Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Timothy Murithi complained MyCredit Limited sent unsolicited promotional messages and frequent calls without consent. Despite the Complainant’s objection, the company continued processing, lacking lawful basis or providing opt-out mechanisms,. The ODPC found MyCredit liable for infringement and unauthorized commercial use, ordering KES 50,000 compensation.

Facts

The Complainant, Timothy Murithi Kaung’u, lodged a complaint on 25th May 2025, asserting that the Respondent (MyCredit Limited) sent promotional messages to his personal number and subsequently subjected him to frequent marketing calls and messages without any lawful basis or consent. The Complainant averred that the Respondent used his registered mobile number (07*****80) as his personal line. After receiving the initial promotional message, the Complainant began receiving frequent marketing calls and additional messages from the Respondent’s agents. He claimed that these messages and calls caused him annoyance, distress, and mental strain. The Complainant asserted that the Respondent failed to obtain his express consent as required under Section 37 of the Data Protection Act, 2019, before using his personal data for commercial purposes. Furthermore, the Complainant reached out to the Respondent to object, but the Respondent ignored his complaint. He provided screenshots of the promotional messages to support his complaint. In a subsequent statement, the Complainant noted that the marketing messages sent on 19th March 2025 did not contain an opt-out option or any instructions that would allow him to unsubscribe or object to the processing of his personal data. He sought compensation of KES 2,000,000 from the ODPC.

The Respondent submitted a response to the notification of complaint on 15th August 2025. The Respondent stated that only one screenshot of a message sent from MyCredit was attached to the complaint. They expressed being shocked to receive a Notification of Complaint without any prior communication from the Complainant. The Respondent argued that the Complainant did not exhaust his rights before filing the complaint, including his right to be forgotten. They claimed that the Complainant had withdrawn his consent from MyCredit in January, and consequently, the Respondent would have deleted his data. Despite the Complainant not making the complaint directly to them, the Respondent asserted they had already deleted his data from the system and considered him forgotten. The Respondent prayed that the complaint be discontinued based on the Complainant's failure to exhaust his right to be forgotten. If the Commission found against the Respondent, they prayed for an apology, deletion of the data, and only KES 5,000 as adequate damages to compensate the Complainant against the one message sent.

The ODPC determined three main issues: whether the Respondent violated the Complainant’s rights under the Act, whether the Respondent fulfilled its obligations, and whether the Complainant was entitled to remedies.

1. Violation of Complainant’s Rights (Right to Object): The ODPC found that the Complainant exercised his right to object to the processing of his data by contacting the Respondent’s agents and informing them that he was not interested in their products. The Respondent was obligated to cease processing the data, but disregarded this objection and continued sending messages, even after the complaint was filed with the ODPC. The continued sending of messages, despite the Complainant's clear objections, constituted a direct violation of the Complainant’s right to object under Section 26 (c) of the Act. The right to object to processing is considered an absolute right when the processing is for direct marketing purposes.
2. Failure to Fulfil Obligations: The ODPC found that the Respondent did not fulfil its obligations under the Act. The processing of the Complainant’s personal data without consent violated Section 30 and 32 of the Act. The use of the data for unsolicited marketing messages and for commercial purposes without prior consent or clear purpose violated the principle of transparency and fairness. The failure to stop communication after multiple requests showed a lack of fairness in processing. Furthermore, the Respondent did not inform the Complainant about the purpose of data collection or how his data was obtained, contravening the principle of transparency. Critically, the marketing messages received by the Complainant did not contain any opt-out mechanisms, thereby limiting the Complainant's ability to exercise their right to object to receiving further communication.
3. Entitlement to Remedies: The ODPC found that the Complainant was entitled to remedies, including compensation for damages suffered by reason of a contravention of the Act, such as distress.

• Legal Provisions Reviewed

Holding

The Data Commissioner, Immaculate Kassait, made the following final determination on 26th August 2025:

1. The Respondent (MyCredit Limited) was found liable.