The Federal High Court in Abuja has ordered Guaranty Trust Holding Company Plc (GTCO) to immediately cease sending direct marketing messages to a non-customer and disclose the source of the individual’s personal data.
Justice Obiora Egwuatu issued the order in a judgment delivered on June 11, 2026, following a lawsuit filed by Mr. Abdulmalik Muhaimin Onimisi over an alleged breach of his data privacy rights.
The court specifically directed GTCO to stop sending promotional messages relating to “Fund 724,” an investment product offered by Guaranty Trust Fund Managers, pursuant to Section 36 of the Nigeria Data Protection Act (NDPA), 2023.
Justice Egwuatu also ordered the company to reveal how it obtained the applicant’s personal information, including details of any third parties or data brokers involved in the collection and processing of the data.
According to the applicant’s counsel, Barrister Oladipupo Ige, Onimisi is not an account holder with any subsidiary of GTCO. Despite having no relationship with the company, he allegedly received an unsolicited promotional text message on April 9, 2025, advertising “Fund 724.”
The applicant maintained that he never provided his personal information to the bank and became concerned about how the institution obtained and used his data.
Following the message, Onimisi sent an email to the company on April 10, 2025, requesting disclosure of the source of his personal data, the legal basis for processing the information, the cessation of all marketing communications, and the deletion of his data from the company’s records.
His lawyer argued that GTCO’s refusal to disclose the source of the data raised serious concerns regarding the unlawful acquisition, sharing, and commercialization of personal information. He further claimed that the continued processing of the data caused psychological distress, apprehension, loss of business opportunities, and financial costs to the applicant.
In response, counsel to the bank, G.O. Ejem, argued that the wrong entity had been served with the court processes. He maintained that Guaranty Trust Bank Ltd (GTBank), which received the originating documents, is a separate legal entity from Guaranty Trust Holding Company Plc, the company named in the suit.
The defence stated that GTBank conducted an internal review and confirmed that the applicant was not a customer and had no account or personal data stored with the bank. The bank also denied sending any message to the applicant.
According to the defence, GTBank could not have violated the applicant’s rights because it neither possessed nor processed his personal information. The bank also argued that the applicant failed to provide evidence of psychological trauma, business losses, or damages allegedly suffered from the unsolicited message.
However, Justice Egwuatu held that the respondent, in the course of its business operations, retains and processes customer information and serves as the holding company of Guaranty Trust Fund Managers, whose investment product was being promoted.
The court found that the applicant was not a customer of the respondent and had never voluntarily provided any personal information to the company.
The judge ruled that the applicant neither gave consent nor had any pre-existing relationship that would justify the processing of his personal data for direct marketing purposes.
He further held that the applicant successfully established that his constitutional right to privacy, guaranteed under Section 37 of the 1999 Constitution, had been violated.
Consequently, the court declared the processing of the applicant’s personal data for advertising and direct marketing purposes unlawful, illegitimate, null, and void.
The court also declared the unsolicited promotional text message sent to the applicant unlawful and held that GTCO breached his fundamental rights through its actions and omissions.
The judgment reinforces the provisions of the Nigeria Data Protection Act, 2023, which seeks to protect the privacy rights of individuals and ensure that data controllers and processors comply with their obligations regarding the collection, storage, and use of personal information.
Legal observers say the ruling could have significant implications for data privacy compliance and direct marketing practices among financial institutions and other corporate entities operating in Nigeria.
