| Authority: | ODPC - Kenya |
|---|---|
| Jurisdiction: | Kenya |
| Relevant law: | Section 5, 8(1)(f), 25, 56 and 61 of the Data Protection Act, 2019; Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021; Article 31 of the Constitution of Kenya |
| Type: | Complaint |
| Outcome: | Violation |
| Started: | 14 June 2024 |
| Decided: | 11 September 2024 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Derrick Kiamba vs. Ceres Tech Ltd T/A RocketPesa |
| Case No.: | 849 of 2024 |
| Appeal: | N/A |
| Original Source: | ODPC |
| Original contributor: | MZIZI Africa |
A Kenyan citizen filed a complaint with the Office of the Data Protection Commissioner (ODPC) against Ceres Tech Limited (Rocketpesa) for sending unsolicited promotional messages without consent. The company denied the claim, stating its marketing team followed proper protocols. The ODPC dismissed the complaint due to lack of evidence but recommended prosecuting the company directors for obstructing the Data Commissioner.
The Complainant, Derrick Kiamba, alleged that Ceres Tech Limited T/A Rocketpesa (the Respondent) was sending him unsolicited promotional messages without his consent.
He stated that agents of the Respondent had been calling and messaging him incessantly trying to sell their loan products. He provided screenshots of the messages he received as proof.
He further stated that he had blocked many of the Respondent’s contacts from calling and texting him, but they had even migrated to WhatsApp texting.
He was so distressed and anxious that he never downloaded their app before, never consented to processing his data and did not know where the Respondent got his number.
The Respondent denied the allegations. They stated that internal investigations revealed that their marketing team strictly adheres to the established protocols, including implementing measures to prevent the transmission of unsolicited messages.
They further stated that its marketing is conducted solely through authorised agents whose contact numbers are attached.
The Respondent stated that marketing messages are only sent to individuals who sign up with its app and ultimately sign the marketing consent form during onboarding. This ensures that only those who have expressly consented to receive such communications are targeted.
The Respondent provided a copy of the marketing consent form as proof. The Respondent also stated that it places great emphasis on verbal communication with data subjects regarding the option to opt out of marketing messages.
The Office of the Data Protection Commissioner (ODPC) conducted an investigation and was unable to establish whether the mobile phone numbers that contacted the Complainant did indeed belong to the Respondent.
However, during the investigation, the Respondent intentionally did not answer questions relating to the complaint, instructed its marketing team to send out promotional messages and did not allow investigation officers the opportunity to examine the system/application used to send out the promotional messages.
Legal provisions reviewed: