Data Controllers Bear the Burden of Proving Consent for Unsolicited Messages
Background
In John Mkomba Nzau v Kuza Sacco Society Limited, the Complainant alleged that the Respondent sent unsolicited messages to his personal mobile number despite the fact that he was neither a customer nor had he consented to receive such communications.
He further stated that the Respondent failed to honour his opt-out request and continued sending messages even after he had exercised his right to opt out. He claimed that they exposed him to risks such as financial fraud and identity theft and left him feeling harassed and inconvenienced.
The Complainant also argued that, under Section 32 of the Data Protection Act, 2019, the burden lies on the data controller to prove that a data subject has consented to the processing of their personal data, and that the Respondent had failed to discharge this obligation.
Respondent’s Response
The Respondent denied the allegations and contended that the Complainant may have opted out and subsequently opted back in to receive communications, allegedly with the intention of taking advantage of the Respondent.
Accordingly, the Respondent requested the Office of the Data Protection Commissioner (ODPC) to enjoin the telecommunications provider, Safaricom, to provide clarity on whether the Complainant had opted out and later re-subscribed to the messaging service.
In support of its position, the Respondent produced communication dated 23rd May 2025, which it asserted demonstrated that the Complainant had opted out and that, by 2nd May 2025, he had resumed receiving messages following an alleged opt-in.
Determination by the Data Protection Commissioner:
The Data Commissioner held as follows:
- Section 26(c) of the Data Protection Act, 2019 gives a data subject the right to object to the processing of all or part of their personal data. The Complainant produced evidence of an opt-out message dated 23rd April 2025, to demonstrate that he exercised this right. Despite this, the Respondent continued processing the Complainant’s personal data in violation of his rights under the Act.
- Regarding claim that the Complainant may have opted back in, the Data Commissioner reaffirmed that Section 32 places a burden on the data controller to prove that valid 1 www.mutie-advocates.com consent exists. During a site visit, the Office of the Data Protection Commissioner found that the Respondent had no evidence to demonstrate that the Complainant had provided consent that was freely given, specific, informed and unequivocal. The Data Commissioner therefore concluded that the Respondent processed the Complainant’s personal data without a lawful basis.
- Therefore, the Respondent was ordered to pay the Complainant compensation in the sum of Kenya Shillings Fifty Thousand (KES 50,000) for the infringement of his rights under the Act.
