Fidelity Bank In Big Mess, Fined N555.8 Million For Data Privacy Breaches

By Onota Oghenevwede

The Nigeria Data Protection Commission (NDPC) has imposed a fine of N555.8 million on Fidelity Bank Plc for breaching the nation’s data protection laws.

The fine, which is 0.1% of the bank’s annual gross earnings for 2023, was issued after an investigation into allegations of data privacy violations.

The investigation, triggered by a complaint from a data subject, found that Fidelity Bank had collected personal data without a lawful basis for opening an account.

The Commission, in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations on Wednesday in Abuja, also discovered that the bank’s data processing platforms, including cookies and banking apps, were in violation of the Nigeria Data Protection Act (NDPA) and the Nigeria Data Protection Regulation (NDPR).

The NDPC noted that Fidelity Bank relied on non-compliant third-party data processors and failed to provide a satisfactory remedial plan despite repeated warnings. The Commission’s National Commissioner and CEO, Dr. Vincent Olatunji, emphasized the importance of accountability in data processing and urged data controllers and processors to comply with laws protecting individuals’ freedoms.

The Statement reads in full; “Following investigations into violations of Nigeria Data Protection Act, 2023 and the Nigeria Data Protection Regulation, 2019, Nigeria Data Protection Commission (the Commission) ordered Fidelity Bank PLC to pay a sum of N555,800,000 (Five Hundred and Fifty-Five-Million-Eight Hundred-Thousand naira) only being 0.1% of the Bank’s annual gross revenue in 2023.

“This is to be paid within 14 days upon the receipt of the Notice.Olatunji Said

“The investigation into the data processing activities of Fidelity Bank PLC was triggered by a complaint from a data subject whose personal data was collected without lawful basis for the purposes of opening an account for the data subject. This complaint was lodged with the Commission in April 2023”

“The Commission reviewed the data processing platforms of Fidelity Bank and found that in certain critical cases, the Bank processes personal data without informed consent of data subjects.

“Data processing tools such as cookies and banking apps were deployed in violation of the NDP Act. Its banking App at the material time had been downloaded over one million times.

“Apart from internal non-compliance, the Bank relies on some non-compliant third-party data processors.

“The law not only enjoins an organization to be compliant, it also mandates its relevant vendors, agents or contractors, among others to be accountable when handling personal data of individuals.He added

“It is to be noted that the initial decision of the Commission was issued since July 2023 and a directive to pay a remedial fee was issued in December 2023 Over ten correspondences were exchanged. The Commission issued repeated warnings to no avail.

“The Commission gave several opportunities for full accountability for over one year taking into account the need to encourage compliance as a culture”

“However, Fidelity Bank did not provide requisite, satisfactory remedial plan.He Said

“The National Commissioner and CEO of the Nigeria Data Protection Commission, Dr. Vincent Olatunji, enjoins Data Controllers and Data Processors to eschew acts that may undermine trust and confidence in Nigeria’s capacity to protect data driven decisions and transactions.

“Dr. Olatunji notes that without demonstrable assurance of accountability in the exchange of goods and services, economic growth would be gravely hampered.

“However, through compliance with laws that protect freedoms of individuals, their lives and livelihoods, Nigeria will witness more and more momentum for sustainable development”