Download Article (PDF)
Data Protection and the Use of Independent Agents: Liability for Unsolicited Marketing

Published on April 9, 2026, 5:09 p.m. | Category: Intellectual Property and Technology

Listen to this article:

Introduction

The Data Protection Act, 2019 imposes obligations on data controllers to ensure that personal data is processed only on a lawful basis, including where it is used for commercial or marketing purposes. Where a data controller engages third-party agents to carry out marketing activities on its behalf, the question of liability for breaches committed by those agents becomes particularly significant. The recent determination in Ojowi Okwemba Charles v Premier Credit Limited, ODPC Complaint No. 1977 of 2025, issued by the Office of the Data Protection Commissioner, examines the boundaries of a data controller’s liability where its independent agents act outside the scope of their contractual mandate in processing a data subject’s personal data for unsolicited marketing. 

Background 

The Complainant, Ojowi Okwemba Charles, lodged a complaint with the Office of the Data Protection Commissioner (ODPC) on 5th December 2025, alleging that Premier Credit Limited (the Respondent) had sent him unsolicited promotional marketing messages without his consent or any other applicable lawful basis. The Complainant confirmed that he had no prior or existing commercial relationship with Premier Credit, yet the Respondent’s agents had continuously bombarded him with promotional messages soliciting him to take up a credit facility. The Complainant provided screenshots of the unsolicited SMS texts as evidence and sought that the Respondent be fined for the breach. 

Upon receiving the complaint, the ODPC notified Premier Credit of the allegations via a letter dated 19th January 2026, informing the Respondent that if the Complainant’s allegations were true, they would constitute a violation of various provisions of the Data Protection Act, 2019. The Respondent was required to provide, among other things: a response to the allegations; supporting evidence; the lawful basis relied upon for processing the Complainant’s personal data; an explanation of how data subjects may exercise their rights; and the mitigation measures taken or being adopted to prevent recurrence. On 11th February 2026, Premier Credit submitted its response to the ODPC. 

In its response, Premier Credit clarified that it engages independent sales agents to market its products and services to potential customers, and that such agents operate under an Independent Sales Agent Agreement and a Data Processing Agreement, which require compliance with the company’s data protection policy and the Data Protection Act, 2019. The Respondent stated that the Complainant’s personal data (phone number and name) did not exist in the company’s own database and that the agents responsible had processed the Complainant’s data without instructions from the company. The Respondent maintained that the agents had deviated from the confines of their contractual agreements and, accordingly, should be held personally liable. Premier Credit further demonstrated that upon becoming aware of the complaint, it had initiated internal disciplinary proceedings against the two agents responsible — Davy Jebiwott Kemboi and Bridget Muthengi — and subsequently terminated their Independent Sales Agent Agreements. 

Determination 

The ODPC framed two issues for determination: first, whether the Respondent fulfilled its obligations under the Act; and second, whether the Complainant was entitled to any remedies under the Act and its attendant Regulations. 

On the question of unlawful processing, the Office anchored its analysis on Section 37(a) of the Act, which prohibits the use of personal data for commercial purposes unless express consent has been obtained from the data subject, and on Regulation 15(1)(c) of the Data Protection (General) Regulations, which permits the use of personal data for direct marketing only where the data subject has consented to such use. The evidence before the ODPC did not demonstrate that the Complainant had been informed of the source of his personal data, the purpose for which it was being processed, or his right to object, an omission that amounted to a violation of the Complainant’s right to be informed. 

Significantly, the evidence showed that even after the Complainant replied to the agents’ SMS messages expressing his disinterest and requesting that the communications cease, marketing messages continued. One such message, received after his objection, read: “Sorry for texting without your consent, Premier Credit offers check off loans for Government employees within 24 hours….” This was particularly telling: the message acknowledged the absence of consent yet continued to market the Respondent’s products, in direct contravention of the Complainant’s right to object to processing. 

On the question of the Respondent’s liability, the ODPC applied Section 72(3) of the Act, which provides that liability for unlawful access to or disclosure of personal data does not extend to an employee or agent acting within the scope of their mandate. The Office concluded that the two agents, having valid Independent Sales Agent Agreements and Data Processing Agreements that governed their conduct, had acted outside the scope of those agreements when they processed the Complainant’s data without company instructions. As their actions fell beyond the confines established by the Respondent, liability for the unlawful processing attached to the agents personally and not to Premier Credit. 

The ODPC further noted that the Respondent had acted responsibly upon learning of the complaint by initiating disciplinary proceedings and terminating the agents’ agreements. On the question of remedies, the Office found that in the event the Complainant receives further unsolicited marketing messages from the said agents, a fresh complaint ought to be filed directly against those individuals. 

Final Determination 

The Data Commissioner dismissed the complaint against Premier Credit Limited. Parties were advised of their right to appeal the determination to the High Court of Kenya within thirty (30) days. 

Conclusion 

This determination offers important guidance on the allocation of liability between data controllers and their independent agents. Where agents are bound by clear contractual frameworks, including data processing agreements and training acknowledgements, but act outside the scope of those frameworks, the liability for resulting data protection violations will rest with the agents personally rather than with the data controller. However, organisations should take note that the absence of direct liability does not insulate them from the reputational and regulatory consequences of their agents’ conduct. Proper contractual frameworks, regular training, and prompt disciplinary action upon discovering breaches remain essential safeguards. 

The case further underscores the importance of the right to object under the Data Protection Act, 2019. Once a data subject clearly withdraws consent or objects to marketing communications, any continued processing even by an agent constitutes a violation. Organisations must implement effective mechanisms to ensure that opt-out requests are honoured promptly and consistently across all channels, including those managed by third-party agents. 

Contributors:

Joyce Mwaura | Associate Advocate-Data Protection 

How CM Advocates LLP Can Assist 

Our Technology, Media & Telecommunications (TMT), Data Protection & Cybersecurity Practice provides: 

  • End-to-end data protection compliance advisory 

  • Drafting and review of Data Processing Agreements (DPAs) 

  • Advisory on direct marketing, consent frameworks, and digital platforms 

  • Regulatory defence before the ODPC 

  • Cybersecurity governance and incident response advisory 

  • Cross-border data transfer and privacy risk management 

 

For Further Guidance 

CM ADVOCATES LLP – Technology, Media & Telecommunications (TMT), Data 

Protection & Cybersecurity Practice– 

 

Nairobi Office 

Email: law@cmadvocates.com 

Head Office – Nairobi 

I&M Bank House, 7th Floor, 2nd Ngong Avenue 

Tel: +254 20 2210978 | +254 716 209673 

 

Mombasa Office 

Links Plaza, 4 th Floor 

Links Road, Nyali 

Mombasa, Kenya 

Email: mombasaoffice@cmadvocates.com 

 

Regional Offices 

Uganda | Tanzania | Rwanda | Zambia | Ethiopia | South Sudan 

 

Disclaimer 

This CM Regulatory Alert is issued for general information purposes only and does not constitute legal advice. Specific advice should be sought for particular transactions or 

disputes. 

Get in Touch

Call 0716 209 673 or

Send us a Message

Related Articles
Data Protection in the Workplace: Employee Access to Customer Data
The Data Protection Act, 2019 imposes obligations on data controllers not only in relation to extern...
Read more
Valuation of Intellectual Property in Kenya
In Kenya’s increasingly knowledge-driven economy, intellectual property has moved from the margins o...
Read more
The Renewal of Trademarks in Kenya
In Kenya, the registration of a trademark confers upon the proprietor the exclusive right to use the...
Read more
Understanding Trademark Infringement in Kenya
In today’s competitive marketplace, a brand is often a business’s most valuable asset. At the core o...
Read more
Share This Blog

Contact Us to Request a Consultation

×

Call us on +254 716 209 673

Or email us on

NEED SOME HELP?

IF IT'S URGENT, PLEASE

CALL +254 716 209 673

NEED SOME HELP?

A
Agriculture, Farm and Estates
Anti-Bribery, Anti-Corruption & Whistleblower Protection
Arbitration and Alternative Dispute Resolution
Artificial Intelligence Practice
Aviation, Transport & Logistics
B
Banking and Securitization
Bankruptcy
Beauty and Wellness Practice
Betting, Lotteries and Gaming Practice Group
Blue Economy & Maritime Law Unit
C
Capital Markets, Private Equity & Investment Funds
Charities and Social Impact Practice
Civil Fraud, Asset Tracing & Recovery
Climate & Nature Markets
Commercial & Business Law
Competition, Anti-trust Law and Consumer Protection Practice
Construction Contracts & Project Finance
Corporate Governance & Regulatory Defence
Corporate Law
Corporate Restructuring & Special Situations
Customs & Trade Compliance
D
Debt Recovery, Restructuring & Insolvency
Digital Assets, Crypto-Currency & Blockchain
E
Employment Law & Industrial Relations
Energy Regulation & Market Reform
Entity Set-up, Governance and Compliance
Environmental & Community Relations
F
Family Business Services
Family Law
Fashion, Apparel & Luxury Practice
Financial Services, Innovation & Regulation (Fin-SIR) Practice
Fintech & Digital Innovation
Forensics Investigations Support
H
Healthcare, Life Sciences & Pharmaceuticals Practice
Hospitality, Travel & Leisure (HTL)
Hybrid Capital & Structured Finance
I
Immigration & Global Mobility
Infrastructure & Transport Projects
Insurance Practice
Intellectual Property and Technology
International Private Wealth Practice
International Trade & Investment
Investigations, Compliance & Regulatory Defence
L
Licensing & Regulatory Compliance
Litigation and Dispute Resolution
Local and International Private Clients
M
M&A’s, Share Deals and Restructuring
Multilateral Organizations, Foreign Embassies & Consulates
N
Natural Resources & Biodiversity
Notarization, Authentication and Consular Legalization
O
Oil, Gas & Minerals Law
P
Pension Schemes, Employee Benefits & Incentives
Power Generation & Transmission
Private Equity & Venture Capital
Private Wealth
Public Procurement & Strategic Partnerships (P2P) Practice
Public-Private Partnerships (PPPs)
R
Real Estate Development Projects and Joint Ventures
Real Estate Finance
Real Estate Leasing and Licensing
Regulated Industries & Professionals
Renewable Energy & Transition Projects
S
Social and Affordable Housing
Sports Law & Business Practice
Sustainable Finance & Green Investment
T
Tax & International Business Advisory Unit
Technology, Media & Telecommunications (TMT), Data Protection & Cybersecurity Practice
Transfer Pricing & Cross-Border Structuring
U
Urban Development & Smart Cities
W
Workplace Investigations & Compliance

IF IT'S URGENT, PLEASE

CALL +254 716 209 673