The Nigeria Data Protection Commission (NDPC) has imposed a fine of N555,800,000 on Fidelity Bank PLC for breaches of data privacy regulations.
This penalty, amounting to 0.1% of the bank’s anticipated annual gross revenue for 2023, is to be paid within 14 days of receiving the notification.
Babatunde Bamigboye, the NDPC’s Head of Legal, Enforcement, and Regulations, stated on Wednesday that the fine results from an investigation triggered by a complaint lodged in April 2023. The complaint alleged that Fidelity Bank unlawfully collected personal data during the account opening process for the individual involved.
Bamigboye said a subsequent examination of the bank’s data processing practices identified multiple violations of the Nigeria Data Protection Act (NDP Act) and the Nigeria Data Protection Regulation (NDPR).
“The Commission’s investigation uncovered that Fidelity Bank’s data processing activities, including the use of cookies and its banking app—which had been downloaded over one million times—were conducted without obtaining informed consent from data subjects. The bank also relied on non-compliant third-party data processors, failing to ensure their adherence to data protection regulations.
“Despite the Commission’s repeated warnings and efforts to engage with Fidelity Bank over the past year, including an initial decision in July 2023 and a directive for remedial payment issued in December 2023, the bank did not submit an adequate remedial plan. Over ten correspondences were exchanged, but Fidelity Bank failed to achieve compliance.
“Dr. Vincent Olatunji, National Commissioner and CEO of the Nigeria Data Protection Commission, emphasised the importance of data protection in fostering trust and economic growth,” Bamigboye said.
He further quoted the CEO as saying, “Data Controllers and Data Processors must avoid actions that undermine confidence in Nigeria’s data protection capabilities. Ensuring compliance with data protection laws is crucial for sustainable development and economic momentum.”
“The NDPC’s decision underscores the Commission’s commitment to enforcing data protection regulations and holding organizations accountable for their handling of personal data,” the statement added.