Shah v Prime Bank Limited [2025] KEHC 2579 (KLR) | Data Protection | Esheria

Shah v Prime Bank Limited [2025] KEHC 2579 (KLR)

Full Case Text

Shah v Prime Bank Limited (Civil Appeal E001 of 2024) [2025] KEHC 2579 (KLR) (4 February 2025) (Judgment)

Neutral citation: [2025] KEHC 2579 (KLR)

Republic of Kenya

In the High Court at Kisumu

Civil Appeal E001 of 2024

AB Mwamuye, J

February 4, 2025

Between

Shakunt R. Shah

Appellant

and

Prime Bank Limited

Respondent

(Being an Appeal from the decision of the Data Commissioner (Ms. Immaculate Kassait, MBS rendered on the 1st December 2023 of a complaint in ODPC Complaint No. 1615 of 2023)

Judgment

1. The Appellant filed a complaint at the Office of the Data Protection Commissioner alleging the violation of his right to privacy. The Appellant claimed that the Respondent disclosed his personal data pertaining to bank account details held jointly with another, to third parties, without seeking his consent; and that the Respondent’s actions have since prejudiced him.

2. The Data Commissioner through its decision rendered on the 1st November, 2023 dismissed the Appellant’s complaint.

3. Aggrieved by the said decision, the Appellant has approached this Court vide a Memorandum of Appeal dated the 8th January, 2024. The Memorandum of appeal has the following grounds:i.The Data Commissioner erred in fact by misconstruing the appellant’s complaint to be that disclosures were made of details of the fixed deposits the appellant held jointly with his deceased mother, Mrs. Sudha Rajnikant Shah, by the respondent to the executors of her estate.ii.The Data Commissioner erred in fact and in law by misapprehending what the personal data in issue, the subject of the complaint, was.iii.The Data Commissioner erred in fact and in law by finding that the Respondent had a lawful basis to process the personal data in issue and that the Respondent did not in its actions or otherwise, cause a personal data breach to the complaint.iv.The Data Commissioner erred in law by failing to find that the respondent’s disclosure of the appellant’s personal banking details and financial records and transactions without the consent of the appellant constituted a personal data breach and by failing to appreciate the overwhelming evidence that established that the respondent had caused a personal data breach by disclosing this information.

4. The Appeal was canvassed by way of written submissions and the Appellant filed their submissions dated the 20th September, 2024 whilst the Respondent filed their submissions dated the 4th December, 2024.

5. This being a first appeal, the Court is, on clear and settled principle, entitled to re-evaluate the evidence considered in arriving at the decision subject of the Appeal and draw its own independent conclusions. I have considered the proceedings at the office of the Data Protection Commissioner, the Memorandum of Appeal, the Appellant’s submissions and the Respondent’s rival submissions; and I identify the following two (2) issues for determination:a.Whether the Data Commissioner misapprehended what the personal data in issue was; andb.Was the impugned data sharing action lawful.

6. On the first issue, issue, the Appellant claims that the personal data in issue was not the existence or fate of the joint accounts as at the maturity date but rather it was the details and transactions of the accounts held in the sole name of the Appellant after the maturity date; and that was the personal data in issue.

7. From the record of proceedings at the Office of the Data Protection Commissioner and the Record of Appeal, I note that the complaint related to alleged unauthorized disclosure of private/personal data concerning the Appellant’s banking details.

8. Indeed, the Appellant states that the issues are that informal bank statements for FDRs were given out by the bank manager without the consent of the Appellant. The said bank statements were held jointly between the Appellant and his late mother, Mrs. Sudha Rajnikant Shah, and upon their maturity they were renewed in the name of the Appellant.

9. I am thus satisfied that the Data Protection Officer rightly identified the personal data in question related to the information shared by the Respondent regarding the joint bank accounts of the Appellant and the Late Mrs. Sudha Shah.

10. Further, it is not disputed that all the information that the Respondent shared in response to the enquiries made related to accounts which the deceased at one time or the other had an interest in.

11. I consequently find that the Data Protection Officer did not err in finding what the personal data in issue was.

12. On the second issue; under Section 30 (1) (b) (ii) of the Data Protection Act, it is lawful to process personal data without the consent of the data subject for purposes of compliance with any legal obligation to which the data controller is subject to. Based on this, the Data Commissioner found that the Respondent was entitled to make the disclosure complained of to the Executors of the Estate of the late Mrs. Sudha Rajnikant Shah in furtherance of and in reliance of a Grant of Probate of a Written Will which had been issued in relation to the said estate in Kisumu High Court Succession Cause No. 15 of 2017.

13. I note that the Respondent indeed provided the information requested by the Executors of the Estate of the late Mrs. Sudha Rajnikant Shah and the Executors produced the Grant of Probate as their legal basis for seeking that information and also being entitled to it. That information, undoubtedly, was necessary for the discharge of their functions as Executors of the Estate of the deceased. Executors of an Estate are required by law to ascertain the nature and the extent of the Estate, and that is the reason why they made the request to the Respondent and that is also the lawful basis upon which the Respondent divulged the same to them. To the extent that the accounts were at least initially in the joint names and were then subsequently renewed in the name of the Appellant alone, the information provided was still permissible in law as the Executors needed to still satisfy themselves, and the Court they were accountable to, as to the extent of the Estate, i.e., what was part of the Estate and what was not.

14. I further find that the duty for prior notification in the circumstances was not required, as the duty to notify under Section 29 of the Act relates to the data collection stage, which had already long since passed in the present case, and Section 30 makes clear that for lawful processing under any of the circumstances under Section 30(1)(b) there is no requirement for prior notification and consent. All the Respondent had to do was to comply with Section 30(1)(b), and it is my finding that the Respondent acted lawfully within that Section.

15. The identification of the assets and liabilities of an Estate is one of the principal duties of an Executor of an Estate. The Executors must conduct an asset tracing exercise that requires them to know the status of an asset within the Estate. In the present case, the Executors needed to know if the investments/assets were still in joint names or not, so that they could include or exclude them within the Estate. The Appellant should have been supportive of that exercise, as he would have a direct financial interest in not having any of his assets being wrongfully classified under the Estate or being excluded from an Estate which he or his close relatives may have been beneficiaries to. I find that the Respondent’s disclosure, in addition to being lawful under Section 30 of the Act, also furthered the Appellant’s own interests.

16. For the foregoing reasons, I find no reason to alter the impugned decision of the Data Commissioner. Consequently, I find that this Appeal lacks merit and hereby dismiss it with costs to the Respondent.

DATED, SIGNED, AND DELIVERED VIRTUALLY THIS 4TH DAY OF FEBRUARY, 2025. …………………………………………………………………………BAHATI MWAMUYEJUDGE