South Africa - Data Protection Overview

July 2022

1. Governing Texts

The Republic of South Africa has taken significant steps to implement laws and regulations relating to the protection of data and personal information. The COVID-19 pandemic has emphasised the need for laws that regulate the proliferation of data and personal information resulting from the use of digital services. South Africa's first dedicated data protection law came into effect on 1 July 2021, joining the rest of the world in protecting the right to privacy in the digital age of the Fourth Industrial Revolution.

1.1. Key acts, regulations, directives, bills

The Constitution of the Republic of South Africa guarantees the right to privacy. Additionally, certain provisions of the Electronic Communications and Transactions Act, 2002 ('ECTA') regulated the electronic collection of personal information, although compliance with these provisions was voluntary. These provisions of the ECTA pertaining to the protection of personal information were repealed on 30 June 2021 (see below).

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. With the exception of Section 58, POPIA became fully enforceable on 1 July 2021. The commencement of Section 58 was staggered until 1 February 2022, when it also became enforceable. POPIA is wide in its application and impacts all persons processing personal information within the country (or using means from within the country).

Data privacy must also be considered from the perspective of consumer protection law, as the Consumer Protection Act, 2008 ('CPA'), which was enacted in 2011, applies to the direct marketing of goods and services to consumers telephonically. The provisions of the CPA on direct marketing and unsolicited communications may seemingly overlap with those of POPIA; however, POPIA applies to the specific instance of unsolicited electronic communications.

On 26 May 2021, President Ramaphosa signed the Cybercrimes Bill into law as an Act of Parliament of the Republic of South Africa, the Cybercrimes Act No. 19 of 2020 ('Cybercrimes Act'). The Cybercrimes Act became enforceable on 1 December 2021. It creates new offences that, for example, criminalise the theft of and interference with data, and it modernises existing criminal offences to cater for the particular manner in which many cybercrimes are committed. The objectives of the Cybercrimes Act are therefore to:

  • create offences and impose sanctions that relate to cybercrime;
  • criminalise the dissemination of harmful data messages; and
  • further regulate law enforcement's jurisdiction over cybercrime by granting extensive powers to investigate, search, access and seize articles used in committing an offence, such as computers, databases or networks, etc.

Specific offences created under the Cybercrimes Act include:

  • unlawful access, being the unlawful and intentional access to a computer system or a computer data storage medium (commonly referred to as 'hacking'); and
  • the unlawful interception, interference or acquisition of data, a computer program, a computer data storage medium or a computer system.

The 'modernised' criminal offences include:

  • cyber fraud, being fraud committed by means of data or a computer program or through any interference with data or a computer program;
  • cyber forgery, being the creation of false data or a false computer program with the intention to defraud;
  • cyber uttering, being the passing-off of false data or a false computer program with the intention to defraud;
  • cyber extortion, being, inter alia, the unlawful and intentional interception of data for the purpose of obtaining any advantage from another person or compelling another person to perform or to abstain from performing any act; and
  • the theft of incorporeal property.

Of particular note is the criminalisation of malicious or harmful communications. These are communications, or rather 'data messages', which:

  • incite or threaten damage to property or violence;
  • threaten persons with damage to property or violence; and
  • disclose an intimate image.

The Promotion of Access to Information Act 2 of 2000 ('PAIA') regulates access to information and enables people to gain access to information held by both public and private bodies. In terms of PAIA, an Information Officer ('IO') must be appointed within an organisation to manage requests for access to information held by that organisation. IOs are appointed automatically by virtue of their position within a private or public entity. However, the advent of POPIA has expanded the role of an IO, meaning that the role of an IO within an organisation is now governed not only by the provisions of PAIA but also by POPIA.

1.2. Guidelines

In accordance with its powers under POPIA, the Information Regulator published, in December 2018, the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations Relating to the Protection of Personal Information ('the Regulations'). The Regulations are mainly administrative in nature and prescribe a number of forms to be used in order to take certain types of action under POPIA, including:

  • the manner in which an objection to the processing of personal information can be made (Section 2 of the Regulations);
  • requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information (Section 3 of the Regulations);
  • duties and responsibilities of information officers (to be appointed by each responsible party), which includes obligations relating to impact assessments to be undertaken (Section 4 of the Regulations);
  • applications for the Information Regulator to issue industry codes of conduct (Section 5 of the Regulations);
  • the manner in which consent is requested for the processing of personal information for direct marketing by means of unsolicited electronic communications (Section 6 of the Regulations);
  • submission of complaints or grievances (Section 7 of the Regulations);
  • the Information Regulator acting as a conciliator during an investigation (Section 8 of the Regulations);
  • the notification requirements of the Information Regulator to provide notification and information to all affected parties to a complaint/investigation (Section 12 of the Regulations); and
  • the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so (Section 11 of the Regulations).

The Regulations also provide for various prescribed forms which are required to be utilised when requests or complaints are submitted.

The Regulator gazetted a Guideline to Develop Codes of Conduct on 26 February 2021. Chapter 7 of POPIA provides for the development of codes of conduct which may apply to certain types of personal information, specific industries, professions, bodies or specific types of activities. 

The Guideline to Develop Codes of Conduct was published in order to explain the process for the development of codes of conduct by the relevant industry bodies in terms of section 65 of POPIA. The Guideline to Develop Codes of Conduct provides guidance to industry bodies on making and submitting an application for a code of conduct to be approved by the Information Regulator.

On 1 April 2021, the Regulator published a Guidance Note on Information Officers and Deputy Information Officers ('the Guidance Note'), which confirmed that the registration of Information Officers and Deputy Information Officers is expected to commence on 1 May 2021. In a separate media statement released alongside the Guidance Note on 1 April 2021, the Regulator confirmed that such registration will be able to take place via an online portal on the Regulator's website. However, this registration portal has been fraught with a host of issues and businesses have since been encouraged to submit a manual registration form to [email protected] while the portal is being restored to a functional state.

The Regulator has also published a Guidance Note on Applications for Prior Authorisation, which elaborates on the process to be followed by businesses who are currently processing or intend to process personal information which is subject to prior authorisation.

A business has to apply for prior authorisation from the Regulator if it processes or intends to process any personal information falling within the categories specified in Sections 57 and 58 of POPIA. These categories are:

  • processing of unique identifiers (examples of unique identifiers are included in the Guidance Note, which, amongst others, include: bank account numbers or any account number; policy number; identity number; employee number; student number; telephone or cell phone number; or reference number) where these are used for a purpose other than the one for which the unique identifier was specifically intended (at collection) and is linked with information processed by another or other responsible parties;
  • processing information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties (e.g. any person contracted to conduct a criminal record enquiry or reference check pertaining to past conduct or disciplinary action);
  • information processed for the purposes of credit reporting (e.g. including the processing activities of credit bureaus); and
  • any transfer of special personal information or the personal information of children from South Africa to a third party in a foreign country, where that country does not provide an adequate level of protection for the processing of personal information (i.e. an adequate level of protection requires the recipient of the information to be subject to a law, binding corporate rules or binding agreement which provides a level of protection that effectively upholds principles for reasonable processing of personal information that is substantially similar to the conditions for the lawful processing as mentioned under POPIA).

A responsible party who continues information processing activities that are subject to prior authorisation without the Regulator's express approval will be committing an offence and may be liable to a penalty as set out in Section 107 of POPIA. This would include a fine (of up to ZAR 10 million (approx. €580,000)) or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment.

The Regulator has also published a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information in terms of Sections 37 and 38 of POPIA ('the Exemption Guidance Note'). In terms of Section 37(1) of POPIA, the Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process certain personal information, even if that processing is in breach of a condition for the lawful processing of such information or of any measure that gives effect to such a condition, provided the Regulator is satisfied that the requirements stated therein are met.

In terms of Section 38(1) of POPIA, personal information processed for the purpose of discharging a 'relevant function' is exempt from Sections 11(3) and (4), 12, 15, and 18 of POPIA in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.

The Exemption Guidance Note provides clarity on the process of submitting an application in terms of Section 37 while also guiding responsible parties on the bounds and meaning of what would be considered a 'relevant function' in terms of Section 38.

On 28 June 2021, the Regulator published the Guidance Note on Processing of Special Personal Information ('the Special Personal Information Guidance Note'). The purpose of the Special Personal Information Guidance Note is to guide responsible parties who are required to obtain authorisation from the Regulator to process special personal information, as provided for in Section 27(2) of POPIA. In terms of Section 27(2) of POPIA, the Regulator may, by notice in the Gazette, authorise a responsible party to process special personal information if the Regulator is satisfied that:

  • such processing is in the public interest; and
  • appropriate safeguards have been put in place to protect the special personal information of the data subject.

1.3. Case law

In January 2021, the Facebook-owned messaging platform WhatsApp informed users that it was preparing a new privacy policy, under which it could share certain user data, including location and mobile phone numbers, with Facebook and other businesses such as Instagram and Messenger. Against this background, on 3 March 2021, the Regulator issued a statement about WhatsApp's proposed changes to its privacy policy and questioned its compliance with POPIA.

The Regulator's statement highlighted a number of concerns with regard to the revised WhatsApp policy and its application to South Africa, stating the following:

"… it is the Information Regulator's view that the processing of cell phone numbers as accessed on the user's contact list for a purpose other than the one for which the number was specifically intended at collection, with the aim of linking the information jointly with the information processed by other responsible parties (such as Facebook companies) does not require consent from the data subject, but prior authorisation from the IR."

The matter is still ongoing as the Regulator has asked the Portfolio Committee on Justice and Correctional Services to request Facebook South Africa (SA) and WhatsApp LLC to appear in Parliament on this matter.

In a separate matter, the National Department of Basic Education ('DBE') issued a notice, on 10 January 2022, that it would depart from the traditional process of publishing the national results of the 2021 Grade 12 final examinations in various national newspapers and news sites. The rationale for this decision stemmed from a consultation with the Regulator as to the legality of this process in light of POPIA.

However, this decision was met with a significant amount of public outcry and resulted in an urgent application before the North Gauteng High Court seeking to reverse the DBE's decision. On 18 January 2022, the Honourable Miller J issued a draft order in the North Gauteng High Court, ordering the DBE to reverse its decision. The order specifically stated that the published results must not reflect the first names and/or surnames of any of the learners. Consequently, the national results were published with the names and surnames of the learners removed.

2. Scope of Application

2.1. Personal scope

POPIA applies to the processing of personal information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.

2.2. Territorial scope

POPIA applies not only to responsible parties domiciled in South Africa but also to responsible parties outside of South Africa that use means in South Africa to process personal information (unless such means are only used to forward the information through South Africa).

2.3. Material scope

POPIA applies to the processing (widely defined under POPIA to include collection, recording, organising, collating, distributing, modifying, storing, using and destroying) of personal information by a responsible party (being a public or private body or any other person which, alone or together with others, determines the purpose and means of processing).

All processing of personal information is covered by POPIA. However, POPIA does not apply to personal information processing:

  • which is in the course of a purely personal or household activity;
  • by or on behalf of a public body where it involves national security or where its purpose is to prevent or detect unlawful activities (provided that alternative legislation relevant to such activities provides for safeguards to protect personal information);
  • by the Cabinet and its committees or the Executive Council of a province;
  • related to a court's judicial functions; and
  • which is solely for the purpose of journalistic, literary or artistic expression.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

POPIA introduces and provides for the establishment of an independent supervisory authority, namely the Information Regulator, specifically established for the purpose of data protection.

3.2. Main powers, duties and responsibilities

The Information Regulator is responsible for the oversight and enforcement of POPIA and has wide-ranging powers and responsibilities, including in relation to:

  • facilitating education, training and awareness on data protection;
  • monitoring and enforcing compliance with POPIA;
  • consulting with any interested parties on data protection;
  • handling complaints from data subjects and/or other parties in relation to data protection;
  • research regarding privacy and data protection;
  • issuing codes of conduct; and
  • facilitating cross border cooperation in the enforcement of privacy laws.

Any person may, either orally or in writing (although oral submissions are to be converted to writing as soon as reasonably practicable), submit a complaint to the Information Regulator in the event of alleged interference. POPIA provides that, after receipt of a complaint, the Information Regulator is obliged to investigate the complaint, act as a conciliator where appropriate and take further action as contemplated by POPIA. In exercising its investigative powers, the Information Regulator may, inter alia:

  • summon and enforce the appearance of persons;
  • compel the provision of written or oral evidence under oath;
  • receive evidence irrespective of whether such evidence is admissible in a court of law; and
  • enter and search any premises occupied by a responsible party. Where necessary, the Information Regulator may apply to a judge of the High Court or a magistrate to issue a warrant to enable the Information Regulator to enter and search premises.

4. Key Definitions 

Personal data: 'Personal information' is defined broadly in POPIA to include information relating to both an identifiable, living, natural person, and where applicable, an identifiable juristic person or legal entity, and includes:

  • information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language, and birth;
  • information relating to the education, medical, financial, criminal, or employment history of the person;
  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views, or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Sensitive data: POPIA provides for a separate category of information called 'special personal information' which includes all information relating to a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour. POPIA also specifically regulates personal information (of a child).

Data controller: A 'responsible party' is a public or private body that determines the purpose and means for processing personal information of a data subject.

Data processor: An 'operator' is a party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party.

Data subject: Any party to whom personal information relates.

Biometric data: 'Biometrics' means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.

Health data: Not applicable.

Pseudonymisation: POPIA does not provide a definition for pseudonymisation. However, 'de-identify', in relation to personal information of a data subject, means to delete any information that:

  • identifies the data subject;
  • can be used or manipulated by a reasonably foreseeable method to identify the data subject; and
  • can be linked by a reasonably foreseeable method to other information that identifies the data subject.

The term 'de-identified' has a corresponding meaning.

5. Legal Bases

In terms of Section 11 of POPIA, personal information may only be processed if:

  • the data subject, or a competent person where the data subject is a child, consents to the processing;
  • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
  • processing complies with an obligation imposed by law on the responsible party;
  • processing protects a legitimate interest of the data subject;
  • processing is necessary for the proper performance of a public law duty by a public body; or
  • processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

5.1. Consent

See section on 'Legal Bases' above.

5.2. Contract with the data subject

See section on 'Legal Bases' above.

5.3. Legal obligations

See section on 'Legal Bases' above.

5.4. Interests of the data subject

See section on 'Legal Bases' above.

5.5. Public interest

See section on 'Legal Bases' above.

5.6. Legitimate interests of the data controller

See section on 'Legal Bases' above.

5.7. Legal bases in other instances

Direct marketing

The processing of a data subject's personal information for the purposes of direct marketing is prohibited unless the data subject has given their consent or the recipient is an existing customer of the responsible party. In the latter case, the responsible party must have obtained the details of the data subject through the sale of a product or service, and the marketing must relate to similar products or services of the responsible party. The data subject must be given a reasonable opportunity to object to the use of his/her personal information for marketing each time the responsible party communicates with the data subject for marketing purposes.

6. Principles

POPIA prescribes eight conditions for the lawful processing of personal information by or for a responsible party, which are as follows:

Accountability

The responsible party must ensure compliance with all the conditions under POPIA and is responsible for implementing such conditions. This will include having to ensure that any third party or service providers (defined as 'operators' under POPIA) also comply with the provisions of POPIA.

Processing Limitation

Processing of personal information must be undertaken lawfully and done in a reasonable manner.

Purpose Specification

Personal information must be collected for a specific, explicitly defined and lawful purpose relating to the responsible party's business.

Further Processing

The further processing of personal information must be undertaken in accordance with, or be compatible with, the purpose for which the personal information was originally collected. It is important to note that further processing will be compatible with the original purpose if:

  • the data subject consents;
  • the information is in a public record or has been deliberately made public by the data subject;
  • further processing is necessary to avoid prejudice to the maintenance of the law by any public body, to comply with obligations imposed by the law or in the interests of national security; or
  • further processing is necessary to prevent or mitigate a threat to public health or safety or the life or health of the data subject or anyone else.

Information Quality

The responsible party will need to ensure that the personal information it processes about the data subjects is complete, accurate, not misleading and updated where necessary.

Openness

This condition seeks to ensure transparency between the responsible party and the data subject.

Security Safeguards

The responsible party must secure the integrity of personal information in its possession or under its control with appropriate and reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of the personal information; and any unlawful access to or processing of personal information.

Data Subject Participation

A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may then request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies.

7. Controller and Processor Obligations

The rights and responsibilities of a responsible party are not separately specified and are incorporated in relation to the information protection conditions, in terms of which responsible parties may process (which includes collecting) personal information where, inter alia:

  • the information protection conditions are met;
  • the processing is performed in a reasonable manner that does not infringe the data subject's privacy and is for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;
  • the data subject has been made aware of, inter alia, the nature of the information being collected, the identity of the responsible party and the purpose of the collection of the information;
  • in relation to processing, such processing is adequate, relevant, and not excessive;
  • the data subject has consented thereto, or the processing is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied;
  • the personal information is collected directly from the data subject (unless the information has been made public by the data subject, the data subject has consented to collection from another source, the data subject's interests would not be prejudiced by the collection, the collection is necessary per the grounds contemplated in POPIA, and the lawful purpose of the collection would be prejudiced or compliance is not reasonably practicable);
  • the data subject will continue to have access to the personal information (subject to certain exemptions); and
  • the responsible party has taken appropriate technical and organisational measures to safeguard the security of the information.

POPIA contemplates that a responsible party retains ultimate accountability for an operator and must ensure that an operator, or anyone processing personal information on behalf of the responsible party:

  • only do so with the knowledge or authorisation of the responsible party; and
  • treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

Ultimately, a responsible party must ensure a written agreement is concluded with each operator it utilises to process personal information on its behalf.

7.1. Data processing notification

Registration of the processing of personal information is not required or prescribed by POPIA. Section 18 of POPIA does, however, prescribe the following notification requirements when collecting personal information from a data subject:

  • the information being collected and where the information is not collected from the data subject, the source from which it is collected;
  • the name and address of the responsible party;
  • the purpose for which the information is being collected;
  • whether or not the supply of the information by that data subject is voluntary or mandatory;
  • the consequences of failure to provide the information;
  • any particular law authorising or requiring the collection of the information;
  • the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
  • any further information such as the:
    • recipient or category of recipients of the information;
    • nature or category of the information;
    • existence of the right of access to and the right to rectify the information collected;
    • existence of the right to object to the processing of personal information as referred to in Section 11(3); and
    • right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

As mentioned above, if any of the processing activities outlined in Section 57 of POPIA are undertaken by a responsible party, then an application for prior authorisation must be made to the Regulator.

7.2. Data transfers

POPIA provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign jurisdiction unless:

  • the recipient is subject to a law or contract which:
    • upholds principles of reasonable processing of the information that are substantially similar to the principles contained in POPIA; and
    • includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties;
  • the data subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
  • the transfer is for the benefit of the data subject and:
    • it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
    • if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

7.3. Data processing records

Section 17 of POPIA provides that a responsible party must maintain the documentation of all processing operations under its responsibility as referred to in Sections 14 or 51 of PAIA.

7.4. Data protection impact assessment

POPIA Regulation 4(b) requires that a responsible party undertake a Personal Information Impact Assessment ('PIIA') to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. A PIIA must:

  • describe the nature, scope, context, and purposes of the processing;
  • assess necessity, proportionality, and compliance measures;
  • identify and assess risks to data subjects; and
  • identify any additional measures to mitigate those risks and ensure compliance with the eight conditions for lawful processing.

7.5. Data protection officer appointment

The Information Officer of a public body is the Information Officer or Deputy Information Officer as contemplated in Section 1 of PAIA, while in a private body, the role is automatically assigned to the 'head' of the private body. In terms of PAIA, the 'head' means:

  • in the case of a natural person, that natural person or any person duly authorised by that natural person;
  • in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership; and
  • in the case of a juristic person, the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer or the person who is acting as such or any person duly authorised by such acting person.

Accordingly, in respect of private bodies, the CEO or equivalent officer is by default the Information Officer. The CEO or managing director of a juristic person may authorise any natural person within the body to act as the Information Officer. Such an authorisation must be in writing and substantially similar to Annexure 'C' annexed to the Guidance Note. It is important to note that despite authorisation to another person, the 'default' Information Officer still retains the accountability and responsibility for any power or function authorised to that person in terms of PAIA and POPIA. Any person who has been authorised to fulfil the role of an Information Officer should be at an executive level or equivalent position and be an employee of the body itself.

Many organisations have asked if the role of an Information Officer could be outsourced to a non-employee. The Guidance Note now unequivocally states in paragraph 5.9 that only an employee of a private body at a level of management and above should be considered for authorisation as an Information Officer of that body. To this end, each subsidiary of a group of companies should appoint and register its own IO, while a further obligation is placed on a multinational entity based outside of South Africa, which must now authorise a person within South Africa as an IO.

Duties of the Information Officer

Regulation 4 of the Regulations relating to POPIA states that an IO must ensure that:

  • a compliance framework is developed, implemented, monitored, and maintained;
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with processing conditions stipulated under POPIA;
  • a PAIA manual is developed, and copies of such manual are made available to a person upon request and payment of a prescribed fee;
  • data subject access measures are developed together with adequate systems to process requests for information or access; and
  • internal staff awareness training is conducted on the provisions of POPIA, the POPIA Regulations, Codes of Conduct, if applicable, and information obtained from the Information Regulator.

Information Officers of a public body are required to submit a report annually to the Information Regulator setting out information such as, for example, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of a request for access being refused. In addition to the responsibilities referred to above, Section 55(1) of POPIA sets out the specific duties and responsibilities of Information Officers as follows:

  • the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information as espoused in Chapter 3 of POPIA;
  • dealing with requests made to the body pursuant to POPIA and PAIA;
  • working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body;
  • otherwise ensuring compliance by the body with the provisions of POPIA; and
  • as may be prescribed.

With the above in mind, it is important that any organisational policies relating to POPIA/PAIA are continuously updated and amended to reflect the details of the Information Officer and the Deputies appointed by them.

At any time when an employee suspects or becomes aware of any actual or potential data breach, they must report it to the IO of that organisation. The IO will then report the same to the affected data subjects and the Information Regulator.

Designation and Delegation of Deputy Information Officers

Section 17 of PAIA provides for the designation of Deputy IOs in a public body, while Section 56 of POPIA extends the designation of Deputy IOs to private bodies. The Information Regulator has stressed the utilisation of Deputy Information Officers in organisations with large and complex structures to better ensure that the extensive obligations placed on an IO are managed and complied with. The Guidance Note provides that the IO must designate one or more Deputy Information Officers as may be necessary to allow the organisation to be as accessible as reasonably possible. Such a designation must be in writing, as set out in Annexure 'B' annexed to the Guidance Note.

Amongst other things, Paragraph 7 of the Guidance Note provides that the designation of a Deputy IO should be cognisant of the fact that a Deputy Information Officer should report to the highest management office within the organisation. This means that only an employee at a level of management and above should ideally be considered for designation as a Deputy Information Officer (Paragraph 7.9). The Deputy IO should further:

  • be accessible (especially to data subjects);
  • have a reasonable understanding of the organisation's operations and processes; and
  • have a good understanding of POPIA and PAIA in order to perform his or her duties (Paragraph 7.11).

Paragraph 8 of the Guidance Note further allows the IO to delegate any of the powers or duties conferred or imposed on them to a Deputy IO. Such a delegation must be in writing and substantially similar to Annexure 'B' annexed to the Guidance Note. However, it is important to note that despite the designation of or delegation to a Deputy IO, the IO retains the accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA, and the IO is entitled to withdraw or amend the delegation at any time.

7.6. Data breach notification

There is a general data breach notification obligation under POPIA.

Under POPIA, where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the responsible party, or any third party processing personal information under the authority of the responsible party, must notify the Information Regulator and the data subject thereof unless the identity of the data subject cannot be established. Notification to the data subject must be:

  • made as soon as reasonably possible after the discovery of the breach;
  • sufficiently detailed; and
  • in writing and communicated to the data subject by mail (to the data subject's last known physical or postal address), email to the data subject's last known email address, placement in a prominent position on the website of the responsible party, publication in the news media, or as may be directed by the Information Regulator.

The notification must include such detail as to allow the data subject to take protective measures.

A responsible party may be directed by the Information Regulator to publicise the breach where the Information Regulator has reasonable grounds to believe that such publicity would protect the data subject.

POPIA prescribes that an operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

The Regulator has noted and published the data breach notifications that have been reported to it on its website.

7.7. Data retention

As part of the 'purpose specification' condition applicable to the processing of personal information, Section 14 of POPIA provides that records of a data subject's personal information must not be retained for any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

  • retention of the record is required or authorised by law;
  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
  • retention of the record is required by a contract between the parties thereto; or
  • the data subject or a competent person where the data subject is a child has consented to the retention of the record.

Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

7.8. Children's data

The personal information of a child is afforded special protection under POPIA. Section 34 of POPIA places a general prohibition on the processing of personal information concerning a child. Section 35 continues to state that the general prohibition will not apply where the processing is:

  • carried out with the prior consent of a competent person (i.e. the parent or guardian);
  • necessary for the establishment, exercise or defence of a right or obligation in law;
  • necessary to comply with an obligation of international public law;
  • for historical, statistical or research purposes to the extent that:
    • the purpose serves a public interest and the processing is necessary for the purpose concerned; or
    • it appears to be impossible or would involve a disproportionate effort to ask for consent; and
    • sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
  • of personal information which has deliberately been made public by the child with the consent of a competent person.

7.9. Special categories of personal data

Part B of Chapter 3 of POPIA states that, subject to the exceptions set out below, one may not process the category of personal information called 'Special Personal Information', which comprises:

  • religious or philosophical beliefs;
  • race or ethnic origin;
  • trade union membership;
  • political persuasion;
  • health or sex life;
  • biometric information of a data subject; or
  • information concerning the criminal behaviour of a data subject to the extent that such information relates to:
    • the alleged commission by a data subject of any offence; or
    • any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

The prohibition does not apply where:

  • processing is necessary for the establishment, exercise, or defence of a right or obligation in law;
  • processing is carried out with consent;
  • processing is necessary to comply with an obligation of international public law;
  • processing is for historical, statistical, or research purposes if it:
    • serves a public interest and processing is necessary for the purpose; or
    • getting consent is impossible or would involve a disproportionate effort, and there is sufficient guarantee that processing would not adversely affect the privacy of the data subject to a disproportionate extent; or
  • the information has deliberately been made public by the data subject.

7.10. Controller and processor contracts

A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures as prescribed under POPIA.

8. Data Subject Rights

8.1. Right to be informed

POPIA contemplates the collection of personal information directly from the data subject, except in some instances, for example, where the information is already contained in, or derived from, a public record, or has deliberately been made public by the data subject, or where the collection of the information from another source would not prejudice a legitimate interest of the data subject.

See Condition 6 on Openness, specifically Section 18 of POPIA, regarding notification to the data subject when collecting personal information.

8.2. Right to access

A data subject, having provided adequate proof of identity, has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about that particular data subject. The data subject may then request a description of the personal information, including information about third parties who have had access to the information, within a reasonable time and at a prescribed fee (if any). In addition, the information must be provided to the data subject in a reasonable manner and in a form that is generally understandable.

Such a request by a data subject may be refused by the responsible party on the grounds for refusal of access to records as set out in PAIA. In this regard, it is important to note that PAIA differentiates between records held by public bodies and private bodies and the instances in which access to records may be refused by these respective bodies. Public bodies and private bodies may refuse access to records where, inter alia:

  • the disclosure would involve the unreasonable disclosure of personal information about a third party;
  • the record contains trade secrets of a third party;
  • the record contains confidential information of a third party; or
  • the record contains legally privileged documents.

The data subject may also request the responsible party to correct, delete, or destroy personal information about the data subject in its possession or under its control.

8.3. Right to rectification

See the section on the right to access above.

8.4. Right to erasure

POPIA gives a data subject the right to request that a responsible party correct or delete personal information that is inaccurate, irrelevant, or excessive, or which the responsible party is no longer authorised to retain.

8.5. Right to object/opt-out

As it relates to direct marketing, POPIA specifically governs direct marketing activities carried out via electronic communication. Where the consumer is not a customer of the direct marketer, POPIA follows an opt-in approach, in terms of which the direct marketer has to obtain the consent of the consumer before sending a direct marketing communication to that person. In this situation, the direct marketer may only approach the consumer on one occasion in order to obtain the necessary consent (so as to prevent the consumer from being harassed for consent) (Section 69(2) of POPIA).

Where the consumer is a customer of the direct marketer, the Act follows an opt-out approach, in terms of which the direct marketer must give the relevant customer the opportunity to object to the processing of their personal information (Section 69(3) of POPIA). In this situation, the direct marketer may only send a direct marketing communication to the customer if:

  • the direct marketer obtained the customer's contact details in the context of the sale of a product or service;
  • such contact details were obtained for the purpose of direct marketing in relation to the direct marketer's own products or services that are of a similar nature; and
  • the customer is provided with a reasonable opportunity to object to the processing of their personal information. In this regard, the opportunity to object should be provided to the customer at the time when the personal information is collected and, if the customer has not objected to this at the time of collection, the direct marketer must provide such an opportunity on every occasion when a direct marketing communication is sent to the customer.

Under the CPA, consumers have the right to pre-emptively block any direct marketing. Any consumer who has been sent any marketing communication may demand that the persons responsible for initiating the communication desist from sending any further communication to them.

In regard to consent, a data subject may withdraw their consent at any time.

8.6. Right to data portability

While one can make an argument for data portability, such a right is not specifically dealt with in POPIA or any other law.

8.7. Right not to be subject to automated decision-making

POPIA also prohibits automated processing of personal information where the data subject will be subjected to a decision which has legal consequences for the data subject or which affects the data subject to a substantial degree. There are certain exceptions to this prohibition.

8.8. Other rights

Not applicable.

9. Penalties

The Information Regulator is responsible for the investigation and enforcement of POPIA. Please see the section on 'Main powers, duties and responsibilities' above.

Under POPIA, it is an offence for any person to hinder, obstruct, or unlawfully influence the Information Regulator; to fail to comply with an information or enforcement notice; to give false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation; to contravene the conditions insofar as they relate to the processing of an account number (i.e. a unique identifier) of a data subject; or, knowingly or recklessly and without the consent of the responsible party, to obtain, disclose, or procure the disclosure of, sell, or offer to sell an account number of a data subject to another person. A person convicted of such an offence is liable to a fine or imprisonment (or both) for a period of no longer than ten years, or, in respect of the other offences created by POPIA, to a fine or imprisonment for a period not exceeding 12 months (or both). Currently, the maximum fine which may be imposed is ZAR 10 million (approx. €580,000), although this may change once further regulations are promulgated. Responsible parties have a right to appeal against a decision of the Information Regulator, and a data subject has the right to institute a civil action for damages in a court against a responsible party for breach of any provision of POPIA.

9.1. Enforcement decisions

None have been reported as of July 2022.