Lawful Bases for Processing Data

Question 1

What are the lawful bases for processing data as outlined in the Kenya Data Protection Act DPA 2019?

Answer 1

1. Consent of the data subject
2. Contractual Necessity
3. Compliance with legal obligations
4. Vital interests
5. Public interest tasks or exercising official authority
6. Legitimate Interests
7. Historical, statistical, journalistic, literary, art, or scientific research
8. National security or public interest

Question 2

What is the first legal basis for data processing?

Answer 2

Consent of the data subject:
The data subject has given clear consent for their personal data to be processed for a specific purpose.

Question 3

What is the second legal basis for data processing?

Answer 3

Contractual Necessity:
Processing is necessary for the performance of a contract to which the data subject is a party.

Question 4

What is the third legal basis for data processing?

Answer 4

Compliance with Legal Obligations:
Processing is necessary for compliance with a legal obligation to which the data controller is subject.

Question 5

What is the fourth legal basis for data processing?

Answer 5

Protecting Vital Interests:
Processing is necessary to protect the vital interests of the data subject or another individual.

Question 6

What is the fifth legal basis for data processing?

Answer 6

Public interest tasks or exercising official authority:
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

Question 7

What is the sixth legal basis for data processing?

Answer 7

Legitimate Interests:
Processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Question 8

What is the seventh legal basis for data processing?

Answer 8

Journalistic, Historical, Statistical, Literary, Art, or Research:
This data must be processed in accordance with relevant ethics and guidelines of the specific feilds.

Question 9

What is the eighth legal basis for data processing?

Answer 9

National security or public interest: The Act provides exemptions for processing in these areas, but emphasizes the importance of data protection principles

Question 10

What does “consent” require to be valid?

Answer 10

Consent must be
freely given,
specific,
Informed, and
unambiguous, typically through an affirmative action.

Question 11

How can a data subject withdraw consent?

Answer 11

A data subject can withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.

Question 12

What is the significance of “contractual necessity”?

Answer 12

It allows processing when it is essential for fulfilling contractual obligations to the data subject.

Question 13

What does “legal obligation” entail in data processing?

Answer 13

It allows processing when it is necessary to comply with a legal requirement imposed on the data controller.

Question 14

What does “vital interests” refer to in the context of data processing?

Answer 14

It refers to processing that is necessary to protect someone’s life, typically in emergency situations.

Question 15

What is the role of “public task” in legal data processing?

Answer 15

It allows processing when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Question 16

What must be demonstrated when relying on “legitimate interests”?

Answer 16

A balancing test must be conducted to ensure that the legitimate interests do not infringe on the rights and freedoms of the data subject.

Question 17

Can legitimate interests be used for direct marketing?

Answer 17

Yes, but the data subject’s interests and rights must be considered, and they must be given the opportunity to object.
However, the data subject has the absolute right to object to such processing, and if they do, the processing must be restricted pending verification

Question 18

What is the importance of documenting the legal basis for processing?

Answer 18

It ensures accountability and compliance with data protection principles, allowing data subjects to understand the basis for processing.

Question 19

What is the lawful basis for processing personal data?

Answer 19

Personal data must be processed based on one or more lawful bases as defined in the Data Protection Act.

Question 20

What is the first lawful basis for processing data?

Answer 20

Consent: The data subject has given clear consent for their personal data to be processed for a specific purpose.

Question 21

What is the second lawful basis for processing data?

Answer 21

Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party.

Question 22

What is the third lawful basis for processing data?

Answer 22

Legal Obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject.

Question 23

What is the fourth lawful basis for processing data?

Answer 23

Vital Interests: Processing is necessary to protect the vital interests of the data subject or another individual.

Question 24

What is the fifth lawful basis for processing data?

Answer 24

Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

Question 25

What is the sixth lawful basis for processing data?

Answer 25

Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Question 26

How does consent differ from other lawful bases?

Answer 26

Consent must be freely given, specific, informed, and unambiguous, while other bases may not require explicit consent.

Question 27

What is required for consent to be valid?

Answer 27

Consent must be clear, informed, and given through an affirmative action by the data subject.

Question 28

Can a data subject withdraw consent?

Answer 28

Yes, a data subject has the right to withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it.

Question 29

What is the significance of "legitimate interests"?

Answer 29

It allows data controllers to process personal data without consent if it is necessary for their legitimate interests, provided these do not override the rights of the data subject.

Question 30

What must be considered when relying on "legitimate interests"?

Answer 30

A balancing test must be conducted to ensure that the legitimate interests do not infringe on the rights and freedoms of the data subject.

Question 31

What is the role of "public task" in lawful processing?

Answer 31

It allows processing when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Question 32

What is the importance of "contractual necessity"?

Answer 32

It ensures that data processing is allowed when it is essential for fulfilling contractual obligations to the data subject.

Question 33

What does "vital interests" refer to in lawful processing?

Answer 33

It refers to processing that is necessary to protect someone's life, typically in emergency situations.

Question 34

How does the Act ensure compliance with lawful processing?

Answer 34

Data controllers must document the lawful basis for processing personal data and ensure that it aligns with the principles of data protection.