The Nigerian data protection regulator says that alleged data privacy violations on the Fidelity Bank app, which counts over a million downloads, triggered the ₦555.8 million fine imposed on the financial institution.
Dr Vincent Olatunji, National Commissioner/CEO, Nigeria Data Protection Commission (NDPC), announced on Wednesday in Abuja that the regulator imposed the fine on Fidelity Bank after its investigations revealed that the bank allegedly processed personal data without the informed consent of over one million users of its banking app.
The alleged breach is a violation of the Nigeria Data Protection Act, 2023, and the Nigeria Data Protection Regulation, 2019, the regulator says in a statement issued to clarify the developments that culminated in the imposition of the penalty.
NDPC: Fidelity Bank app processed personal data without consent
“The investigation into the data processing activities of Fidelity Bank was triggered by a complaint from a data subject whose personal data was collected without lawful basis for the purpose of opening an account for the data subject. This complaint was lodged with the Commission in April 2023,” according to the regulator.
NDPC uncovered that Fidelity Bank deployed data processing tools, including cookies and banking apps, without a lawful basis. The Fidelity Bank app, downloaded over one million times, was found to be processing personal data in critical cases without obtaining the required consent from data subjects, Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, NDPC, explains in the statement.
According to NDPC, “The Commission reviewed the data processing platforms of Fidelity Bank and found that in certain critical cases, the bank processes personal data without informed consent of data subjects. Data processing tools such as cookies and banking apps were deployed in violation of the NDP Act. Its banking app at the material time had been downloaded over one million times.”
Beyond its internal non-compliance, Fidelity Bank was also found to rely on non-compliant third-party data processors. Under Nigerian law, NDPC says, organisations are responsible not only for their own compliance but also for ensuring that their vendors and contractors handle personal data lawfully.
In response to these findings, the NDPC has imposed a fine of N555,800,000 on Fidelity Bank, representing 0.1% of the bank’s annual gross revenue for 2023. The fine must be paid within 14 days of receiving the notice. Despite multiple warnings and opportunities to rectify the situation, the bank failed to present a satisfactory remedial plan, the regulator says.
NDPC says that “over ten correspondences were exchanged. The Commission issued repeated warnings to no avail. The Commission gave several opportunities for full accountability for over one year – taking into account the need to encourage compliance as a culture. However, Fidelity Bank did not provide requisite, satisfactory remedial plan.”
“It is to be noted,” according to the data protection regulator, “that the initial decision of the Commission was issued since July 2023 and a directive to pay a remedial fee was issued in December 2023.”