Suit No: FHC/ABJ/CS/1181/2025 · Federal High Court of Nigeria, Abuja Judicial Division
Before Justice Obiora Atuegwu Egwuatu · Decided: 11 June 2026 · Certified True Copy stamped 22 June 2026
On 11 June 2026, the Federal High Court of Nigeria delivered a judgment that any lawyer advising on data protection should read carefully — not because it applies EU law, but because it enforces principles that are structurally identical to GDPR, and it enforces them with teeth.
The case is Onimisi v. Guaranty Trust Holding Company Plc. A Nigerian resident received an unsolicited promotional SMS from a subsidiary of one of Africa's largest banking groups. He was not a customer. He objected in writing. The bank acknowledged his objection, promised to stop — and sent another promotional message two weeks later. He sued. The court declared the bank's conduct unlawful, ordered it to disclose the source of his personal data including any data brokers involved, and awarded damages.
This is not an academic data point. It is a template for what enforcement looks like when data protection obligations are taken seriously by a court.
The facts
On 9 April 2025, the applicant received a promotional SMS on his personal number reading: "Introducing Fund 724 by Guaranty Trust Fund Managers. Get 17.5% on your savings when you dial 724# to save." He had never been a customer of Guaranty Trust Bank or any of its subsidiaries. He had never provided his personal data to the Respondent. The promotional message contained no opt-out mechanism.
On 10 April 2025, he emailed the Respondent requesting: (1) disclosure of the source of his personal data; (2) the legal basis for processing; (3) immediate cessation of all marketing communications; and (4) deletion of his data. The Respondent's Customer Experience Management Team acknowledged the complaint, issued a reference number, and assured him the matter would be resolved within 14 days.
On 23 April 2025 — while that promise was still live — he received another promotional SMS in the same series. He brought proceedings under the Nigeria Data Protection Act 2023 (NDPA) and Section 37 of the Nigerian Constitution, which guarantees the right to privacy.
What the court decided
Justice Egwuatu framed the whole case around a single issue: whether the applicant had made out his case for the reliefs sought. On that issue, he found entirely in the applicant's favour.
On the data controller question, the court applied the NDPA's definition — which mirrors GDPR Article 4(7) — finding that GTCO, as the holding company directing its subsidiaries' marketing activity, clearly determined the purposes and means of processing. The submission that Guaranty Trust Bank Ltd (the subsidiary served with process) was a distinct legal entity, and therefore no liability could attach, was rejected. The subsidiary's attempt to intervene as a separate party was described by the court as "a meddlesome interloper."
Before reaching lawful basis, the court set out the foundational processing principles under NDPA section 24(1) — the direct equivalent of GDPR Article 5. Personal data must be processed fairly, lawfully and transparently; collected for specified, explicit and legitimate purposes; and used only in a manner compatible with those purposes. The Respondent had never disclosed to the applicant why it held his data or on what basis it was using it. That failure engaged the transparency obligation before any lawful basis question even arose.
On lawful basis, the court applied NDPA section 25 — equivalent to GDPR Article 6 — noting that processing is lawful only where it is based on consent, contract, legal obligation, vital interest, public task, or legitimate interest. None applied: the applicant was not a customer, had no relationship with the Respondent, and had never provided consent. The court stated this plainly:
"The Applicant could not have and did not provide consent for the purpose of his personal data, particularly for direct marketing purposes, whether expressly, impliedly, or through any pre-existing relationship."
On the right to object, the court applied NDPA sections 36(1), (3) and (4) — mirroring GDPR Article 21 — holding that once a data subject objects to direct marketing, processing for that purpose must immediately cease. Sending a second SMS after a written objection was, the court held, a clear and deliberate breach of that right.
On the constitutional right to privacy, the court relied on the landmark appellate decision in Incorporated Trustees of Digital Lawyers Initiative v. National Identity Management Commission (2021) LPELR-55623(CA), where the Court of Appeal confirmed that the constitutional right to privacy expressly includes the right to protection of personal information and personal data. It further relied on Emerging Markets Telecommunication Services Ltd v. Eneye (2018) LPELR-46193(CA), which held that providing third parties access to a subscriber's phone line without consent violated the subscriber's right to privacy — including the right to the privacy of a personal telephone line.
The orders made
Court orders — Onimisi v. GTCO (11 June 2026)
- Declaration that processing the applicant's personal data for direct marketing was contrary to Section 37 of the Nigerian Constitution — unlawful, illegitimate, null and void.
- Declaration that the processing violated Sections 24, 34, 35 and 36 of the NDPA 2023 — unlawful and illegitimate.
- Declaration that continued processing after the applicant's written objection breached Section 36(1) and (3) NDPA 2023.
- Order to cease and desist from sending further direct marketing messages relating to Fund 724.
- Order to disclose the source from which the applicant's personal data was obtained, including any third parties or data brokers involved.
- Damages awarded.
Five things this tells GDPR compliance teams
The NDPA 2023 was modelled closely on GDPR. The parallels between the Nigerian court's reasoning and EU data protection law are not incidental — they are structural. Here is what this judgment signals for organisations operating under GDPR.
1. The right to object to direct marketing is absolute — and it applies immediately. GDPR Article 21(2) and (3) are unambiguous: where a data subject objects to processing for direct marketing, the processing must stop. Not after a reasonable period. Not after investigation. Immediately. This court has now put that principle into a live judgment against a major financial institution. In-house teams and DPOs should audit whether their operational processes actually deliver this — from the moment an objection is logged to the moment outbound systems are updated.
2. Legitimate interest does not cover cold outreach to non-customers. Organisations that rely on Article 6(1)(f) legitimate interest as a basis for marketing to individuals with whom they have no prior relationship should treat this judgment as a prompt to revisit that position. Where the data subject is not a customer, has never provided data voluntarily, and has no reasonable expectation of contact, it is very difficult to argue that legitimate interest — which requires a balancing test — can justify processing for direct marketing purposes.
3. No opt-out at first contact is itself a violation. The court noted as a specific aggravating factor that the first promotional message contained no mechanism for opting out. GDPR Article 21(4) requires that this right is explicitly brought to the data subject's attention at the point of first communication. If your direct marketing messages do not contain a clear, functional opt-out at first send, you are already in breach — before the data subject has even objected.
4. Courts will order disclosure of data brokers and data sources. The court made a specific order requiring the Respondent to disclose the source from which it obtained the applicant's data, including any third parties or data brokers involved. GDPR Articles 13 and 14 already require this as a transparency obligation. But this judgment shows courts will enforce it as a standalone order when it is withheld. For any organisation that acquires marketing lists, uses data enrichment services, or purchases contact data, the question is not just "do we have a lawful basis?" — it is "can we trace and disclose exactly where this person's data came from?"
5. Holding company structures do not shield you from liability. GTCO attempted to argue that it was a distinct legal entity from the subsidiary that sent the marketing messages, and that the subsidiary had no data belonging to the applicant. The court rejected this as an attempt to use corporate structure as a compliance shield. Under EU law, group-wide data processing is well within the scope of GDPR enforcement, and supervisory authorities have consistently looked through subsidiary arrangements where the processing is directed by the parent.
Key case law relied upon
| Case | Point established |
|---|---|
| Incorporated Trustees of Digital Lawyers Initiative & Ors v. NIMC (2021) LPELR-55623(CA) | Constitutional right to privacy includes the right to protection of personal information and personal data. |
| Emerging Markets Telecommunication Services Ltd v. Eneye (2018) LPELR-46193(CA) | Providing third parties access to a subscriber's phone line without consent violates the right to privacy of a personal telephone line. |
| Olakehinde v. EFCC (2025) LPELR-80483(SC) | Right to privacy under Section 37 of the Nigerian Constitution is not absolute but is constitutionally protected — limitations must be justified. |
| Lawson v. Okoronkwo (2019) 3 NWLR Pt. 1658 Pg. 66 | Facts not disputed or challenged are deemed admitted. GTCO's failure to respond on the merits was treated as concession of the factual case against it. |
| Jim-Jaja v. Commissioner of Police, Rivers State (2013) 5 NWLR (Pt. 1350) Pg. 225 | Once a breach of fundamental rights is proved, the applicant is entitled to damages — damages are presumed to flow from the breach. |
| Okala v. Udah (2019) LPELR-55269(SC) | The quantum of damages in fundamental rights breach cases need not be specifically pleaded — the objective reasonable person standard applies. |
| Mitin v. Commissioner of Police, Bayelsa State (2023) 18 NWLR (Pt 1898) 259 | In fundamental rights enforcement proceedings, the applicant bears the burden of proving the alleged breach — here discharged by undisputed affidavit evidence. |
| Nwali v. EBSIEC & Ors (2015) 2 CAR 477 at 508–510 | A personal telephone line enjoys constitutional privacy protection — third-party access without consent is an interference with the right to privacy. |
Why this matters beyond Nigeria
African data protection frameworks are converging with GDPR. The NDPA 2023 joins Kenya's Data Protection Act 2019, South Africa's POPIA, and Ghana's Data Protection Act as statutes that substantially mirror EU data protection principles. Courts in these jurisdictions are now interpreting and enforcing them.
For EU organisations with data flows to or marketing activities in these markets — financial institutions, telecoms, fintechs, and any company using data enrichment services — this judgment is a signal that the compliance gap between "having a policy" and "operating compliantly" is being tested in real litigation, not just regulatory investigations.
For data protection officers and in-house counsel managing group-wide compliance programmes, the Onimisi v. GTCO judgment is a useful case study to bring to the board. It translates what GDPR Articles 6, 13, 14 and 21 actually require — into the language of a live court order against a named institution.
The message is not new. But the court has now said it out loud: you cannot market to someone whose data you obtained without their knowledge, ignore their objection, and hide behind a subsidiary. The law is clear, and courts will enforce it.
Is your direct marketing programme compliant?
This article is general analysis — it is not legal advice and does not account for your organisation's specific circumstances. If you want a view on your direct marketing compliance position or your data processing arrangements, that is exactly the kind of work we take on.