Authority: ODPC – Kenya
Jurisdiction: Kenya
Relevant law: Data Protection Act 2019 ss. 26(c), 32, 36, 40, 56, 65; Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021, Reg. 14
Type: Complaint
Outcome: Violation
Started: 13 May 2025
Decided: 11 August 2025
Published: Yes
Fine: KES 50,000
Parties: John Mkomba Nzau (Complainant) vs. Kuza Sacco Society Limited (Respondent)
Case No.: ODPC/CIE/CON/2/3(102)
Appeal: N/A
Original Source: ODPC
Original Contributor: MZIZI Africa

Summary

John Mkomba Nzau, who was never a member or customer of Kuza Sacco, received persistent unsolicited marketing messages on his personal number. Despite exercising his right to object and opting out, further messages followed. The ODPC found the Sacco could not prove valid consent and ordered compensation of KES 50,000.


Facts

The Complainant filed his complaint on 13 May 2025, alleging that Kuza Sacco Society Limited had been sending him repeated unsolicited marketing messages to his personal mobile number without his consent. He emphasised that he was not a customer of the Sacco, had no loan facility with it, and had never given express consent for any such communications. The messages caused him considerable distress and emotional harm.

The Complainant provided evidence that on 23 April 2025 he exercised his right to stop the promotional messages, receiving a confirmation message that read: "YOU HAVE SUCCESSFULLY STOPPED KUZA SACCO PROMOTIONAL MESSAGES." Notwithstanding this, the Respondent continued to send promotional messages on 2 May 2025 and 5 May 2025. On 6 May 2025, the Complainant sent a formal email to the Respondent seeking deletion of his personal data and compensation, which the Respondent ignored.

The Respondent denied that the unsolicited messages caused distress or emotional torture, characterising those allegations as bare assertions. It advanced the remarkable argument that the Complainant may have opted out and subsequently opted back in to receive promotional messages in order to fraudulently claim a data breach and demand compensation. In support, the Respondent pointed to the opt-out confirmation message which included an instruction to re-activate by dialling a USSD code. The Respondent further contended that upon receiving a direct opt-out from the Complainant, it immediately erased his data from the promotional list, and that any messages received thereafter may have originated from Safaricom PLC's systems rather than from the Sacco. It also argued that the Complainant's telephone number was not sensitive personal data and was readily accessible in the public domain, and that all promotional messages had contained an option to opt in, opt out, or stop.

The Complainant's rejoinder challenged the Respondent's speculation as baseless. He affirmed that he had exercised his right to object under Section 36 and right to erasure under Section 40, and that his actions were in good faith to protect his right to privacy under Article 31 of the Constitution. He noted that under Section 32 of the Act, the burden of proof to demonstrate consent lies with the data controller — and that the Respondent's speculative claim that he "might have" opted back in was entirely unsubstantiated.

A site visit to the Respondent's offices established that the Respondent could not produce any evidence showing that the Complainant's consent to receiving promotional messages was freely given, informed, specific, and unequivocal. This omission was dispositive. The ODPC held that the Respondent had violated the Complainant's right under Section 26(c) of the Act, namely the right to object to the processing of personal data. The Respondent was ordered to pay the Complainant KES 50,000 in compensation.



Holding