Federal High Court orders GTCO to pay ₦250,000 for sending unsolicited marketing messages to non-customer

A Federal High Court sitting in Abuja has ruled that Guaranty Trust Holding Company Plc (GTCO) violated the privacy and data protection rights of a man. He was never a customer. Yet, the company’s subsidiary, Guaranty Trust Fund Managers, sent him repeated promotional text messages that he did not consent to receive and could not opt out of.

Justice Obiora Atuegwu Egwuatu delivered judgement on June 11, 2026, in a suit filed by Abdulmalik Muhaimin Onimisi against GTCO, awarding him ₦200,000 in general damages and ₦50,000 in litigation costs, while dismissing several other reliefs he had sought, including ₦5 million in exemplary damages, ₦35 million in general damages, and an order compelling the bank to disclose how it obtained his phone number in the first place.

What happened

Onimisi’s case, as laid out in his supporting affidavit, was straightforward. He owns the phone number 0814******* but holds no account with any subsidiary of GTCO. On April 9, 2025, he received an unsolicited text message advertising Fund 724 by Guaranty Trust Fund Managers, promising 17.5% returns on savings. The message carried no mechanism for opting out or objecting to further contact.

Alarmed that an institution he had never done business with somehow had his number, he emailed the bank the next day demanding three things. He wanted the source of his personal data disclosed, the legal basis for processing that data explained, and all marketing communications stopped, along with deletion of his data from the company’s systems.

The bank’s customer experience management team acknowledged his complaint, issued a reference number, and promised resolution by April 14, 2025. The promise did not hold. On April 23, 2025, Onimisi received a second promotional message identical in substance to the first. The company had neither disclosed the source of his data nor stopped processing it for marketing purposes despite his explicit objection.

He approached the Federal High Court seeking declarations that the conduct breached his constitutional right to privacy under section 37 of the 1999 Constitution and his data protection rights under sections 24, 34, 35, and 36 of the Nigeria Data Protection Act 2023, along with orders compelling disclosure of the data source and an award of damages.

The jurisdictional fight that almost derailed the case

Before the substantive privacy question could be addressed, the court had to resolve a procedural dispute that occupied a significant portion of the judgement.

Onimisi sued Guaranty Trust Holding Company Plc, the parent entity. But when the court bailiff went to serve the originating processes, he went to the address at Plot 635 Akin Adeshola Street, Victoria Island, Lagos, which turned out to be the office through which Guaranty Trust Bank Ltd, a subsidiary of the holding company, operates.

According to the bailiff’s affidavit of service, deposed by Ayuba Sule on November 26, 2025, an officer at that address initially read the process, realised the matter was coming up the following day, and refused to endorse it on the ground that the date given was too short. The officer handed the document back. The bailiff then dropped it on the officer’s table and left, treating service as effected.

Guaranty Trust Bank Ltd showed up in court to argue that this amounted to no service at all on the actual respondent. Counsel for the bank raised two arguments. The first was that the respondent on record, GTCO, had simply never been served, since the process landed at the bank’s address and was received by the bank’s staff rather than the holding company’s. Counsel argued that this defect went to the root of the court’s jurisdiction.

The second argument was that the application disclosed no reasonable cause of action against Guaranty Trust Bank Ltd specifically, since nothing in Onimisi’s affidavit alleged any wrongdoing by the bank itself, and the mere fact that the bank is a subsidiary of the holding company could not by itself ground a cause of action.

The bank also disputed the facts directly. It said it searched its own customer records and confirmed Onimisi was not a customer, holds no account with it, and that GTBank itself never sent him any message. It argued that the reply email he received, sent by one Victor Olatokunbo of the Customer Experience Management Team, was not an automated message but a personal response made under the mistaken belief that he was a customer, a belief the bank says it corrected once it checked its records.

On this basis, GTBank argued it had not violated any of Onimisi’s rights, possessed none of his personal data, and could not be held to comply with demands relating to data it never had. It urged the court to dismiss the suit against it entirely, characterising its inclusion in the case as an unnecessary drag into litigation for conduct it was not responsible for.

The court did not accept this. Justice Egwuatu noted that Onimisi failed to file a reply joining issues with the bank’s jurisdictional arguments, which under settled Nigerian civil procedure typically means the unanswered points are deemed conceded. But the court was clear that a deemed concession does not automatically hand the respondent victory. It still had to examine the merits.

On the merits of service, the judge found that since the respondent had not denied that the Victoria Island address was indeed its address and office, dropping the process there satisfied Order 6 Rule 8 of the Federal High Court (Civil Procedure) Rules 2019, which permits this mode of service on a company. The judge held that the holding company was therefore duly served but simply elected not to participate in the proceedings.

On the cause of action point, the judge agreed with the bank that Onimisi’s actual grievance was never directed at Guaranty Trust Bank Ltd as a standalone entity. Nothing in his case alleged the bank itself had done anything wrong. The judge described the bank’s intervention in the suit as that of “a meddlesome interloper,” adding pointedly that if the bank genuinely believed the process was meant for it rather than the holding company, the proper move would have been to apply to set aside service on itself, rather than appear to argue the holding company was never served at all.

With the jurisdictional and cause of action arguments disposed of, the court turned to the substance of the privacy claim.

The privacy and data protection arguments against GTCO

The court framed the entire substantive dispute around one question: had Onimisi made out a case to be entitled to the reliefs he sought?

It started from section 37 of the Constitution, which guarantees the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications. The judge was careful to note this right is not absolute. Section 45(1) of the Constitution allows laws that are reasonably justifiable in a democratic society to override Sections 37 and several other rights. But the burden remained on Onimisi to establish, by credible evidence, that his rights had actually been violated.

Because GTCO had been served but chose not to defend itself on the substantive facts, the judge applied the rule that facts deposed to and left unchallenged are deemed admitted. This meant Onimisi’s account of events stood essentially unrebutted on record.

The judge then walked through the Nigeria Data Protection Act‘s framework in detail. Section 65 of the NDPA defines a data controller as anyone, alone or jointly with others, who determines the purposes and means of processing personal data. The court found that GTCO, which in the ordinary course of business retains and processes banking information for its customers and serves as the holding company for Guaranty Trust Fund Managers, fits squarely within that definition, particularly since it was the entity sending direct marketing on behalf of Fund Managers to Onimisi’s number.

The judge then addressed consent directly. It was in evidence that Onimisi was not a customer of the respondent and had never voluntarily submitted any personal information to it. The court held that he therefore could not have, and did not, give consent for the processing of his data for direct marketing, whether express, implied, or arising from any prior relationship.

Section 24(1) of the NDPA requires data controllers and processors to ensure personal data is processed fairly, lawfully, and transparently and collected only for specified, explicit, and legitimate purposes without further processing incompatible with those purposes. Section 25 sets out the only lawful bases on which processing can proceed: consent, contract, legal obligation, vital interest, public task, or legitimate interest. The judge agreed with Onimisi’s submission that none of these six bases applied to his situation, since he was not a customer, had never supplied his information, and had never consented to its use.

Sections 34, 35, and 36 of the Act were then read together to establish the rights this framework confers on a data subject: the right to know the source of personal data, the right to request erasure, the right to restrict processing, the right to withdraw consent, and the right to object to processing, particularly direct marketing. Crucially, the court held that once a data subject objects to direct marketing, processing must cease immediately.

Applying this to the facts, the judge found that the Fund 724 message clearly constituted direct marketing and that Onimisi had objected to it through his email of April 10, 2025, an objection the respondent acknowledged the same day. Despite that acknowledgement and despite an explicit assurance that the matter would be escalated and resolved, the respondent sent another identical promotional message on April 23, 2025.

The court held this conduct squarely violated sections 36(1), (3), and (4) of the NDPA, which give a data subject the right to object to processing generally and to object to direct marketing at any time specifically and require that processing for direct marketing cease once such an objection is made.

On the strength of this analysis, the court held that Onimisi had established that the respondent breached his right to privacy under section 37 of the Constitution, resolving the sole substantive issue in his favour.

What the court actually awarded, and what it refused

The court granted three of Onimisi’s nine original reliefs in close to the form requested, and one in heavily reduced form, while refusing the rest outright.

• It declared that processing his personal data for advertisement and direct marketing purposes violated his right to privacy under section 37 of the Constitution, and was therefore unlawful, illegitimate, null, and void.
• It separately declared that the same conduct violated his data privacy rights under sections 24, 34, 35, and 36 of the NDPA, again rendering it unlawful and illegitimate.
• It further declared that the continued processing of his data for marketing purposes after he had objected amounted to a specific breach of his right to object under section 36(1) and (3) of the Act. The court also ordered the respondent to cease and desist from sending him any further direct marketing messages concerning Fund 724.

Where the judgement diverged sharply from what was asked was on disclosure and money.

• Onimisi had sought an order compelling the respondent to disclose the source from which it obtained his personal data, including any third parties or data brokers involved. The court refused this relief, offering no separate reasoning for the refusal beyond listing it among the reliefs declined. This leaves the central practical question in the case, how a non-customer’s phone number ended up in a bank’s marketing database, formally unresolved on the court record.
• On money, the gap between what was sought and what was awarded was substantial. Onimisi had asked for ₦5 million in exemplary damages specifically tied to the breach of his fundamental rights. The court refused this entirely. He had asked for ₦35 million in general damages. The court awarded ₦200,000 instead, a little over half of 1% of the sum requested. He had asked for ₦1 million to cover the cost of litigation. The court awarded ₦50,000.

The judgement closes with all other reliefs simply refused, without itemised reasoning attached to each.

Speaking on the outcome, Ige described it as a good case to have worked on, but said the damages awarded fell short of expectations. He indicated that Onimisi’s legal team intends to appeal the judgement, presumably on the question of quantum, given the wide gap, as well as the court’s refusal to compel disclosure of how GTCO obtained Onimisi’s personal data in the first place.