Do you always need consent to process data? – 7 Lawful Basis for Processing Personal Data in Kenya

Is it necessary to seek consent every time personal data is processed? Contrary to popular belief, the answer is No!

There’s a widespread misconception that consent reigns supreme in all data processing activities. Many organizations are fixated on the idea that consent is mandatory for every processing activity under the Kenyan Data Protection Act. However, the reality is far more nuanced. Processing personal data can be grounded in other lawful bases. While obtaining consent remains a valid method of data processing, it’s essential to recognize that there are alternative legal avenues where consent may not be obligatory.

Regardless of the purpose of processing personal data, such actions are presumably not permitted unless the data controller or processor has a valid lawful basis to do so. Several lawful bases exist for processing personal data, with no single basis being inherently superior or more significant than the others.

The choice of lawful basis depends on the purpose of the processing and the relationship with the individual involved. It’s crucial to establish the appropriate lawful basis before commencing processing and to meticulously document it for each processing activity.

Additionally, it’s important to emphasize that each processing activity should rely on only one legal basis at a time.

Below are the 7 Lawful basis as provided by the Kenya Data Protection Act 2019

1. CONSENT

What is Consent? The Data Protection Act Kenya defines consent as a lawful basis wherein the data subject has provided clear, informed consent for the processing of personal data for a specific purpose. Consent must be freely given, informed, specific, and unambiguous. It must be a statement or clear affirmative action signifying agreement to the processing, with the right for the person to withdraw consent at any time. Entities] are obliged to maintain verifiable records of consent, particularly concerning treatment.

Free consent entails that the data subject’s agreement represents a genuine and voluntary choice. It is only valid if the data subject can freely make a choice without any risk of deception, intimidation, coercion, or significant negative consequences if they do not consent.

Informed consent necessitates that the data subject has adequate information before making a decision. This includes a clear and easily understandable description of the subject matter requiring consent.

Specific consent requires that consent is tailored to the processing purpose, clearly described, and unambiguous. This aligns with the quality of information provided about the purpose of consent.

Unambiguous consent mandates that all consent must be given clearly and without doubt. There should be no reasonable uncertainty regarding the data subject’s intent to agree to the processing of their data. For instance, inactivity from a data subject does not indicate unambiguous consent.

2. PERFORMANCE OF A CONTRACT

Personal data may be processed if the processing is necessary for the performance of a contract to which the data subject is a party. Data controllers and processors can process personal data to fulfill contractual obligations and should refrain from using the data for purposes unrelated to contract performance. This provision applies not only to existing contracts but also extends to pre-contractual relationships. For example, when parties are in the process of negotiating a contract and data processing is necessary to facilitate this process, it is considered legitimate as long as it is required to take steps at the request of the data subject prior to entering into the contract.

3. COMPLIANCE WITH LEGAL OBLIGATION

Personal data may be processed if it is necessary to comply with a legal obligation to which the data controller is subject. This means that data controllers and processors are permitted to process personal data when it is required by law, such as fulfilling regulatory requirements or responding to legal requests. In doing so, they must ensure that they handle the data in accordance with relevant data protection laws and regulations, regardless of the industry or sector they operate in. This includes implementing appropriate security measures to safeguard the personal data and respecting the rights of the individuals whose data is being processed. By adhering to these legal obligations, data controllers and processors contribute to maintaining the trust and confidence of data subjects and regulatory authorities alike.

4. PROTECTION OF VITAL INTERESTS OF THE DATA SUBJECT

The Data Protection Act stipulates that personal data processing is considered lawful if it is necessary to protect the vital interests of the data subject. This means that data controllers and processors can process personal data if it is crucial for safeguarding the life or well-being of the individual.

For instance, in the healthcare sector, a vital interest of a data subject might pertain to their medical emergency situation. In such cases, processing personal data is deemed necessary to provide timely and appropriate medical care, ensuring the best possible outcome for the individual’s health and safety.

Vital interest extends beyond healthcare scenarios to encompass situations where immediate action is required to prevent serious harm or loss of life in other sectors as well. Data controllers and processors must exercise discretion and ensure that such processing is strictly limited to the scope necessary for protecting the individual’s vital interests while upholding data protection principles and rights.

5. LEGITIMATE INTERESTS

Under the Data Protection Act, personal data may be processed lawfully if it serves the legitimate interests of the data controller or third parties to whom the data is disclosed. However, this is subject to the condition that such interests do not infringe upon the fundamental rights and freedoms of the data subject, which must be safeguarded.

Legitimate interests encompass a wide range of purposes that are essential for the functioning of businesses and organizations. This could include activities such as marketing, fraud prevention, network and information security, and internal administrative functions.

It’s crucial to recognize that while legitimate interests provide a legal basis for processing personal data, they must be balanced against the rights and freedoms of individuals. If the interests of the data subject outweigh the legitimate interests of the data controller or third parties, then processing must be halted or modified to ensure adequate protection of the data subject’s rights.

Therefore, data controllers must conduct a thorough assessment to determine whether their legitimate interests justify the processing of personal data, taking into account the potential impact on individuals and implementing appropriate safeguards to mitigate risks. This ensures that data processing activities are conducted responsibly and ethically, respecting the rights and privacy of data subjects.

6. PUBLIC INTEREST

The Data Protection Act permits the lawful processing of personal data if it is essential for tasks conducted in the public interest or exercising official authority vested in the data controller.

Entities may process personal data to safeguard public interest, which could encompass a broad array of activities beneficial to society, such as public health initiatives, law enforcement, or regulatory functions.

However, it’s imperative that these entities ensure that personal data processing is carried out with due regard for individuals’ rights and freedoms. This involves implementing appropriate measures to protect the security and confidentiality of personal data, as well as maintaining transparency in data processing practices.

Moreover, accountability is paramount in public interest processing, requiring data controllers to justify their actions and decisions in accordance with legal obligations. Regular assessments and reviews should be conducted to ensure that the processing remains proportionate and necessary, with mechanisms in place to address any potential risks or infringements on individuals’ privacy rights.

7. HISTORICAL, STATISTICAL, JOURNALISTIC, LITERATURE
AND ART OR SCIENTIFIC RESEARCH

Various stakeholders, including data controllers and processors, may conduct historical, statistical, journalistic, literary, artistic, and scientific research for a multitude of purposes. For example:

a) Scientific Research: The processing of personal data for scientific research serves the public interest in advancing knowledge and understanding across various fields, including but not limited to health and disease.

b) Historical Research: Personal data processing for historical research is essential for preserving and studying past events and their societal impacts, contributing to a broader understanding of history and culture.

c) Statistical Research: Data controllers and processors may engage in statistical research, utilizing data for monitoring trends and predicting and controlling occurrences, such as disease outbreaks. This includes tracking disease incidences and prevalence to anticipate and manage public health challenges like cholera outbreaks.

In Conclusion

While consent is often a fundamental requirement for processing personal data, it is not always the sole basis. The Data Protection Act in Kenya outlines seven lawful bases for processing personal data, each serving distinct purposes and contexts.

Understanding these lawful bases is crucial for data controllers and processors to ensure compliance with data protection laws while effectively utilizing personal data for various legitimate purposes. By navigating these lawful bases responsibly, organizations can strike a balance between protecting individuals’ rights and freedoms and meeting their operational and societal objectives.

Therefore, when contemplating data processing activities, it is essential to carefully assess the appropriate lawful basis applicable to the specific circumstances at hand, ensuring transparency, accountability, and respect for data subjects’ rights throughout the process.

For further guidance on Data Protection and Privacy compliance including Audits, DPIAs and registration with the ODPC – reach out to us, we will help you out.

No comments yet