bank (DTB) Kenya and DTB Uganda were on Thursday ordered to pay Sh250,000 each to a customer for repeated violations of her personal financial data.
The ruling follows years of mishandling in which the complainant had repeatedly received another person’s bank statements since 2022 and lost access to her own statements from May 2025, according to the Office of the Data Protection Commissioner (ODPC).
The ODPC found both banks liable and issued an enforcement notice to DTB Uganda for failing to adhere to data protection laws.
The complainant, Aaditi Rajput, stated that she had never visited Uganda nor held any account with them, yet her account had been improperly linked to DTB Uganda, causing a breakdown in trust toward DTB Kenya’s systems and controls.
The nature of the complaint involves the improper disclosure of a third party’s financial information to the complainant.
Further investigation revealed that the misdirected account statements were sent by DTB Uganda, while the complainant simultaneously lost access to her own bank statements and notifications, causing financial difficulty in tracking her transactions.
The complaint had persisted for years despite multiple reports, highlighting systemic lapses in accuracy and internal controls.
The ODPC noted that DTB Kenya did not adhere to the principle of accuracy by activating the ‘Do not contact’ step before verifying that the complainant was their customer, while DTB Uganda’s linking of the complainant’s account for nearly three years represented a “failure in accuracy, in violation of Regulation 34 of the General Regulations.”
The Data Commissioner found that both banks violated the complainant’s rights to be informed, to access, and to rectification and erasure under the Data Protection Act, 2019.
Section 65 of the Act allows for compensation for financial loss or distress caused by such contraventions. Accordingly, the ODPC directed DTB Kenya to pay Sh250,000 and DTB Uganda to also pay the same amount.
In addition to compensation, an enforcement notice was issued against DTB Uganda, requiring corrective measures to ensure compliance with the Act.
The Office highlighted the broader implications, stating that “continued mishandling of her data by DTB undermines confidence in the security of Kenya’s financial systems and poses a systemic risk if such errors are widespread.”
The complainant emphasized the potential exposure of sensitive banking data, noting that unauthorized access to her financial data could lead to identity theft, fraud, or misuse of personal and financial information.
She also pointed out the urgent need for access to her own statements for record-keeping, tax, and audit purposes.
This decision marks a clear precedent in enforcing data privacy in Kenya’s financial sector, underlining that banks are accountable for protecting customer data and ensuring systemic safeguards are in place.
The ODPC’s ruling reaffirms the importance of adhering to both technical and organizational measures to protect personal information by design and default.
By holding DTB Kenya and Uganda liable, the Office sends a strong message that data protection violations, even when spanning multiple years, will attract both financial penalties and enforcement actions to restore consumer trust.