The Nigeria Data Protection Commission (NDPC) has fined Fidelity Bank Plc N555.8 million for violating the Nigeria Data Protection Act, 2023, and the Nigeria Data Protection Regulation, 2019.
The fine follows investigations into the data processing activities of Fidelity Bank Plc that were triggered by a complaint from a data subject (a customer) whose personal data was collected without a lawful basis to open an account for the data subject.
This complaint was lodged with the Commission in April 2023.
But the bank affirms its commitment to data protection and strong corporate governance, adding that it remains in discussions with the NDPC over an amicable resolution to this matter.
The Commission reviewed the data processing platforms of Fidelity Bank and found that in certain critical cases, the bank processes data without the informed consent of data subjects.
Data processing tools such as cookies and banking apps were deployed, violating the NDP Act. Its banking app, at the time, had been downloaded over one million times.
A statement from NDPC dated August 21, 2024, noted that, apart from internal non-compliance, the bank relies on some non-compliant third-party processors.
The law not only encourages an organisation to be compliant but also mandates its relevant vendors, agents, or contractors, among others, to be accountable when handling individuals’ personal data.
According to the NDPC, “It is to be noted that the Commission’s initial decision was issued in July 2023, and a directive to pay a remedial fee was issued in December 2023, and over ten correspondences were exchanged. The Commission issued repeated warnings to no avail. The Commission gave several opportunities for full accountability for over one year, considering the need to encourage compliance as a culture. However, Fidelity Bank did not provide the requisite, satisfactory remedial plan.”
The National Commissioner and CEO of the Nigeria Data Protection Commission, Dr. Vincent Olatunji, enjoins Data Controllers and Processors to eschew acts that may undermine trust and confidence in Nigeria’s capacity to protect data-driven decisions and transactions.
Dr. Olatunji noted that economic growth will be gravely hampered without demonstrable assurance or accountability in the exchange of goods and services.
However, through compliance with laws that protect individuals’ freedoms, their lives, and livelihoods, Nigeria will witness increasing momentum for sustainable development.
In reaction, Fidelity affirmed its commitment to data protection and strong corporate governance.
“While the matter is the subject of an ongoing engagement with the regulator, we wish to assure the public that we have conducted ourselves to the highest ethical standards by ensuring full compliance with existing laws on data protection,” the bank stated while giving a breakdown of its dealings with the NDPC since receiving their letter about an alleged data breach.
“On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC). The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant], who claimed that [name withheld] details were used to open an account in the bank without [name withheld] consent.
“Based on this notice, we conducted an internal investigation into the circumstances surrounding the claim and discovered as follows: An account opening request was received online in the name of [name withheld], and an email was sent to the email address attached to the request informing them about this.
“In compliance with our Data Protection Policy, accounts created online without full documentation are not allowed to be operational and are closed after 30 days if the outstanding documents are not provided to authenticate the identity of the person seeking to open the account,” the bank’s statement read in part.
It explained that, in compliance with the lender’s data protection laws, the account was not allowed to be operational as the passport photograph and BVN were not provided.
The account was immediately placed on “Post No Debit” status as the applicant was expected to complete the account opening process by providing the outstanding documents for verification within 30 days.
The statement reads, “This was not done, and the account was eventually closed.
“On May 2, 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed.
“On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.
“At no point in the process was the account ever operational.
“On July 7th, 2023, we were invited to a pre-action meeting with the NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd.
“However, despite our explanation and evidence provided to support our claim, the agency informed us that they had reached a conclusion to impose a penalty on the bank.
“On December 5, 2023, we got a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days.
“We immediately commenced another round of engagements with the Commission, as we were convinced we had not breached any existing law or regulation.
“While discussions were still ongoing with the NDPC, we received another letter on the 20th of August demanding that we now pay N555.8 million naira.
“As a responsible financial organisation with a history of strong corporate governance standards, we remain committed to the due process of the law, and we wish to assure all our customers of our unwavering commitment to upholding the highest level of ethical standards in all our dealings with customer data.”
The bank further noted that its commitment to strong corporate governance has earned local and international recognition, including the prestigious CG+ award.
This is the highest rank under the Corporate Governance Rating System (CGRS) of the Nigerian Exchange Group (NGX), which evaluates listed companies against established best practices and standards.
“As a bank, we remain in discussions with the NDPC over an amicable resolution to this matter,” it concluded.