Kenya: Permitted processing of personal data


published on 14 March 2023 | reading time approx. 4 minutes

The Data Protection Act, which came into force in 2019 (the “Act”), regulates the processing of personal data belonging to a data subject. The Act sets out principles that anyone processing personal data, that is, a data controller or a data processor, must adhere to when processing personal data. The Act also grants data subjects various rights in relation to the processing of their personal data.

In addition, the Act stipulates various lawful bases on which a data controller or data processor may process personal data. Consent is the most common basis on which data controllers and data processors process personal data. However, it is not the only basis on which a data controller or data processor may rely. The Act provides alternative lawful bases that data controllers and data processors can rely on when processing personal data. These alternative lawful bases apply where there is a legal basis laid down by law or a legitimate reason that overrides the consent requirement.

Performance of a Contract

Where a data controller or data processor has a contract with the data subject and needs to process the data subject’s personal data to comply with its obligations under that contract, it can process the personal data without the data subject’s consent.
For example, when a buyer makes an online purchase, the seller can process the buyer’s contact details in order to communicate with the buyer about delivery of the goods purchased, as this is necessary to perform the contract. However, the seller cannot use the buyer’s contact details to share information about upcoming sales and offers. That amounts to additional processing which does not fall under this basis and will therefore require the buyer’s consent.

Undertaking a Legal Obligation

A data controller or data processor is allowed to process the personal data of a data subject to comply with a legal obligation to which it is subject. When relying on this lawful basis, a data controller or data processor is advised to document the source of the legal obligation.
For example, when collecting Know Your Client (KYC) information from their clients, banks rely on the obligations imposed on them by banking laws and regulations as the basis for processing this personal data.

Vital Interest

This lawful basis is very limited in scope and can generally only be relied on in emergencies. The processing of personal data is regarded as lawful where it is necessary to protect an interest that is essential for the life of the data subject or of another natural person.
For example, this basis applies where a medical services provider needs to process a patient’s personal data for medical purposes, but the patient is incapable of giving consent because of their condition.

Public Interest

This lawful basis applies where a data controller or data processor, or any other person, is either carrying out a specific task in the public interest which is laid down by law or exercising official authority (for example, a public body’s tasks, functions, duties or powers). The focus of this lawful basis is on the nature of the function, not the nature of the organisation. Therefore any organisation, including one that is not a public body, can rely on this lawful basis when processing personal data in the public interest.
An example of public interest processing is the installation of traffic cameras by traffic authorities and the processing of the personal data collected by the cameras (e.g. images and number plates) to deter traffic violations.

Public Authority

This lawful basis differs from the public interest/official authority alternative in that it applies strictly to public authorities. It is intended to give public authorities the freedom to carry out their official mandates. However, it does not exempt public authorities from complying with the provisions of the Act when processing personal data.
For example, the processing of personal data by the National Transport and Safety Authority (NTSA) for the issuance of the new generation driving licences is acceptable, since NTSA is carrying out its official mandate.

Legitimate Interest

Legitimate interest is the most flexible lawful basis, but that does not mean it applies in all circumstances. Legitimate interest is an appropriate basis where the data controller or data processor uses data in a way that has a minimal privacy impact. Where there is a privacy impact on data subjects, it may still be relied on if the data controller or data processor can demonstrate that its processing need outweighs the privacy interests of the data subjects.
A data controller or data processor may use the following three-part test to determine whether it can rely on this lawful basis:
  • Purpose test: Are you pursuing a legitimate interest?
  • Necessity test: Is the processing necessary for that purpose?
  • Balancing test: Do the individual’s interests override the legitimate interest?
For example, a supermarket has experienced recurring thefts of cars parked in its yard. The yard is an open space that can be easily accessed by anyone, but it is clearly marked with signs and bollards around its perimeter. The supermarket has a legitimate interest in monitoring the area through surveillance cameras to keep its customers’ cars safe. Data subjects using the car park are monitored only for a limited time, and it is also in their own interest that thefts are prevented. In this case, the data subjects’ interest in not being monitored is overridden by the supermarket’s legitimate interest.

Historical, Statistical, Journalistic, Literature and Art or Scientific Research Purposes

This lawful basis can only apply where a data controller or data processor is processing personal data for historical, statistical, journalistic, literature and art or scientific research purposes. Such processing should be in the public interest, and any sector-specific codes of conduct should be adhered to. Therefore, a data controller or data processor cannot rely on this basis when processing personal data for commercial research, such as market research, unless it can demonstrate that the research furthers a general public interest.
For example, recording the personal details, such as name, age and date of birth, of the current and past presidents of Kenya so as to retain a proper historical record of the governance of Kenya since independence would be permissible under this lawful basis.


A data controller or data processor can rely on any of the above alternative lawful bases when processing personal data, so long as it can justify the application of that basis to its processing activity. Notably, reliance on any of these alternative lawful bases does not exempt the data controller or data processor from respecting the rights of the data subject or from adhering to the principles of data processing. The burden of proving that the processing was necessary lies on the data controller or data processor.