4.1 Introduction

Lawful processing of personal data also known as grounds for processing personal data is a concept in data protection legislation that provide for the lawful basis or legal justification for processing personal data.  This entails that, just because one can find data or have access to it, does not mean one can legally gather and/or process it.^[i] Principally, personal data can only be lawfully processed where there is a valid legal basis. This concept keeps an obligation on data controllers or data processors not to process personal data without a legal justification.

4.2 Legal basis for Processing Personal Data

A data controller or data processor can only process personal data on basis of the legal grounds as elaborated below:

a) Consent: A data processor can process personal data on the basis that the data subject has approved and given permission to the processing of the personal data for a specific purpose. The data subject must give clear and informed consent for the processing of her/his personal data. Consent is therefore a valid legal ground for processing personal data as it legally justifies the processing of the data subject’s personal data.

b) Contract: Data processing is necessary for the performance of a contract or for entering into a contract with the data subject. For example, in a contract for delivery services the Data processor shall need to obtain data subject’s address data in order to effect delivery. A contract is a legal basis for processing personal data only when the contract terms relating to the processing of the said personal data.

c) Legal obligation: the processing is necessary for you to comply with the law to which the data controller or processor is subjected. Processing of the data subject’s personal data on this ground must be necessary under the law and only to the extent required for compliance. For Example where an employer provides personal data to immigration authority in filling non-citizen returns or where an employer provides personal data to social security authorities.

d) Vital interests: The processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving his/her consent or is not represented by his/her legal, judicial or agreed representative;^[i] This ground is very limited in scope and mostly apply where the processing is necessary to protect someone’s life.

e) Public Interest: the processing is necessary for the data controller or processor to perform a task in the public interest or in the exercise of official functions, and the task or function has a clear basis in law. This ground is most relevant to public bodies or authorities. What amounts to the public interest will normally differ from one country to another country.

f) Legitimate interests: the processing is necessary for the legitimate interests of the data processor or third party, except where such interests are overridden by fundamental rights and freedom of the Data Subject.^[ii] Legitimate interest applies when a data controller or processor uses personal data in a way that the data subject would expect them to for example in fraud prevention or direct marketing. This ground cannot be used by a public authority.^[iii]

4.3 Conclusion

The ground for processing personal data is mostly determined by the processing purpose of the personal data.  Frequently, people assume that consent should be the best and most preferred basis of processing personal ground. Nonetheless, that assumption is not correct as consent is the worst legal basis for a data controller or data processor to rely on in justifying the processing of personal data as it is difficult to establish and prove a valid consent and, ultimately a consent can be withdrawn. 

It is important to highlight that regardless of the legal ground for processing personal data a data controller or data processor should observe all other legislation and protect the rights & freedoms of a data subject. This means that all grounds of processing should be subject to all safeguards of protecting the rights, interests and privacy of the data subject. Also, data controllers or data processors are normally urged to process personal data on a ground that has less privacy intrusion to the data subject.

PART 5: DIMENSIONS OF CONSENT IN DATA PROTECTION LEGISLATION

(By Fatma Haruna Songoro)

5.1 Introduction

Consent is one of the most fundamental aspects of data protection and privacy used to safeguard the data subject’s rights and privacy. Consent forms one of the six lawful basis for processing personal data as stated under Article 5 (1) (b) Of the GDPR. Consent can only be an appropriate lawful basis if the data subject is offered control and a candid choice with regard to accepting or refusing the terms offered or declining them without detriment.^[i] Consent affords the data subject the right to self-determinate the processing and collection of his/her personal data.  This makes consent a major component of the individual participation principle under the data protection law since it gives the individual control over their personal data. This part examines the concept and construction of consent in relation to data protection Legislation and practices.

5.2 Definition of Consent

The definition of consent under the GDPR is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.  Correspondingly the data Protection: SADC Model Law describes “consent to mean any manifestation of specific, unequivocal, freely given, informed expression of will by which the data subject or his/her legal, judicial or legally appointed representative accepts that his/her personal data be processed.

5.3 Dimensions of Consent

Going through the aforementioned definition of consent, it is clear that there are certain preconditions as pointed out hereafter that need to be met in order for consent to be valid. First consent has to be freely given in order to be valid. This means that there has to be a genuine and informed choice by the data subject to provide his/her personal data.^[i] Consent is about choice hence the data subject must recognize and know what he/she is accepting in order for consent to be valid. Consent should be sought from the data subject without an undue influence or fear of repercussion. For instance, an employer wants to use the personal data of an employee for certain commercial gain, consent should be freely sought and given or rejected by an employer without any threat or fear.

Second consent should be given on a clear specific purpose of processing the data. The data subject must know who is the data controller or recipient (if any) and the actual purpose of processing or collecting personal data.  It is important to highlight that consent must be given for a specific purpose or related purpose only. Any further processing by the data processor or controller other than for the specified purpose will require a new consent from the data subject. Further, the consent request must also be concise, user-friendly, and not bundled or tied with conditions or vexatious terms that might mislead or confuse the data subject.^[ii] It has been emphasized that consent is not a contract hence it should not be attached to terms or conditions.

Lastly, consent must be unequivocal, obvious and clearly communicated either by a statement or an affirmative action allowing or permitting the processing of the data. The data subject must clearly communicate his/her affirmation to processing of her personal data to the data controller or data processor without any ambiguity.^[iii] Blank acceptance of the data subject to processing of his/her personal data will not be considered as an affirmative action. In processing of special categories of personal data or cross border data transfer, the data controller or data processor is particularly supposed to obtain explicit consent not just the regular consent.^[iv] Explicit consent entails that the data subject must give an express statement of consent without a shadow of doubt and most preferably it should be a written statement.

5.4 Consent in Processing Child Data

Data controller or data processor are required to give special attention when obtaining consent in relation to processing of personal data relating to a child. The data protection law normally require that a child’s personal data is processed with the consent of a guardian or a competent person. The age of a child in the data protection law will depend on the specific country’s age of majority. It is normally required that the data controller or data processor should integrate mechanism to ascertain the age of the data subject and verify the consents given for processing of children personal data. Once a child attain the age of majority, the data subject should be able avail him/her the choice to modify, confirm or withdraw the parental consent given to process his/her personal data. 

Generally, if consent is obtain in violation of the aforementioned conditions it is likely that the consent will be presumed to not be valid.  The burden of proving that consent was validly given lies with the data controller or data processor. Consent is one of the most difficult legal basis to prove in processing personal data. It is therefore important that when the data controller or data processor relies on consent as the lawful basis for processing personal data to be able to demonstrate that consent was legally obtained. In order to do that the data controller or data processor has to keep the records for consents given by the data subjects. The good practice is that once consent is given it should be reviewed and refreshed after a certain period of time by the data controller or processor.^[i] It should be borne in mind that personal data is to be processed only for the specific purpose that the data subject consented to.

The rule of thumb is that consent is valid until it is withdrawn. There is no time limit for how long consent shall last only that the consent will automatically lapse when the purpose for the processing data is completed. Under the data protection regime, it is mandatory for the data controller or processor to inform and provide the data subject with the option to withdraw her/his consent. Prior to giving his/her consent the data subject should be made aware of how he/she can withdraw her/his consent. Further, the option to withdraw must be easily accessible by the data subject without any restrictions or complications.^[ii] It is worth mentioning that any processing or act done in the timeframe when consent was given will remain valid until the period when the consent is withdrawn.

5.5 Conclusion

The data protection pundits have developed a concept of consent management method for data controllers and processors. A consent management is a system that governs the collection and review of data subject consent to ensure the data controller or processor is in compliance with the law and respects the data subject’s wishes. It is of noteworthy that obtaining consent of the data subject does not in any way negate the duty of the data controller or data processor to processes personal in compliance with the law and data protection principles such as transparency, fairness or minimization. The data controller or data processor should not process personal data in a manner that prejudice or exploit the rights of the data subject just because the data subject consented. 

This current article encompasses the fourth and fifth part of the data protection and privacy articles series. The next part which is titled significant considerations in data protection and privacy framework will be released on 25th May 2022.