| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Legal Provisions Reviewed |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 23 March 2025 |
| Decided: | 10 June 2025 |
| Published: | Yes |
| Fine: | KES.250,000 |
| Parties: | Samuel Kadzuga Nyamawi vs. FIN Africa T/A Trustgro SCA Limited |
| Case No.: | 0385 of 2025 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
Samuel Kadzuga complained that FIN Africa T/A Trustgro sent persistent, unsolicited text messages for services he never subscribed to, violating his privacy rights. The Respondent denied liability, claiming the messages came from an unauthorized external agent. The ODPC found the Respondent liable because their affiliated agent violated the Complainant's right to information and ordered KES 250,000 compensation.
The Complainant averred that the Respondent persistently sent him unsolicited text messages without his consent and despite him not having subscribed to any of its services. He stated that on or about 5th March 2025, he began receiving repeated and unsolicited marketing messages from people claiming to be agents of the Respondent. The constant nature of the messages became bothersome and annoying to him.
The intrusions and growing concern that his personal data might have been shared or used without his permission led him to write an email to the Respondent on 19th March 2025. In this email, he raised the issue that his personal data could be at risk of falling into the wrong hands, including fraudsters, which could expose him to identity theft.
The Complainant noted that the Respondent initially replied, claiming they did not have any of his data because he was not their customer. The Respondent also claimed that the individuals sending the messages were not working for them and that he had no grounds to raise the issue.
Despite this initial denial, the Complainant continued his investigation, contacting the individuals through WhatsApp to learn more about who they were and their actual link to the Respondent. Through these conversations, the Complainant found that the person who had called him and sent multiple marketing messages was indeed working on behalf of the Respondent. He further asserted that the individual even gave him the contact details of her supervisor. The Complainant then wrote to the supervisor, asking whether the individual was officially associated with the Respondent. The Complainant confirmed that the supervisor responded by email and confirmed that the person was indeed working with the Respondent.
Based on this evidence, the Complainant concluded that the individual was acting as a representative of the Respondent and was promoting its services. He argued that the Respondent should take responsibility for the actions of its agents. By sending him marketing messages and using his personal information without permission, the agent—and by extension, the Respondent—violated his rights under Sections 26, 29, and 37 of the Act. The Complainant concluded that the Respondent, through its agents and for its own benefit, unlawfully interfered with his right to privacy and failed to follow key data protection rules.
The Complainant prayed for KES 500,000 as compensation for emotional distress and exposure to financial fraudsters and phishing.
The Respondent averred that it received a notification of complaint from the Office on 10th April 2025, although this was not the first time it had encountered the matter. The Respondent contended that the Complainant had previously contacted the Company directly via email on 19th March 2025, raising concerns about a person using a mobile number to send unsolicited messages offering a loan while allegedly representing the Respondent. In the same email, the Complainant attached a copy of his national identity card, which the Company asserted was the only piece of personal data it ever received or possessed in relation to the Complainant.
The Respondent noted that the Complainant later sent a second email on 20th March 2025, demanding KES 250,000 as compensation, based on the claim that the said agent was affiliated with the Company and had misused his personal data. The Respondent purportedly sought to engage the Complainant directly to clarify the situation and resolve the matter amicably. Subsequently, the Respondent replied to the Office on 28th March 2025, informing the Office that internal investigations had commenced and expressing its willingness to engage the Complainant directly. However, the Respondent averred that the Complainant declined direct communication and insisted that all future responses be addressed exclusively through the Office. The Respondent further contended that after the matter was escalated, the Complainant revised his compensation demand significantly, from the initial KES 250,000 to KES 5,000,000.
Following its internal review, the Respondent asserted that the Complainant was not listed in any of its customer records, nor was any of his personal data in its custody prior to the complaint. It claimed that the only information in its possession was voluntarily submitted by the Complainant himself when initiating the complaint process.
Regarding the alleged agent, the Respondent stated that she is an independent referral agent who has worked with several financial institutions over the years, including the Respondent. However, she is not employed by the Company, does not have any employment contract with it, and has no access to its internal systems or customer data.