Aventus Technology Limited v Ndambuki [2025] KEHC 9218 (KLR) | Data Protection | Esheria

Aventus Technology Limited v Ndambuki [2025] KEHC 9218 (KLR)

Full Case Text

Aventus Technology Limited v Ndambuki (Civil Appeal 447 of 2024) [2025] KEHC 9218 (KLR) (Commercial and Tax) (27 June 2025) (Judgment)

Neutral citation: [2025] KEHC 9218 (KLR)

Republic of Kenya

In the High Court at Nairobi (Milimani Commercial Courts)

Commercial and Tax

Civil Appeal 447 of 2024

AN Ongeri, J

June 27, 2025

Between

Aventus Technology Limited

Appellant

and

Daniel Ndambuki

Respondent

(Being an appeal from the judgment of Office of the Data Protection Commission (ODPC) in ODPC Complaint No. 2506 of 2023 delivered on 4th March 2024)

Judgment

1. The Respondent in this appeal, Daniel Ndambuki filed ODPC Complaint No. 2506 of 2023 against the Appellant on the basis of endless calls made to the Respondent by the Appellant’s agents.

2. The Respondent’s complaint was that he was receiving the calls from certain phone numbers 0709xxxx00 and 0111xxxx44 over someone else who borrowed a loan from Lendplus, a product of the Appellant.

3. The Respondent said he was unaware of the loan and further that the Appellant’s Agents should have called the borrower instead of pestering him with calls and verbal abuses.

4. The Appellant in their response said that it was the borrower who gave them the Respondent to be used as a contact person when the borrower was not available.

5. The ODPC found that the Respondent’s rights were violated but there was no financial loss on the part of the Respondent.

6. The ODPC ordered the Appellant to pay compensation of Kshs. 250,000/= as damages and issued an enforcement notice against the Appellant.

7. The Appellant is aggrieved with the determination and has appealed on the following grounds:-i.The Office of the Data Protection Commissioner erred in law and fact by finding that the Appellant had violated the Respondent’s right to privacy.ii.The Office of the Data Protection Commissioner erred in law and fact by denying the Appellant had failed to fulfil its obligation as a data controller as per the terms of the Data Protection Act, 2019. iii.The Office of the Data Protection Commissioner erred in law and in fact by failing to find that the Appellant did not breach the Respondent’s right to privacy as the same was under the control of the data processor which is this case was the loan borrower.iv.The Office of the Data Protection Commissioner erred in law by awarding the Respondent compensation of Kshs. 250,000/= as damages for distress when the same was not pleaded or proven.v.The Office of the Data Protection Commissioner erred in law and fact by failing to provide in its decision the basis, criteria and rational for awarding the Respondent compensation of Kshs. 250,000/= as damages.

8. The parties filed written submissions as follows:-

9. The Appellant, a licensed Digital Credit Provider in Kenya, appealled against the decision of the Office of the Data Protection Commissioner (ODPC) which found it in violation of the Respondent’s data privacy rights and awarded damages of Kshs. 250,000.

10. The Appellant argued that it complied fully with the Data Protection Act by obtaining the Respondent’s explicit consent through a pop-up message, which the Respondent accepted, authorizing the use of his contact details as an emergency contact for the borrower, Webstar Moindi.

11. The Appellant asserted that the Respondent was aware of the purpose of data collection and its intended use, fulfilling the requirements under Sections 28 and 29 of the Act.

12. It further contended that the ODPC disregarded its evidence of compliance and failed to justify its findings, thereby erring in law and fact.

13. The Appellant also challenged the ODPC’s award of damages, arguing that the Respondent neither pleaded nor proved any actual injury or distress to warrant compensation.

14. It submitted that the ODPC for failed to provide a rationale for the Kshs. 250,000 award, violating the Appellant’s right to fair administrative action under Article 47 of the Constitution.

15. Citing case law, the Appellant emphasized that general damages must be supported by evidence of harm, which the Respondent failed to demonstrate.

16. It further argued that the award was excessive and arbitrary, lacking legal or factual basis. Should the court uphold the finding of liability, the Appellant urges a reduction of damages to Kshs. 50,000.

17. In conclusion, the Appellant submitted that the ODPC’s decision should be overturned, asserting that it adhered to data protection laws and that the damages awarded were unjustified.

18. It asks the court to set aside the ruling or, alternatively, to substantially reduce the compensation.

19. The respondents fully supported the Data Commissioner's determination and urge the court to dismiss the appeal.

20. The respondent submitted that the dispute arose from the appellant's infringement of the respondent's right to privacy under Article 31 of the Constitution and the Data Protection Act, 2019.

21. That the appellant, a data controller, unlawfully used the respondent's phone number—without consent—as a guarantor contact for a third party's loan, leading to incessant harassment by debt collectors.

22. The Data Commissioner correctly found the appellant liable for failing to obtain consent, violating Section 32(1) of the Act, and awarded Kshs. 250,000 in damages, a reasonable sum aligned with precedent (see Muthoni v Solpia Kenya Limited and Wanjiru v Machakos University).

23. Further, the respondent submitted that the appellant’s claim that damages were unpleaded is baseless, as Section 65 of the Act expressly permits compensation for breaches.

24. It said that the award was discretionary, justified, and consistent with comparable cases.

25. Finally, the respondent submitted that the appeal lacks merit, and sought its dismissal with costs.

26. The issues for determination in this appeal are as follows:-i.Whether the ODPC was right in holding the Appellant liable for violation of the Respondent’s rights.ii.Whether the award of Kshs. 250,000/= was excessive.

27. On the issue as to whether the Office of the Data Protection Commissioner (ODPC) correctly found the Appellant liable for violating the Respondent’s right to privacy under Article 31 of the Constitution and the Data Protection Act, 2019, the Appellant contended that it obtained the Respondent’s consent through a pop-up message authorizing the use of his contact details as an emergency contact for the borrower, Webstar Moindi.

28. However, the Respondent denied giving such consent, and the Appellant’s reliance on alleged pop-up consent is insufficient to discharge its burden under Section 32(1) of the Data Protection Act, which requires explicit, informed, and unambiguous consent.

29. The ODPC’s finding that the Appellant failed to prove valid consent is consistent with the holding in Solpia Kenya Limited v Muthoni [2022] eKLR, where the court emphasized that data controllers must demonstrate clear consent, not merely assume it.

30. Further, in Wanjiru v Machakos University [2023] eKLR, the court affirmed that unsolicited communications, especially those causing distress, constitute a violation of privacy rights.

31. The Appellant’s argument that the borrower, as the data processor, controlled the Respondent’s data is misconceived.

32. Under Section 2 of the Data Protection Act, the Appellant, as the data controller, bears ultimate responsibility for ensuring compliance with the Act, including obtaining consent and protecting data subjects from harassment.

33. The ODPC was therefore correct in holding the Appellant liable for the violation.

34. On the second issue, the award of Kshs. 250,000 as damages for distress, the Appellant argued that the Respondent neither pleaded nor proved actual harm.

35. While it is true that damages must be supported by evidence, the Data Protection Act under Section 65 expressly permits compensation for breaches, including non-pecuniary harm such as distress and inconvenience.

36. The ODPC’s discretionary award aligns with precedent. In Solpia Kenya Limited v Muthoni, the court upheld an award of Kshs. 200,000 for similar violations, while in Wanjiru v Machakos University, Kshs. 300,000 was deemed appropriate for unlawful data use causing emotional distress.

37. The ODPC’s award of Kshs. 250,000 is neither excessive nor arbitrary, as it falls within the range of comparable cases and reflects the need to deter unlawful data practices.

38. The Appellant’s suggestion to reduce the award to Kshs. 50,000 lacks merit, as such a nominal sum would undermine the Act’s deterrent purpose and trivialize the Respondent’s suffering.

39. In conclusion, the ODPC’s determination was grounded in law and fact, and the compensation awarded was justified.

40. The appeal is dismissed with costs to the Respondent. The Appellant shall comply with the ODPC’s enforcement notice within 30 days.

41. The Appellant shall bear the costs of this appeal.

DATED, SIGNED AND DELIVERED THIS 27THJUNE 2025 VIRTUALLY VIA MT AT VOI HIGH COURT.ASENATH ONGERIJUDGEIn the presence of:-Court Assistants: Maina/Millicent…………………………………………….for the Appellant…………………………………………….for the Respondent