South African Data Privacy Law: Certain provisions of POPI coming into force
Article Date: 17 July 2020
Article written by : Shani Weake (Candidate Attorney)
The commencement of certain provisions of the Protection of Personal Information Act (POPI) was gazetted and effective from the 1st July 2020.
The POPI Act essentially reinforces Section 14 of our Constitution in respect of our Right to Privacy.
Furthermore, the POPI Act contains certain provisions that creates a number of onerous obligations for “Responsible Parties” in regards to the processing of “Personal Information” of “Data Subjects”.
“Personal Information” includes, but is not limited, to:
- An identity number;
- Gender and sexual orientation;
- Blood type and biometric information;
- Religious beliefs; and
- Any information pertaining to criminal, financial and/or employment history.
The application and the consequences of the POPI Act spreads far and wide, as many institutions process Personal Information on a daily basis, therefore this commentary seeks to prepare and inform those who shall be affected by this Act, as of the 1st July 2020.
WHAT HAPPENS AFTER THE 1ST JULY 2020?
Anyone processing Personal Information in South Africa will have a period of 1 (one) year to ensure that they comply with the various requirements enforced by the POPI Act.
Non-compliance with the provisions of POPI after the 1st July 2021, may result in serious consequences including penalties, civil proceedings, criminal offences and fines up to R10 000 000.00 (Ten Million Rand).
The relevant Sections that will take effect from the 1st July 2020 are:
- Sections 2 to 38;
- Sections 54 to 109;
- Section 111; and
- Sections 114(1), (2) and (3).
These Sections state the following:
- Processing of any personal information will only be allowed if the Responsible Person (the person collecting the Personal Data) obtains a consent from the Data Subject or, alternatively, in specific circumstances as permitted in the POPI Act;
- The conditions for lawful processing of Personal Information, ensures that:
- the Responsible Person complies with all the conditions listed in the Act, at the time of determination of the purpose, the means of processing and during the processing itself;
- the information is processed lawfully, reasonably and that it is adequate, relevant and not excessive;
- the information is collected for a specific purpose;
- the responsible person does not retain the information for longer than necessary, and must delete or destroy the information, after they are no longer authorised to retain it;
- steps are taken to safeguard against the information collected being inaccurate, in complete, misleading and outdated;
- integrity, confidentiality and prevention of damage or unlawful access;
- it provides for ways in which the Data Subject may participate in the collection of his/her personal information;
- The limitations on processing special personal information, such as children’s information, health information, race, biometrics, to name a few;
- Codes of conduct that may be issued by the Information Regulator;
- The procedures for dealing with complaints;
- Provisions regulating to direct marketing by means of unsolicited electronic communication; and
- Enforcement thereof.
Going forward organisations will need to pay significant attention to the POPI Act and the Personal Information it collects, the way in which they process it, together with the various practical and business appropriate steps to prevent non-compliance thereof. Failure to do so, will impact one’s reputation and commercial competence as well as create the risk of legal prosecution.
|1. South African Data Privacy Law: Certain provisions of POPI coming into force (17 July 2020)|
|2. Mediation & the Role it plays for our Children (30 August 2018)|
|3. Step by Step Guide to Mediation in the Magistrates Court (29 August 2018)|