CONSENT AS A LEGAL BASIS FOR PROCESSING PERSONAL DATA

Review of the ODPC Guidance Notes on Consent: Data Protection in Kenya Series 6

The Data Protection Act, 2019 defines “consent” to means any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject. The Act provides consent as one of the nine legal grounds/basis for processing of personal data. The other eight grounds are where:

  1. the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;
  2. the processing is necessary for compliance with any legal obligation to which the controller is subject;
  3. the processing is necessary in order to protect the vital interests of the data subject or another natural person;
  4. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  5. the processing is necessary for the performance of any task carried out by a public authority;
  6. the processing is necessary for the exercise, by any person in the public interest, of any other functions of a public nature;
  7. the processing is necessary for the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or
  8. the processing is necessary for the purpose of historical, statistical, journalistic, literature and art or scientific research.

 For consent to be a valid ground/appropriate legal basis for processing personal data the following conditions must be met by the data handler/processor:

  1. The data subjects involved must be afforded control over their personal data being processed;
  2. The data subjects must be offered a genuine choice of either accepting or declining to the processing without any detriment or negative consequence.
  3. The processing must be necessary, fair and proportionate in accordance with the principles of data protection envisage in section 25 of the Act.

The data handler/processor must also show the following in order for them to prove that valid consent was obtained:

  1. That the consent was freely given -data subject was not compelled.
  2. That the data subject was informed -knew the purpose of processing, implication to his/her rights, possibility of transfer outside Kenya and the data to be collected.
  3. The request for consent needs to be separate from other terms and conditions and in plain language that a data subject understands.
  4. The identity of data handler/processor must be clearly stated/known to the data subject involved.
  5. Purpose for processing must be clear.
  6. Separate consent must be obtained for each processing activity.
  7. Data subject must be able to withdraw consent at any time.

Data handler/processor bears the burden of proving that valid consent was obtained. And Consent must be obtained prior to processing.

At A.O.WANGA ADVOCATES we are happy to assist you in all your Data protection concerns in Kenya including registration, tailored advice & training and conducting Data Protection Impact Assessment. For more info contact us via info@aowangaadvocates.com or +254794600191.

All rights reserved for A.O.WANGA ADVOCATES

www.aowangaadvocates.com

Share your thoughts