POPIA Compliance: More than just the 8 conditions for the lawful processing of personal information


April 5, 2024

The Protection of Personal Information Act, 4 of 2013 (“POPIA” or the “Act”) has been in force in South Africa since July 2021. Almost three years in, businesses and data subjects alike should at least have a basic idea of what POPIA is all about and what their rights and obligations are under the Act.

POPIA identifies three main parties:

  • The data subject, who is a person that the personal information belongs to or is about. Under POPIA, a data subject can be a natural person (i.e. an individual) or a juristic person (i.e. legal entities such as companies), and therefore measures need to be put in place to protect the personal information of both individuals and legal entities.
  • The responsible party, who is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
  • The operator, who is a party who processes personal information on behalf of the responsible party under a contract or mandate.

POPIA sets out 8 conditions that businesses must comply with when processing the personal information of data subjects. These 8 conditions are the foundational principles of POPIA that, when complied with, ensure that a data subject’s personal information is being processed lawfully. However, while these 8 conditions are the foundational principles of POPIA, they are not the only compliance obligations of POPIA.

In addition to the 8 conditions for lawful processing of personal information, POPIA contains a number of additional rights and obligations that are important to be aware of for the purposes of compliance.

  1. Processing of special personal information

In addition to the information that POPIA defines as “personal information” it also classifies certain personal information as “special personal information”. The categories of special personal information under POPIA are:

  • Religious or Philosophical beliefs
  • Race or ethnic origin
  • Trade Union membership
  • Political persuasion
  • Health and sex life
  • Biometric information
  • Criminal behaviour (alleged commission of an offence prior to conviction)

In terms of POPIA, special personal information cannot be processed unless authorised under POPIA, either in terms of a general authorisation (as set out in section 27 of POPIA) or a specific authorisation (as set out in sections 28 – 33 of POPIA).

The general authorisations set out in POPIA include i) where the data subject consents to the processing, ii) if processing is necessary to establish, exercise or defend a right or obligation in law or to comply with an obligation of international public law, iii) if processing is for historical, statistical or research purposes (with specific limitations as set out in section 27(1)(d) of the Act), or iv) if the data subject has deliberately made that information public. The specific authorisations address each category of special personal information individually and give specific authorisations on who may process this information and in which circumstances.

  2. Processing of children’s personal information

In addition to regulating when special personal information can or cannot be processed, POPIA also regulates the processing of children’s personal information. A child is regarded as any person under the age of 18.

As a general rule, children’s personal information cannot be processed unless authorised in terms of a general authorisation (as set out in section 35 of POPIA). The general authorisations set out in POPIA include i) where a competent person (parent or legal guardian) has given consent for the child’s personal information to be processed, ii) if processing is necessary to establish, exercise or defend a right or obligation in law or to comply with an obligation of international public law, iii) if processing is for historical, statistical or research purposes (with specific limitations as set out in section 35(1)(c) of the Act), or iv) if the child (with the consent of a parent or legal guardian) has deliberately made that information public.

  3. Ensuring the rights of data subjects

POPIA affords data subjects a number of rights. When ensuring compliance with POPIA, businesses need to have processes in place so that data subject rights can be met. A business’s privacy notice must also set out data subjects’ rights in relation to how their personal information is collected and processed.

Some of the rights afforded to data subjects under POPIA include:

  • the right to be notified that his/her personal information is being collected;
  • the right to establish whether a responsible party holds personal information about him/her, the right of access to that personal information, and the right to request rectification of the personal information collected when incorrect or inaccurate (on reasonable grounds and subject to any legal obligation placed on the responsible party in relation to such rectification);
  • the right to withdraw consent to the processing of his/her personal information at any time, where consent is the sole legal basis on which such processing is taking place;
  • the right to object to the processing of his/her personal information in certain circumstances (on reasonable grounds, in the prescribed manner and unless there is an underlying legislative obligation), such as where the personal information is being processed to protect the legitimate interests of the data subject, pursue the legitimate interest of a responsible party or a third party that the personal information has been supplied to, or where the personal information is being processed by a public body to properly perform a public law duty; and
  • the right not to have his/her personal information processed for unsolicited electronic communications together with the right to object, at any time, to his/her personal information being processed for direct marketing purposes.

  4. Direct marketing

Direct marketing is regulated by both the Consumer Protection Act, 68 of 2008 (the “CPA”) and POPIA. Both the CPA and POPIA have very similar definitions for direct marketing, but while the CPA regulates all forms of direct marketing, the provisions in POPIA are limited to direct marketing through any form of electronic communication, such as SMS, email, WhatsApp, or automated calling machines.

POPIA defines direct marketing as approaching a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of i) promoting or offering to supply, in the ordinary course of business, any goods or services, or ii) requesting a donation of any kind for any reason.

As mentioned above, POPIA gives data subjects the right to object to the processing of their personal information for direct marketing purposes. POPIA prohibits the processing of personal information for direct marketing by means of any form of electronic communication unless the data subject has consented to receiving direct marketing communications or (subject to section 69(3) of POPIA) the data subject is an existing customer of the business concerned. Businesses are also only allowed to approach a data subject once for consent to receive direct marketing communications, and only provided that such consent has not been withheld previously.

  5. Automated decision making

Automated decision making is a decision which i) is based solely on the automated processing of personal information (i.e., there is no element of human intervention or discretion in making the decision); and ii) is based on personal information that provides a profile on the data subject, for example credit-worthiness, work performance, reliability, health, location, conduct or personal preferences; and iii) results in legal consequences for the data subject or affects the data subject to a substantial degree.

In terms of POPIA, automated decision making is prohibited unless:

  • the automated decision relates to the conclusion of a contract and the data subject’s request has been met/approved, or appropriate measures have been taken by the responsible party to protect the data subject’s legitimate interests, including giving the data subject the opportunity to make representations about the decision and to provide sufficient information for the purposes of the automated decision to be taken; or
  • the automated decision is governed by a law or code of conduct which specifies appropriate measures for protecting the data subject’s legitimate interests.

  6. Transborder information flows

POPIA regulates the transfer of personal information outside of South Africa. A responsible party is not permitted to transfer personal information about a data subject to a third party in another country unless:

  • the other country has adequate privacy laws; or
  • there are binding corporate rules (i.e. a group privacy policy) in place that apply to the parties; or
  • there is a binding agreement in place between the parties; or
  • the data subject consents to the transfer; or
  • the transfer is necessary for performing a contract between the data subject and the responsible party; or
  • the transfer is necessary to implement pre-contractual measures that must be taken in response to a data subject’s request; or
  • the transfer is necessary in order to conclude a contract between the data subject and a third party, provided that the contract is in the interests of the data subject; or
  • the transfer is for the benefit of the data subject and it is not reasonably practicable to get the data subject’s consent, and if consent had been requested it is likely that the data subject would have given it.

Responsible parties have an obligation to notify data subjects that they intend to transfer their personal information to another country or to an international organisation and the level of protection that will be afforded to that information by that country or international organisation. Importantly, when special personal information or children’s personal information is involved, prior authorisation (as discussed more fully below) may need to be obtained from the Information Regulator if the responsible party intends to transfer that information to a third party in a foreign country that does not provide an adequate level of protection for the processing of the personal information.

Transborder information flows include the use of cloud services and third party business service providers who are international organisations and do not store and/or process the data in South Africa. Businesses therefore need to ensure that they are compliant with the transborder information flow requirements of POPIA for their cloud and international service providers.

  7. Operators (third party processors)

An operator processes personal information for or on behalf of the responsible party under a contract or a mandate, for example an outsourced third party contracted to process or store information on behalf of the business. In terms of POPIA an operator must only process personal information with the knowledge or authorisation of the responsible party and must treat the personal information as confidential and not disclose it (unless required by law or in the proper performance of its duties).

The responsible party remains responsible and liable for the personal information that is processed by the operator (the condition of accountability) and has an obligation to ensure that the operator has and maintains appropriate security safeguards in place in terms of POPIA. POPIA mandates that responsible parties sign a written agreement with each of its operators to ensure that the operator establishes and maintains security measures in compliance with POPIA.

POPIA further places an obligation on operators to immediately notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject (which it is processing for or on behalf of the data subject) has been accessed or acquired by any unauthorised person.

  8. The Information Officer

POPIA prescribes that each responsible party must appoint an Information Officer, who must then also be registered as such with the Information Regulator (the PAIA and POPIA information officers should be the same person). An Information Officer is a person within the business who is tasked with being responsible for safeguarding the personal information processed by the business. Under POPIA, the Information Officer is, by default, the head of the business or company, for example the CEO or Managing Director for medium to large sized businesses and the business owner for small businesses and SMMEs.

The head of the business or company is then allowed to appoint one or more persons as the Deputy Information Officer, to be responsible for POPIA compliance and information security. Any Deputy Information Officer should also be registered as such with the Information Regulator.

POPIA and its regulations have also placed a number of obligations and responsibilities on the Information Officer, which need to be complied with to ensure that the business is POPIA compliant, including i) encouraging and ensuring compliance with POPIA and the 8 conditions for lawful processing, ii) developing internal measures and adequate systems to process requests for access to information, addressing these access requests and dealing with complaints made in terms of POPIA, iii) handling investigations conducted by the Information Regulator, iv) developing, implementing and monitoring a POPIA compliance framework, v) conducting preliminary POPIA compliance assessments (i.e. a gap assessment and personal information impact assessments), vi) conducting training and awareness sessions, and vii) developing a privacy manual.

  9. Prior Authorisation

In certain instances, the responsible party will need to obtain prior authorisation from the Information Regulator before it is permitted to start processing certain personal information (unless an industry code of conduct is in place in terms of POPIA). Prior authorisation is only required once, and not each time the personal information is processed, unless the processing departs from the original prior authorisation obtained.

Failing to request prior authorisation when required, or to comply with the processes set out in POPIA for requesting prior authorisation can be an offence under the Act, which could result in a fine or imprisonment of up to 12 months (or both). It is therefore critical for businesses to understand if and when prior authorisation is required under POPIA.

Prior authorisation is required from the Information Regulator in the following instances:

  • to process unique identifiers of data subjects for a purpose other than the purpose collected for, with the aim of linking it with information processed by other responsible parties (a unique identifier is any information used to identify a data subject, for example an identity number, an employee number, a patient number, a bank account number, etc.);
  • to process information on criminal behaviour (not criminal history) or unlawful or objectionable conduct for or on behalf of third parties;
  • to process information for the purposes of credit reporting;
  • to transfer special personal information or children’s personal information to a third party in a foreign country that doesn’t provide an adequate level of protection for the processing of personal information in accordance with the Transborder Information Flow provisions of POPIA; or
  • for other types of information processed if the processing of that information carries a particular risk to the data subject’s legitimate interests (as determined by the Information Regulator by law or regulation from time to time).

  10. Reporting of Data Breaches

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person (i.e. a data breach or security compromise), section 22 of POPIA places an obligation on the responsible party to notify both the Information Regulator and the data subject/s affected by the security compromise in writing as soon as reasonably possible after the discovery thereof.

Notification of data breaches is a crucial obligation under POPIA. Should the security compromise come to the attention of the Information Regulator by other means, failing to notify the Information Regulator and affected data subjects of the security compromise as soon as reasonably possible after the incident has been discovered can result in the Information Regulator imposing larger penalties on the responsible party, for the failure to notify and to comply with the provisions of POPIA, than it would otherwise have imposed.

Accordingly, while the 8 conditions for the lawful processing of personal information are the foundational principles of POPIA, they are not the only compliance obligations under POPIA, and when planning their compliance initiatives, businesses must ensure that all of their compliance obligations under POPIA are being considered and achieved.
