Background
The Complainant lodged a complaint with the Office of the Data Protection Commissioner after receiving persistent unsolicited calls and messages promoting loan products offered by the Respondent.
In or around November 2024, an agent of Platinum Credit Limited contacted the Complainant to market loan products. During the conversation, the agent demonstrated knowledge of the Complainant’s personal identification information, including details of his motor vehicle, despite the Complainant never having been a customer of the Respondent.
Upon inquiry as to how the agent obtained his personal data, the Complainant was informed that the Respondent routinely shared personal information internally with its sales team for marketing and advertising purposes.
The Complainant asserted that:
- He had never given consent for his personal data to be processed or used for marketing purposes; and
- The repeated calls and messages amounted to unauthorised processing of personal data.
Consequently, he filed a complaint with the ODPC alleging violations of the Data Protection Act, 2019.
Issues for Determination
- Whether Platinum Credit Limited lawfully obtained and processed the Complainant’s personal data.
- Whether the Respondent violated the consent requirements under the Data Protection Act, 2019.
- Whether the use of the Complainant’s personal data for direct marketing purposes without consent was lawful.
- Whether the Respondent breached the Complainant’s right to privacy and data protection.
Applicable Law
- Article 31(c) and (d) of the Constitution of Kenya, 2010 – Right to privacy
- Data Protection Act, 2019, particularly:
  - Section 25 – Principles of data protection
  - Section 30 – Consent for processing personal data
  - Section 37 – Processing of personal data for commercial purposes
  - Section 51 – Rights of data subjects
Complainant’s Arguments
- The Respondent processed his personal data without consent or lawful justification.
- He was subjected to unsolicited direct marketing communications.
- The Respondent unlawfully accessed and used sensitive personal information, including vehicle details.
- The Respondent failed to demonstrate compliance with the principles of lawfulness, fairness, and transparency.
Respondent’s Position
Based on the facts presented, the Respondent’s agent indicated that personal data was shared internally for marketing purposes, suggesting routine processing for sales and advertising, without demonstrating that consent had been obtained from the Complainant.
Holding / Determination
The ODPC found that:
- The Respondent processed the Complainant’s personal data without his consent.
- The use of personal data for direct marketing purposes without prior consent violated the Data Protection Act, 2019.
- The Respondent failed to uphold the principles of lawfulness, transparency, and data minimisation.
Decision / Orders
The ODPC:
- Upheld the complaint.
- Found Platinum Credit Limited in violation of the Data Protection Act, 2019.
- Issued appropriate enforcement measures and/or directives (including possible cessation of processing, corrective actions, or administrative penalties, subject to the ODPC’s discretion).
Ratio Decidendi
Personal data may not be processed or used for direct marketing unless the data subject has given clear, informed, and specific consent or another lawful basis exists. Routine internal sharing of personal data for marketing purposes does not override statutory consent requirements.
Significance of the Case
- Reinforces the strict consent threshold for direct marketing in Kenya.
- Affirms the ODPC’s role in protecting individuals from unsolicited commercial communications.
- Serves as a warning to financial institutions and lenders on compliance with data protection obligations, especially concerning non-customers.
Detailed Case Brief (IRAC)
Samwel Kamau Waweru v Platinum Credit Limited; ODPC Complaint No. 1951 of 2025
I — Issues
- Whether Platinum Credit Limited lawfully obtained and processed the Complainant’s personal data.
- Whether the Respondent violated the consent requirements under the Data Protection Act, 2019 by using the Complainant’s personal data for direct marketing.
- Whether the Respondent’s conduct amounted to a breach of the Complainant’s right to privacy under the Constitution of Kenya, 2010.
R — Rules
- Article 31(c) & (d), Constitution of Kenya (2010): Guarantees the right to privacy, including the right not to have personal information unnecessarily revealed or misused.
- Section 25, Data Protection Act, 2019: Requires personal data to be processed lawfully, fairly, and transparently.
- Section 30, Data Protection Act, 2019: Personal data shall not be processed unless the data subject has given consent or another lawful basis exists.
- Section 37, Data Protection Act, 2019: Prohibits the use of personal data for direct marketing without the data subject’s prior consent.
- Section 51, Data Protection Act, 2019: Provides data subjects with enforceable rights against unlawful processing.
A — Application
Platinum Credit Limited contacted the Complainant in November 2024 to promote loan products despite the Complainant never having been a customer of the Respondent. The Respondent’s agent possessed detailed personal information, including the Complainant’s vehicle details, demonstrating that the Respondent had already collected and processed his personal data.
The Complainant did not provide consent for the collection, processing, or use of his personal data for marketing purposes. When questioned, the Respondent’s agent stated that such information was routinely shared internally with the sales team, indicating systemic processing of personal data for commercial purposes.
This conduct failed to meet the statutory requirements of lawfulness, transparency, and consent under Sections 25 and 30 of the Data Protection Act. Additionally, the repeated unsolicited calls and messages constituted direct marketing, which is expressly restricted under Section 37 without prior consent.
By using the Complainant’s personal data without lawful justification, the Respondent infringed upon the Complainant’s constitutional right to privacy under Article 31 of the Constitution.
C — Conclusion
The Respondent unlawfully obtained and processed the Complainant’s personal data without consent and used it for direct marketing purposes in violation of the Data Protection Act, 2019 and Article 31 of the Constitution. The complaint was therefore upheld, and Platinum Credit Limited was found to be in breach of Kenya’s data protection laws.