| Authority | ODPC – Kenya |
|---|---|
| Jurisdiction | Kenya |
| Relevant law | Data Protection Act 2019 ss. 25(a), 29, 37(1), 56, 65; Data Protection (General) Regulations 2021, Regs. 14(1), 15, 15(e); Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021, Reg. 14 |
| Type | Complaint |
| Outcome | Violation |
| Started | 28 May 2025 |
| Decided | 25 August 2025 |
| Published | Yes |
| Fine | KES 50,000 |
| Parties | Justine Nyachio Makana (Complainant) vs. MyCredit Limited (Respondent) |
| Case No. | ODPC/CIE/CON/2/3(109) |
| Appeal | N/A |
| Original Source | ODPC |
| Original Contributor | MZIZI Africa |
Justine Nyachio Makana received persistent unsolicited promotional messages from agents linked to MyCredit Limited, with no opt-out mechanism provided. MyCredit blamed independent brokers acting without authority. The ODPC rejected the broker defence and held MyCredit liable for failing to prove consent and for omitting the mandatory opt-out mechanism. KES 50,000 compensation was ordered.
The Complainant filed his complaint on 28 May 2025, alleging that MyCredit Limited had processed his personal phone number for marketing purposes without a lawful basis. He asserted that on 29 January 2025, he received copious unsolicited promotional messages from numbers he did not recognise. Critically, the messages did not contain any opt-out mechanism — contrary to the requirements of the Act — thereby denying him the ability to exercise his statutory right to object to the processing. He further alleged that the Respondent's agents had also made unwanted calls to his number. The Complainant stated he suffered harassment and distress from the persistent communications.
The Respondent expressed willingness to resolve the matter through Alternative Dispute Resolution. ADR was facilitated by the ODPC upon the Complainant's consent, but failed. The matter reverted to formal determination. Despite being notified, the Respondent failed to provide any further substantive response after its initial statement of 15 August 2025.
In that response, the Respondent advanced a broker defence: it submitted that the phone numbers used to send the impugned messages (four separate numbers matching 0743 9** 5**, 0720 6** 7**, 0798 5** 9**, and 0720 3** 3**) were not its official contact numbers. It stated that it operates only through two registered and verifiable numbers managed by ten call centre staff, and that following internal investigations, the persons who sent the messages were independent brokers who promote loan products for multiple financial institutions — including MyCredit — in return for commissions. The Respondent contended these brokers acted independently and without any authority or instruction from MyCredit, and that it was not aware of how the brokers had obtained the Complainant's personal data. It further alleged that the Complainant had improperly directed his complaint against MyCredit rather than the true perpetrators, and that upon receipt of the ODPC notice, it had proactively reached out to the brokers and cautioned them against continuing the complained-of practices.
The ODPC analysed the complaint against Sections 37(1) of the Act and Regulations 14(1) and 15 of the Data Protection (General) Regulations 2021. Section 37(1) prohibits the commercial use of personal data without either express consent or written law authorisation. Regulation 14(1) defines "commercial purposes" to include using personal data to induce another person to buy, rent, lease, join, subscribe to, or engage in a commercial transaction — squarely capturing the marketing messages in this case. Regulation 15 sets out the permitted conditions for direct marketing use of personal data, including that the data subject must have consented to the use of their data for direct marketing, must have been notified that direct marketing is one of the purposes for which their data is collected, and crucially — that a simplified opt-out mechanism must be provided.
The ODPC found that the impugned messages did not contain an opt-out mechanism as expressly required by Regulation 15(e). The Respondent had also failed to discharge its burden under Section 32 of demonstrating that it had obtained the Complainant's prior consent to process his personal data for commercial purposes, or that it had provided him with notice at the point of data collection. The broker defence did not exculpate the Respondent: the ODPC held that MyCredit remained liable for the commercial use of the Complainant's data in the course of promoting its products, regardless of whether the promotional activity was conducted by agents acting on commission. The Respondent was found to have failed to fulfil its obligations under the Act and was ordered to compensate the Complainant KES 50,000.