Nigeria: NITDA issues first NDPR fine of NGN 10M against SokoLoan
The National Information Technology Development Agency ('NITDA') announced, on 17 August 2021, that it had fined Soko Lending Company Limited NGN 10 million (approx. €20,700) for various violations of the Nigeria Data Protection Regulation, 2019 ('NDPR'), marking the first fine issued under the NDPR. In particular, NITDA outlined that the fine followed an investigation into a series of complaints against SokoLoan for unauthorised disclosures, failure to protect customers' personal data, and defamation of character, as well as carrying out the necessary due diligence as enshrined in the NDPR.
More specifically, NITDA highlighted that its investigation had revealed that, following complainants' failures to meet loan repayment obligations, SokoLoan had sent messages to complainants' contacts, who were neither parties to the loan transaction nor had consented to the processing of their data. In addition, NITDA found that SokoLoan embeds trackers that share data with third parties inside its mobile application without providing users with information about it or using the appropriate lawful basis.
In light of the above, among other findings, NITDA considered that SokoLoan had processed personal data without a sufficient legal basis in violation of Articles 2.2 and 2.3 of the NDPR and had illegally shared data with third parties without an appropriate lawful basis. Furthermore, NITDA identified a number of additional shortcomings, namely SokoLoan's use of a non-compliant privacy notice, contrary to Articles 2.5 and 3.1(7) of the NDPR, unwillingness to cooperate with the supervisory authority, in violation of Article 3.1(1) of the Data Protection Implementation Framework 2020, and non-filing of NDPR audit reports through a licenced Data Protection Compliance Organisation ('DPCO'), contrary to Article 4.1(7) of the NDPR.
In addition to the financial penalty, NITDA issued a number of directions to SokoLoan, including to suspend the sending of privacy-invading messages to any Nigerian until the company and its entities show full compliance with the NDPR, and to pay for the conduct of a Data Protection Impact Assessment by a NITDA-appointed DPCO on its operation. Moreover, NITDA noted that SokoLoan had been placed on mandatory Information Technology and Data Protection oversight for 9 months.
Further to the enforcement action against SokoLoan, NITDA reminded all Nigerian businesses and data controllers of their obligation to engage NITDA-licenced DPCOs to guide them towards compliance with the data protection law.