15—Permitted commercial use of personal data

15.

(1) A data controller or data processor may use personal data, other than sensitive personal data, concerning a data subject for the purpose of direct marketing where—

(a)  the data controller or data processor has collected the personal data from the data subject;

(b)  a data subject is notified that direct marketing is one of the purposes for which personal data is collected;

(c)  the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;

(d)  the data controller or data processor provides a simplified opt out mechanism for the data subject to request not to receive direct marketing communications; or

(e)  the data subject has not made an opt out request.

(2) A data controller or data processor shall not transmit, for the purposes of direct marketing, messages by any means unless the data controller or data processor indicates particulars to which a data subject may send a request to restrict such communications without incurring charges.

(3) A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail—

(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed;

(b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; or

(c) where there is use of automated calling systems without human intervention.

(4) A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence and is liable, on conviction, to a fine not exceeding twenty thousand shillings or to a term of imprisonment not exceeding six months, or to both fine and imprisonment.

77  PART III—RESTRICTIONS ON THE COMMERCIAL USE OF PERSONAL DATA