Most businesses only process data subjects personal information based on consent but Section 11 will not limit processing only from consent, but emphasise that more factors could lead to lawful processing; we will look at some of those factors.
Consent occurs when one person voluntarily agrees to the proposal or processing of another data subject personal information. Types of consent include implied consent, express consent, informed consent and unanimous consent.
During the implementation of POPIA, most natural and juristic persons, in other words, data subjects, still believe that there is only one way to process Personal Information, and that is to obtain consent.
To obtain this consent overburdens the business functions as to only obtain written consent and only process based on this consent. Most businesses now hide behind the so-called lawfulness of a piece of paper called the “Consent”.
Regarding the Act, it is clear that consent must be obtained, but this will not be the only lawful request to process information as the consent defines “An unambiguous, informed and freely given indication by a data subject agreeing to their personal data being processed.” in order to obtain freely given consent, it must be given on a voluntary basis.
The lawful bases for processing are set out in Section 11(1) of POPIA. At least one of these must apply whenever you process personal information:
• Consent: the data subject has given clear consent for you to process their personal information for a specific purpose.
• Contract: the processing is necessary for a contract you have with the data subject or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
• Legitimate interest of data subject: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject’s personal information which overrides those legitimate interests. (This cannot apply if you are a public authority processing information to perform your official tasks.)
No consent is required when the data subject already has a contract in place with a business and where the processing of their personal information is required in terms of the contract, or where there is a reason in law for collecting or processing personal information.
With reference to above, it would be clear that one may apply and therefore not only consent, the business will bear the burden of proof for the data subject’s or competent person’s consent but overemphasising that it will still not be the only way of processing just to feel safe as additional lawful processing would also apply.
The risk of only obtaining consent is that this consent may be withdrawn by the data subject at any time. Furthermore, in terms of POPIA, where a person reasonably objects to their information being processed it may not be processed, unless legislation provides otherwise. POPIA distinguishes between the consequences of a person’s “withdrawal of consent” and his or her “objection to” the processing of personal information.
Regarding Section 11 of POPIA, one needs to elaborate on the requirements of processing as it does not need to be only consent given to process but can involve much more, as referred to in Section 11.
I don’t see the need for each and every business to make use of consent forms as they would be able to justify their processing on other factual scenarios of Section 11.
If any of the other factual scenarios are present, consent is not needed. What are these ‘factual scenarios’? The process of personal information will also be lawful if:
• It is required to conclude or perform the contract;
• The party processing the information (the responsible party) is required to do “by law’;
• The processing protects a legitimate interest of the consumer;
• The processing is necessary for the performance of a ‘public law duty;
• It is done in pursuit of the legitimate interests of the responsible party.
Section 11 of Protection of Personal Information act 4 of 2013
About The Author:
Frank Maritz is a Senior Legal Advisor with ten years’ legal background in the Consumer Protection and POPI department at SEESA.