A landmark ruling by the Office of the Data Protection Commissioner (ODPC) has found Momentum Credit Limited liable for violating the data privacy rights of a Kenyan citizen, ordering the company to pay Ksh 500,000 in compensation.
The decision, issued under the provisions of the Data Protection Act 2019, follows a complaint filed by Mary Ogwena Immaculate, who accused the lender of persistently sending unsolicited promotional text messages despite her clear objection.
The ODPC determined that the company’s actions amounted to unlawful processing of personal data and caused the complainant significant emotional distress and anxiety.
According to the findings, between February and May 2025, Ogwena received over 50 unsolicited marketing messages from individuals acting on behalf of Momentum Credit Limited. She maintained that she had never been a customer of the company and had never provided consent, either explicitly or implicitly, for her personal data, including her mobile number, to be used for marketing purposes.
Despite reportedly instructing the senders to stop, the messages continued, escalating the situation into what the ODPC described as harassing conduct rather than legitimate commercial communication.
In its determination, the ODPC emphasized that consent is a fundamental requirement under Kenyan data protection laws, and organizations must demonstrate a lawful basis before processing personal data. The regulator found that Momentum Credit Limited failed on both counts, lacking consent and ignoring the complainant’s right to object.
The company attempted to distance itself from the messages by attributing them to so-called “rogue agents.” However, the ODPC firmly rejected this defense, stating that companies are fully accountable for the actions of agents, marketers, or third parties acting on their behalf.
The ruling reinforces the principle that outsourcing marketing functions does not absolve organizations from compliance with data protection obligations.
In addition to the financial compensation, the ODPC issued an enforcement notice requiring Momentum Credit Limited to implement corrective measures to ensure future compliance with data protection laws. These include reviewing its data handling practices, strengthening oversight over third-party agents, and ensuring that all marketing communications are based on valid consent.
Momentum Credit Limited has been ordered to pay Kshs. 500,000 to Mary Ogwena for sending her over 50 unsolicited promotional messages. The ODPC found that the messages sent by agents promoting the company’s services, caused her distress and amounted to a clear violation of her… pic.twitter.com/B0mD8UEwAJ
— Thuranira (@Thuranira_1) May 1, 2026
The determination also grants both parties the right to appeal the decision at the High Court within 30 days.
This case marks a significant step in the enforcement of data privacy rights in Kenya, signaling a stricter regulatory stance against unsolicited digital marketing and misuse of personal data. It sends a clear message to businesses operating in the country that failure to comply with data protection laws carries real financial and reputational consequences.
For consumers, the ruling affirms their rights to privacy and control over personal data, including the right to refuse marketing communications and to seek redress when those rights are violated.
