Business practice does not negate the need for consent before a data subject’s personal information is shared with a third party
Insight Article | 16 April 2026 | Africa | Regulatory movement | Corporate
The complaint was lodged at the Office of the Data Protection Commissioner (the Office) on 9 October 2025 by Ms. Margaret Manyange (the Complainant) against Brites Management Services Limited (the Respondent) over alleged processing of her personal data without consent by sharing her Curriculum Vitae (CV) with a third party. The Respondent’s core business is job recruitment, in which it places candidates (prospective employees) with its clients (prospective employers).
The Complainant's Case
The Complainant averred that she submitted her CV to the Respondent on 7 October 2024 in her application for a job position as a Legal Assistant. On 10 October 2024 she received a message for an interview scheduled for 11 October 2024. On 18 June 2025, the Respondent sent her a message, followed by a phone call from the Respondent’s Agent, informing her that she had been invited for another interview for the same job position, which she stated she did not attend as it was on short notice.
Approximately two weeks later, she received a phone call from a law firm (the Third Party) informing her of its interest in engaging her as a legal assistant and revealing that it had received her CV from the Respondent. The Complainant then filed a complaint with the Office of the Data Protection Commissioner (the ODPC) accusing the Respondent of the unauthorised sharing of her CV with a Third Party and seeking an order compelling the Respondent to implement a mechanism for obtaining consent from individuals before sharing their personal data with third parties.
The Respondent's Case
The Respondent stated that it provides recruitment services on behalf of employers and provided a snapshot of its automated email response indicating as much. Further, it attached a candidate agreement executed by the Complainant, whose contents pointed to specific sharing with a named employer.
Determination of ODPC
Issue i: Whether there was a violation of the Complainant’s rights under the Act and the attendant regulations
Under Section 26(a) of the Data Protection Act, 2019 (the Act), a data subject has a right to be informed of the use to which their personal data is to be put. Based on the Section, the Complainant had a right to be informed that her personal data would be shared with prospective employers other than the specified entity before the data was shared with a third party. According to the Complainant, the consent she gave was specific to one prospective employer. On the other hand, the Respondent failed to prove that the Complainant was informed that her personal data, being the CV, would be shared with any other entity.
From the foregoing, the ODPC determined that the Respondent was in violation of the Complainant’s right to be informed of the use of her personal data under Section 26 of the Act.
Issue ii: Whether the Respondent lawfully processed the Complainant’s data
The ODPC noted that there are permitted lawful bases for processing personal data, and any further processing is to be in accordance with the purpose of collection. The Respondent had an obligation to establish a lawful basis for the processing of the Complainant’s personal data, particularly its sharing with third parties. From the Complainant’s averments, she was not aware that her information had been shared with third parties until she received interview invitation emails from the Third Party. It was her assertion that she had not consented to having her personal data shared with other parties beyond what was mutually agreed. Further, the ODPC noted that the automated email from the Respondent indicating that it does recruitment on behalf of prospective employers did not demonstrate a lawful basis for processing the Complainant’s personal data.
Consequently, the ODPC found that the Respondent processed the Complainant’s personal data without a lawful basis.
Why is this decision important?
The decision cautions against processing personal information without the consent of the data subject. Disclaimers and automated emails speaking to business practice and subsequent data processing will not be construed as establishing a lawful basis for processing personal data unless the data subject is duly informed of the processing and has consented to it. Additionally, goodwill will not at any point be taken to erode the requirements for notification and subsequent consent from the data subject before their personal data is processed.
