1. Definitions. “Personal information” refers to just about any information by which a particular person or company can be identified, and includes race, sex, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, e-mail address, physical address, telephone number, location information, biometric information, personal opinions and private correspondence, and of course the name. “Processing” refers to just about any action that can be applied to information, including collecting, receiving, recording, organising, collating, storing, updating, modifying, retrieving, altering, consulting or using, disseminating, merging and linking, as well as restricting, erasing and destroying.
2. The purpose of POPIA is to strike a balance between the right to privacy on the one hand, and the right of access to and the free flow of information on the other hand.
3. POPIA applies to people and companies processing personal information in South Africa.
4. There are eight “principles” for the processing of personal information. Particularly sensitive information, and information about children, is deemed “special” and is subject to special treatment.
5. Data subjects have specific rights, including to be notified that information about him, her or it (company) is being processed, to be granted access to that information, and to request correction or deletion of that information.
6. POPIA does not apply to personal or household activities, to information that has been “de-identified” and to some government bodies, including the Cabinet and the courts.
7. POPIA does not apply to journalistic, literary and artistic expressions.
8. Accountability Someone is held accountable for compliance with the law, and that someone is the “Responsible Party”. While practicalities of compliance can be delegated to an “operator” or “processor”, final responsibility lies with the Responsible Party. Companies should appoint an Information Officer to deal with POPI (and PAIA) compliance, which should be registered with the Regulator.
9. Processing Limitation When a Data Subject gives consent to a Responsible Party to process his or her personal information, s/he gives this consent for a particular purpose. Any processing of that information is restricted to that particular purpose (subject to the “Further Processing Limitation” principle below). Consent must in principle be received directly from that particular person, and recorded.
13. Purpose Specification The Responsible Party must clearly notify the Data Subject of the specific, explicitly defined and lawful purpose of processing information.
15. Further Processing Limitation Further processing of personal information (by third parties) must be compatible with the purpose for which consent was initially given by the Data Subject.
16. Information Quality Personal information must be accurate and up-to-date. In our understanding, at the very least this means that the Responsible Party must make it possible for the Data Subject to access the information to verify its accuracy.
17. Openness Arguably the most fundamental principle of data processing regulations like POPI and GDPR is transparency. This means that a Data Subject must be made aware of the fact that personal data is being processed, of its purpose and its destination (who will get access to the information), as well as of the Responsible Party responsible for the processing. An important aspect of transparency for Data Controllers is the “paper trail” – controllers should at all times be able to provide evidence of meetings and staff education, of how data was processed, and of measures taken to promote compliance with the law. Data Controllers must always make Data Subjects aware of instances where personal information is collected and of the policy that governs them, preferably before the data is collected. Data Controllers must also keep a manual (PAIA), which includes the system of storage and the steps that can be taken by Data Subjects to remedy non-compliance or to revoke consent.
19. Security Safeguards The Data Controller must safeguard personal information by means of reasonable, appropriate, regularly verified, up-to-date, industry-standard measures. In case of a security breach, the data subjects that are affected by the breach, and the Information Regulator, must be notified as soon as reasonably possible (GDPR states “72 hours”) in writing.
23. Data Subject Participation Every Data Subject has the right to access, to request correction or deletion of, and to object to the processing of personal information. This means that data controllers need to provide, at the Data Subject’s request and as per the data controller’s PAIA manual, the personal information they have stored and a list of the people that have access to this information.
36. Having said all that, the Information Regulator may grant exemptions for public interest, including national security, crime prevention, research and free expression.
39. An independent, impartial national body is established to supervise POPIA: the Information Regulator.
The Information Regulator’s duties and powers include education on POPIA, monitoring and enforcing compliance with POPIA, consultation, handling of complaints, research, issuing codes of conduct and cross-border cooperation.
55. The person responsible for compliance with POPIA and dealing with requests in terms of POPIA or from the Information Regulator, is the Information Officer. This is in principle the head of the company. However, the head of the company can delegate these functions, but cannot delegate responsibility in terms of POPIA.
57. With regard to some personal information, prior authorisation is required from the Information Regulator before that information may be processed, or before particular actions may be taken with regard to that information.
60. The Information Regulator may issue codes of conduct for certain sectors of society.
61. This may be done on the Regulator’s initiative, or on the initiative of a representative body of any industry, profession or vocation.
63. A code of conduct may prescribe its own procedures for dealing with complaints and disputes.
69. Direct electronic marketing is prohibited, unless consent has been given, or the data subject is an existing customer. Marketers may approach potential data subjects only once, to ask for consent. Consent can only be given in the prescribed form (Form 4 of the Regulations). All electronic marketing messages must include an opportunity to unsubscribe.
70. If (any of) your personal information is included in a public directory, printed or electronic, you must be given the opportunity to object, edit or remove that information.
71. Automated processing can never give rise to legal consequences for the Data Subject.
72. Personal information may only be shared across borders if the recipient is subject to adequate conditions for the processing of personal information, the data subject consents, or the transfer is necessary and to his, her or its benefit.
74. Any person may submit a complaint to the Information Regulator, to which the Regulator may respond with an investigation, a conciliation, a referral to the Enforcement Committee, or an application for legal measures such as warrants to enter and search.
Parties can appeal within 30 days after receipt of the Regulator’s notice.
99. Civil actions may be instituted in case of non-compliance with POPIA.
100. Hindering or influencing the Information Regulator is an offence.
103. Failure to comply with the Regulator’s notices is an offence.
105. Contravention of section 8 (the eight principles) is an offence, if it is of a serious and persistent nature, and, to the Responsible Party’s knowledge, likely to cause serious damage or distress.
The Magistrates’ Court has jurisdiction.
111. Fees may be prescribed for Data Subjects to request access to information.
114. Full compliance with POPIA is required one year after POPIA comes into effect.