| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 14 May 2025 |
| Decided: | 11 August 2025 |
| Published: | Yes |
| Fine: | KES.50,000 |
| Parties: | Andrew Endovo vs. Standard Investment Bank Ltd |
| Case No.: | 0697 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Andrew Endovo complained Standard Investment Bank sent an unsolicited promotional email without consent, violating his data rights. The ODPC found the bank liable for breaching Endovo's rights to be informed and to object to data processing. Standard Investment Bank was ordered to pay Kshs. 50,000 compensation for the infringement.
The Complainant, Andrew Endovo, lodged a complaint alleging that on 12th May 2025, he received an unsolicited promotional email from an agent of the Respondent, Standard Investment Bank, promoting an investment product called the Mansa-X Special Fund. He asserted that he never signed up for, subscribed to, or gave consent to the Respondent or its agents to collect or use his personal data for direct marketing.
Upon receiving the email, he contacted the sender to request an explanation about the source of his contact information and the legal basis for its use, setting a 24-hour deadline for a response. He received no response or an insufficient response. He contended that the Respondent's actions constituted an unlawful sending of unsolicited promotional email without his consent, thereby violating his data protection rights.
The Complainant described the Respondent's subsequent letter (dated 3rd July 2025) as containing misleading assertions, evasive reasoning, and an unwillingness to take full accountability for the breach of his data rights. He specifically refuted the Respondent's explanation of acquiring his email through an "unnamed acquaintance" in a WhatsApp group, deeming it speculative, unverifiable, and insufficient for independent verification.
He alleged that the Respondent deliberately ignored his explicit written request after the initial email to disclose the source of his personal data and remained unresponsive until the complaint was formally filed. The Complainant also claimed that the Respondent's conduct suggested an internal culture of non-compliance when under regulatory scrutiny.
He denied any prior interest in cryptocurrency trading, forex investment, or products marketed by the Respondent, contrary to the Respondent's insinuation.
He further asserted that the unsolicited communication led to serious personal consequences, including his spouse mistakenly believing he was secretly engaged in crypto-related investments, causing emotional distress, strained relations, and a breach of trust in the marriage.
He argued that the unauthorised data processing resulted in real, tangible harm, including emotional and reputational damage that should not be dismissed as negligible.
He sought an investigation, an order to disclose the source of his contact information, appropriate enforcement action (including administrative penalties), a directive to cease and desist from such data processing practices, and substantial compensation.
The Respondent countered the complaint by stating that on or about 12th May 2025, an agent of the Respondent shared a post in a WhatsApp group, where both the agent and a long-time personal acquaintance of the Complainant were members. The post indicated the agent worked with the Respondent and invited interested persons to learn about its Mansa-X investment product.
Following this post, the acquaintance informed the agent that the Complainant had a keen interest in crypto trading and forex investment. Acting in utmost good faith, the agent genuinely believed the Complainant would find value in learning about Mansa-X and attempted to contact him by phone. However, fearing to appear impersonal, the agent instead sent a single promotional email introducing Mansa-X.