Data Protected - South Africa

Contributed by Webber Wentzel

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Protection of Personal Information Act 4 of 2013 (“POPIA”).

Entry into force

The President signed a proclamation in April 2014 declaring some parts of POPIA effective. Those sections relate to the appointment of the Information Regulator.

 

The substantive obligations are not yet effective and will come into force on a date to be published in the Government Gazette. The POPIA provides for a one-year grace period after the provisions come into force, and so it is only after the expiry of that grace period that the processing of personal information must conform to the requirements of the POPIA. This grace period may be extended by the Minister of Justice and Constitutional Development by any additional period not exceeding three years.

_____________________________________________________________________ Top

National Supervisory Authority

Details of the competent national supervisory authority

The Information Regulator

SALU Building,
316 Thabo Sehume Street,
Pretoria

www.justice.gov.za/inforeg/index.html

The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016.  The Regulator will be responsible for education, monitor and enforce compliance, handle complaints, perform research and facilitate cross-border cooperation. The Information Regulator has jurisdiction throughout the republic, is independent and is subject only to the Constitution and to the law and must be partial and perform its functions and exercise its powers without fear, favour, or prejudice

Adv Pansy Tlakula was appointed as the Information Regulator with effect from 1 December 2016. Adv Lebogang Stroom, and Johannes Weapond were appointed as full-time members and Prof Tana Pistorius and Sizwe Snail were appointed as part-time members. They will serve a term of office of five years.

Notification or registration scheme and timing

There is no notification scheme.

However, prior authorisation must be obtained from the Information Regulator where a “responsible party” (akin to a data controller) seeks to: (i) process unique identifiers (an identifier that is assigned to the data subject by a responsible party and uniquely identifies the data subject) under certain circumstances; (ii) process criminal behaviour on behalf of third parties; (iii) process personal information for the purposes of credit reporting; or (iv) transfer “special personal information” or personal information of a child to a third country without adequate protection.

Exemptions to notification

Not applicable.

_____________________________________________________________________ Top

Scope of Application

What is the territorial scope of application?

The POPIA applies where the responsible party is: (i) domiciled in South Africa; or (ii) not domiciled in South Africa but makes use of automated or non-automated means in South Africa to process personal information, unless those means are used only to forward personal information through South Africa.

Is there a concept of a controller and a processor?

The POPIA applies to responsible parties, but limited obligations extend to “operators” (akin to data processors) too.

An operator must: (i) only process personal information with the knowledge or authorisation of the responsible party; (ii) treat personal information which comes to its knowledge as confidential and not disclose it (unless required by law or in the course of the proper performance of its duties); and (iii) notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Are both manual and electronic records subject to data protection legislation?

Yes. The POPIA applies to personal information entered in a record by or for a responsible party by making use of automated or non-automated means, provided that where non-automated means are used the recorded information forms part of a filing system or is intended to form part thereof. 

The meaning of “automated means” is any equipment capable of operating automatically in response to instructions given for the purpose of processing information.

A filing system is a structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

Are there any national derogations?

Certain types of processing are excluded by the POPIA. For example, processing in the course of a purely personal or household activity; processing by a public body which involves national security; and processing by the Cabinet of the national government need not comply with the conditions for lawful processing of personal information.

Also exempted from the conditions for lawful processing of personal information is processing solely for the purpose of journalistic, literary or artistic expression, to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. The journalistic exemption requires that the responsible party is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information.

_____________________________________________________________________ Top

Personal Data

What is personal data?

The POPIA defines “personal information” to mean information relating to an identifiable, living, natural person, and, where applicable, an identifiable, existing juristic person (for example, a company or other similar legal entity). 

An open-ended list of examples of the types of information that constitute personal information is provided in the POPIA. Such examples include: (i) information relating to personal characteristics such as race, gender, sex and age; (ii) personal opinions and preferences; (iii) private correspondence; and (iv) the views of another individual about a data subject.

Is information about legal entities personal data?

Yes. The POPIA extends to include information not only about individuals, but also about juristic persons (legal entities). The processing of personal information of legal entities is subject to the same provisions as the processing of personal information of individuals.

What are the rules for processing personal data?

Personal information may generally be processed if: (i) the data subject provides voluntary, express, and informed consent to the processing; (ii) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; (iii) processing complies with an obligation imposed by law on the responsible party; (iv) processing protects a legitimate interest of the data subject; (v) processing is necessary for the proper performance of a public law duty by a public body; or (vi) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

A data subject may withdraw consent to processing of personal information at any time. This withdrawal of consent does not affect processing of personal information in accordance with other processing rules (see above), such as where the processing complies with an obligation imposed by law on the responsible party.

Personal information may be processed only if all measures that give effect to the processing comply with the eight “conditions for lawful processing of personal information”. These conditions, which are modelled on provisions of the Data Protection Directive, are called: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.

 

Are there any formalities to obtain consent to process personal data?

The POPIA requires consent to be a voluntary, specific and informed expression of will. However, there is no prescribed manner in which such consent must be obtained.

Consent for the purposes of receiving direct marketing by means of unsolicited electronic communications must be requested in a prescribed manner and form.

Are there any special rules when processing personal data about children?

Processing data about children is only allowed if; (i) it is carried out with the prior consent of a competent person; (ii) it is necessary for the establishment, exercise or defence of a right or obligation in law; (iii) it is necessary to comply with an obligation of international public law; (iv) it is for historical, statistical or research purposes; or (v) it is of personal information which has deliberately been made public by the child with the consent of a competent person.

The Regulator may, upon application by a responsible party and by notice in the Government Gazette, authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.

_____________________________________________________________________ Top

Sensitive Personal Data

What is sensitive personal data?

Under the POPIA, sensitive personal data, referred to as “special personal information”, includes the standard types of sensitive personal data (excluding genetic information) and information concerning the criminal behaviour of a data subject to the extent that such information relates to: (i) the alleged commission by a data subject of any offence; and (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Are there additional rules for processing sensitive personal data?

Special personal information may be processed where either a general exception or a functional exception is met.

General exceptions include: (i) the processing is carried out with the consent of a data subject; (ii) processing is necessary for the establishment, exercise or defence of a right or obligation in law; (iii) processing is necessary to comply with an obligation of international public law; (iv) processing is for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned, or it appears to be impossible or would involve a disproportionate effort to ask for consent (and in both cases sufficient guarantees protect the privacy of the data subject); and (v) the information has deliberately been made public by the data subject

An example of a functional exception (as set out in the POPIA) is where the data subject’s religious or philosophical beliefs are processed by a spiritual or religious organisation to whom the data subject belongs.

The Information Regulator may, upon application by a responsible party, authorise the processing of special personal information where such processing is deemed by the Information Regulator to be in the public interest and subject to adequate safeguards.

Are there additional rules for processing information about criminal offences?

 

This is subject to the same rules as other sensitive personal data.

 

Are there any formalities to obtain consent to process sensitive personal data?

The formalities are the same as those for consent to process personal data (see above).

_____________________________________________________________________ Top

Data Protection Officers

When must a data protection officer be appointed?

The default position is that the head of a company is the “information officer”. The information officer need not be registered with the Information Regulator.

Companies may designate and must register with the Information Regulator any number of deputy information officers as is necessary to perform the duties and responsibilities of the information officer. There is no fee associated with this registration.

What are the duties of a data protection officer?

The information officer’s responsibilities (and, where delegated to deputy information officers, the deputy information officers’ responsibilities) include: (i) the encouragement of compliance by the responsible party with the conditions for lawful processing of personal information; (ii) dealing with requests, including data subject access requests; and (iii) working with the Information Regulator in relation to investigations.

_____________________________________________________________________ Top

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Personal information may be processed only if all measures that give effect to the processing comply with the eight “conditions for lawful processing of personal information”. One of those conditions is accountability.

Are privacy impact assessments mandatory?

POPIA does not make privacy impact assessments mandatory.

_____________________________________________________________________ Top

Rights of Data Subjects

Privacy notices

When personal information is collected, a responsible party must take reasonably practicable steps to ensure that the data subject is aware of: (i) the information being collected and the source of the information; (ii) the name and address of the responsible party; (iii) the purpose for which the information is being collected; (iv) whether or not the supply of the information by the data subject is voluntary or mandatory; (v) the consequences of failing to provide the information; (vi) any particular law authorising or requiring the collection of the information; (vii) whether the responsible party intends to transfer the information to a third country or international organisation, and the level of protection afforded to the transferred information; and (viii) any further information which is necessary to enable the processing to be reasonable in the circumstances.

If the information is collected directly from the data subject these steps must be taken before the information is collected. If the information is collected from a third party, the steps must be taken either before the information is collected or as soon as reasonably practicable thereafter.

There are exceptions in the POPIA to the requirement that fair processing information be provided, such as where: (i) the data subject has consented to the non-compliance and non-compliance would not prejudice a legitimate interest of the data subject; (ii) where non-compliance is necessary to avoid prejudice to the maintenance of the law by any public body; or (iii) where compliance is not reasonably practicable in the circumstances of the particular case.

Rights to access information

Data subjects have the right to request, free of charge, confirmation of whether or not a responsible party holds personal information about them.

Data subjects also have the right to request the record, or a description of the personal information being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the personal information. This may be subject to a prescribed fee and the responsible party may require the payment of a deposit.

Rights to data portability

There is no right to data portability.

Right to be forgotten

A data subject may request a responsible party to delete personal information in the responsible party’s possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

Objection to direct marketing and profiling

A data subject may object, at any time, to the processing of personal information for the purposes of direct marketing.

For direct marketing by means of any form of electronic communication, a data subject must be provided with the opportunity to object to the processing of personal information at the time when the personal information was collected, and on the occasion of each communication with the data subject for this purpose. 

If a data subject has objected to the processing of their personal information for direct marketing purposes, the responsible party may no longer process the personal information.

Other rights

A data subject may object, at any time, to processing of personal information that is being carried out subject to the following processing rules: (i) the processing protects a legitimate interest of the data subject; (ii) the processing is necessary for the proper performance of a public law duty by a public body; or (iii) the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

_____________________________________________________________________ Top

Security

Security requirements in order to protect personal data

The POPIA requires responsible parties to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

In order to give effect to this general security obligation, responsible parties must take reasonable measures to: (i) identify all reasonably foreseeable internal and external risks to personal information; (ii) establish and maintain appropriate safeguards against the risks identified; (iii) regularly verify that the safeguards are effectively implemented; and (iv) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Specific rules governing processing by third party agents (processors)

The processing of personal information by operators (akin to data processors) must be in accordance with a written contract which ensures that the operator establishes and maintains the same security measures required of the responsible party (see above).

An operator must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.

Notice of breach laws

A responsible party is obliged to notify both the Information Regulator and data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.

This notification must occur as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The notification to the data subject must meet certain manner and form requirements.

The Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of information if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

_____________________________________________________________________ Top

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The POPIA contains a restriction on the transfer of personal information outside South Africa.

Transfers can take place if the transfer satisfies one or more of the following conditions: (i) the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for lawful processing in the POPIA (including, where applicable, in respect of data subjects that are legal entities); (ii) the data subject consents to the transfer; (iii) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; (iv) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or (v) the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer but if it were the data subject would be likely to give it.

Notification and approval of national regulator (including notification of use of Model Contracts)

Notification and approval of the Information Regulator must be obtained only where a responsible party seeks to transfer special personal information or personal information of a child to a third country without adequate protection.

Use of binding corporate rules

Binding corporate rules are specifically referred to in the provisions of the POPIA dealing with transfer of personal information to third countries.

Binding corporate rules are defined to mean personal information processing policies, within a group of undertakings (a controlling undertaking and its controlled undertaking), which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country.

_____________________________________________________________________ Top

Enforcement

Fines

Where a responsible party is alleged by the Information Regulator to have committed a criminal offence (including a failure to comply with an Enforcement Notice) under the POPIA, an administrative fine may be imposed by the Information Regulator for an amount of up to ZAR 10 million (approximately €685,000). The responsible party who receives an administrative fine can, instead of paying it, elect to be tried in court on a charge of having committed the alleged offence in terms of the POPIA.

Imprisonment

The Information Regulator can issue an Enforcement Notice for breach of the conditions for lawful processing. Failure to comply with that Enforcement Notice is a criminal offence, punishable by a term of imprisonment not exceeding 10 years, or a fine, or both.

Unlawfully obstructing the Information Regulator’s investigation; providing false information to the Information Regulator; or unlawfully dealing with an account number assigned to a data subject by a financial institution are also criminal offences punishable by a term of imprisonment not exceeding 10 years, or a fine, or both.

Failure to notify processing that is subject to prior authorisation from the Information Regulator (such as the transfer of special personal information to a third country without adequate protection); intentionally obstructing the execution of a search warrant issued to the Information Regulator; making a knowingly false statement to the Information Regulator in response to an enforcement or information notice; and failure to produce evidence when summoned to do so by the Information Regulator are criminal offences punishable by imprisonment for a period not exceeding 12 months, or a fine, or both.

Compensation

Data subjects have a statutory right under the POPIA to institute a civil action for damages for interference with their personal information, whether or not there is intent or negligence on the part of the responsible party.

A court may award the data subject: (i) compensation for patrimonial and non-patrimonial loss suffered; (ii) aggravated damages; (iii) interest; and (iv) costs of suit.

Other powers

The Information Regulator, on its own initiative, or at the request by or on behalf of an information officer or head of a private body or any other person, may make an assessment of whether a public or private body’s policies and implementation generally complies with the provisions of POPIA.

Practice

At the time of writing, the substantive obligations in POPIA are not in force and no enforcement practices have been established.

_____________________________________________________________________ Top

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no specific ePrivacy laws but the POPIA does contain provisions relating to direct marketing.

_____________________________________________________________________ Top

Cookies

Conditions for use of cookies

POPIA does not expressly regulate the use of cookies. However, “online identifiers” do fall within the definition of personal information, so cookies may be subject to general data protection regulation under the POPIA.

Regulatory guidance on the use of cookies

There is no regulatory guidance on the use of cookies.

_____________________________________________________________________ Top

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

It is only possible to send direct marketing e-mails to data subjects if their consent has been obtained, or if the data subjects are customers of the responsible party and: (i) their contact details have been obtained in the context of the sale of a product or service; (ii) they are marketed to for the purpose of marketing the responsible party’s own similar products and services; and (iii) they have been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to the use of their contact details at the time the information was collected and on the occasion of each communication with the data subject for the purposes of marketing.

Subscribers may be approached for consent only once. They must also be provided with the opportunity to object to the receipt of the e-mails on the occasion of each communication.

Conditions for direct marketing by e-mail to corporate subscribers

There is no distinction between the conditions for direct marketing to individual subscribers and corporate subscribers. (Personal information in the POPIA includes information relating to legal entities).

Exemptions and other issues

An exemption similar to the similar products and services exemption applies, see above.

_____________________________________________________________________ Top

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The conditions are the same as those for e-mail marketing.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

See above.

Exemptions and other issues

See above.

_____________________________________________________________________ Top