Microsoft Word - OB Disclosure Doc CPA Compliant  · Web view2021. 7. 13. · These laws differ...

NICOLAAS JOHANNES MARAIS t/a MARAIS ATTORNEYS PROTECTION OF PERSONAL INFORMATION ACT (POPIA) TOOLKIT



Page 2 of 55

TABLE OF CONTENTS

1. INTRODUCTION ........ 3
2. NAVIGATING POPIA COMPLIANCE ........ 3
APPENDIX A – OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION ........ 46
APPENDIX B – REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION ........ 47
APPENDIX C – COMPLAINT REGARDING INTERFERENCE WITH POPIA ........ 49
APPENDIX D ........ 52


1. INTRODUCTION

1.1. The Protection of Personal Information Act 4 of 2013 (POPIA) is the South African data protection legislation.

1.2. POPIA regulates the processing of personal information by both private and public bodies. It will accordingly have far-reaching implications for Nicolaas Johannes Marais t/a Marais Attorneys, which processes personal information. The consequences of non-compliance with POPIA are significant and include administrative fines of up to ZAR10 million or even imprisonment in certain circumstances. This is in addition to the reputational damage Marais Attorneys may suffer as a result of failing to comply with POPIA.

1.3. The majority of the substantive provisions of POPIA came into force on 1 July 2020. POPIA makes provision for a transitional period of one year, i.e. until 30 June 2021, by which time responsible parties must ensure that they are fully compliant with POPIA.

1.4. This POPIA Toolkit is intended to provide advice and assistance on how to interpret POPIA and offers practical suggestions on how to deal with issues presented by its requirements.

1.5. Contact details of the team working on this initiative, and who can provide support, are listed below.

2. NAVIGATING POPIA COMPLIANCE

2.1. To assist you in complying with POPIA, and to help you navigate this document, the following questions provide prompts with regard to compliance and links to the sections of this Toolkit that will help you understand the terms and requirements of the regulations.

2.1.1 Am I “processing” “personal information” about a living natural person or an existing juristic person?

2.1.2 Am I processing special personal information?

2.1.3 Is the personal information contained in a record?

2.1.4 Is the information de-identified?

2.1.5 On what basis am I processing the information – consent or necessity?

2.1.6 Am I determining the purpose of the processing, or am I processing the information on behalf of a client? Is the client determining the purpose?

2.1.7 Am I determining the means of the processing?

2.1.8 Am I transferring the personal information outside the borders of South Africa? To another entity within Marais Attorneys, or to a third party? Is the third party subject to a law similar to POPIA, or to binding corporate rules providing similar protections to those contained in POPIA?

2.1.9 Am I processing personal information of children?

2.1.10 Has the personal information been accessed by an unauthorised person or third party?

Issue Guidance notes

Purpose of POPIA (Section 2)

POPIA seeks to give effect to the constitutional right to privacy by regulating the processing of personal information. In doing so, POPIA aims to balance the right to privacy against other rights, such as the right of access to information, and protect important interests, including the free flow of information, which is necessary for commercial activities and trade.

POPIA accordingly:

regulates the manner in which personal information may be processed by Marais Attorneys in accordance with international standards that prescribe minimum requirements for the lawful processing of personal information;

provides data subjects with rights and remedies to protect their personal information from being processed in contravention of the provisions of POPIA; and

establishes measures to promote and enforce the provisions of POPIA.

Key Definitions (Sections 1 and 26)

What is personal information under POPIA?

Personal information is a key concept under POPIA. It is critically important for Marais Attorneys to understand exactly which information they collect, store, use and share with others constitutes personal information under POPIA.

“Personal information” means any information relating to an identifiable, living natural person, and where applicable, an identifiable, existing juristic person.

It includes the following information:

race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;


the education or the medical, financial, criminal or employment history of the person;

any identifying number, symbol, e-mail address, physical address, telephone number, location information or online identifier or other particular assignment to the person;

the biometric information of the person;

the personal opinions, views or preferences of the person;

correspondence sent by the person that is of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;

the views or opinions of another individual about the person; and

the name of a person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

POPIA regulates the processing of “personal” information – not “private” information. POPIA will accordingly apply to information related to an identifiable person or entity even if the information is contained in a record that is publicly available.

Just because information may constitute personal information, this does not mean you are not allowed to collect it or use it. It means that the information has to be collected, stored, used and shared with others in compliance with POPIA.

When is an individual “identifiable”?

In many cases, it will be clear that an individual is identifiable. For example, if Marais Attorneys holds the names, addresses and remuneration details of its employees in a database, those individuals are identifiable, and this information will constitute their personal information.

In certain circumstances, an individual can become identifiable through the combination of items of personal information that may not constitute personal information individually. For example, a residential address alone may not identify a particular individual, but a combination of a residential address; contact number and gender may indirectly identify an individual. This means that the risk of information constituting personal information under POPIA can increase as more information about an individual is collected and processed.

Under foreign laws, such as EU laws or US laws, there may be a different definition of personal information. These laws differ from POPIA and where information may not constitute personal information under foreign laws, it does not mean that it is not personal information for purposes of POPIA. For example, the General Data Protection Regulation in Europe, commonly known as the GDPR, does not extend the concept of personal information to juristic persons and only applies to the personal information of natural persons. POPIA, on the other hand, also applies to juristic persons. The address, telephone number, registration number, trademarks and details of directors and shareholders may constitute the personal information of a juristic person.

Practical example: Marais Attorneys processing consumer purchaser information that refers to the individual by way of a unique reference number (for example, a loyalty card number, provided it is or can reasonably be linked to a particular individual). This will constitute personal information and may fall under the scope of POPIA.

Practical example: Marais Attorneys expresses views relating to an employee’s performance in a performance assessment document. The views expressed will constitute personal information and will fall under the scope of POPIA.

Practical example: Marais Attorneys processes information that, when combined together, can be used to identify a particular individual’s device. This will constitute personal information and may fall under the scope of POPIA. Examples of this kind of information may include:

o names;

o HTTP header information;

o contact details;

o installed functions; and/or

o OS identifier.

Practical example: Marais Attorneys processes the information of an entity relating to its pricing structures, service offerings and marketing campaigns. Similarly, information regarding the entity’s registration number, physical address, list of directors and contact details would constitute the personal information of that entity and may fall under the scope of POPIA.

What is special personal information under POPIA?

POPIA prescribes a higher level of protection on the processing of a special category of personal information, namely special personal information. The following categories of information are regarded as special personal information:

a person’s religious or philosophical beliefs;

a person’s race or ethnic origin;

the trade union membership of the person;

a person’s political persuasion;

a person’s health or sex life or biometric information; and

the criminal behaviour of a person.

This special category of personal information appears to have been informed by the EU directive on the processing of personal data, which regards substantially the same information as sensitive personal data, the processing of which is subject to additional protections.

Special personal information must not be processed unless it is on one or more of the justifiable grounds as provided for in POPIA. In many cases, the individual’s consent will be required. However, there are other justifications, which Marais Attorneys may be able to rely on when seeking to process special personal information. See ‘The processing of special personal information’ below.

It is important to note that a photograph and/or video recording may constitute special personal information. This is because, amongst other things, a person’s biometric information and race may be gleaned from a photograph or video recording.

Practical example: Marais Attorneys processing consumer health information when carrying out research on the effectiveness of certain medicines will be dealing with special personal information whenever it processes information about identifiable patients.

Practical example: Special personal information of employees may be processed by Marais Attorneys for purposes of its operations, for example, information relating to an employee’s race or trade union membership.

Practical example: Marais Attorneys that is using photographs or video recordings for facial recognition purposes will be processing special personal information (race and biometric information).

What is processing?

Processing under POPIA means any activity, operation, or set of operations, whether or not by automatic means, concerning personal information. It includes, for example:

the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration or use of information;

the transmission or distribution of information or making it available in any other form; and

the merging, linking, degradation, erasure or destruction of information.

Processing is accordingly widely defined under POPIA and any activity, operation or function performed by Marais Attorneys concerning personal information is likely to be regarded as processing personal information for purposes of POPIA.

Practical example: Marais Attorneys collects and stores information relating to a customer in order to provide the necessary services to the customer. Such activities would constitute the processing of personal information for purposes of POPIA.

Practical example: Marais Attorneys reviews the personal information stored on its database and erases certain of the information no longer required for its purposes. Such activities would constitute the processing of personal information for purposes of POPIA.

What is a record?

POPIA only regulates the processing of personal information contained in a “record”.

A record means any recorded information, regardless of form or medium, in the possession or under the control of a responsible party. It does not matter that the record was not created by the responsible party – if it is under its control or in its possession, POPIA will apply. It also does not matter when the record came into existence.

A record would include any of the following:

writing on any material;

information produced, recorded or stored by means of a tape recorder, video recorder, computer equipment, or other device and any material derived from information so produced, recorded or stored;

a label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;

a book, map, plan, graph or drawing;

a photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable (with or without the aid of other equipment) of being reproduced.

Practical example: if Marais Attorneys records personal information in any form or manner, it will be regarded as having entered personal information into a record for purposes of POPIA.

Practical example: Where two individuals discuss the personal information of an employee or a consumer in the corridor of Marais Attorneys, this discussion would not constitute personal information entered into a record. However, should the two individuals contact each other telephonically to discuss the personal information and such telephone call is recorded, this would constitute personal information entered into a record.

Practical example: Marais Attorneys takes handwritten notes of an employee’s performance during a performance review. The handwritten notes would be regarded as a record under POPIA.

Practical example: if Marais Attorneys uses devices for facial recognition purposes, the photographs or video recordings captured for facial recognition would be regarded as a record under POPIA.


The Role Players (Sections 1, 39, 40, 55)

The data subject

The data subject is the person to whom the personal information relates. The data subject may be an individual natural person or a juristic person (such as a company or a trust).

The data subjects for purposes of Marais Attorneys’ operations may include employees, individual consumer purchasers, company customers and service providers.

The responsible party

The responsible party is a private or public body or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing of personal information. In other jurisdictions, such as Europe, a responsible party is commonly referred to as a data controller. Under POPIA, only responsible parties have the obligation to ensure compliance with POPIA.

An operator

An operator is a person or entity who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct control of the responsible party. Accordingly, an operator does not determine the purpose of and means for the processing of personal information but acts on the instructions of the responsible party.

Unlike the GDPR in Europe, operators are not directly responsible for complying with POPIA, because they are required to follow the responsible party’s instructions, and it is the responsible party that would be at risk of enforcement proceedings and the imposition of fines by the Information Regulator. However, operators may have contractual obligations under their agreement with the responsible party and they may be contractually required to indemnify the responsible party in appropriate circumstances.

It is accordingly important that Marais Attorneys know whether they are processing personal information as a responsible party or an operator as this determines their obligations and potential liabilities. We point out that Marais Attorneys can be both a responsible party and an operator in relation to certain processing activities.

Generally, Marais Attorneys will be the responsible party in relation to the processing of personal information of its employees and/or contractors. Marais Attorneys will, however, be an operator when processing its client’s personal information in circumstances where it is acting upon an instruction or mandate of the client in relation to the processing of personal information. However, it is possible for Marais Attorneys to be a responsible party in relation to its client’s personal information, for example, where Marais Attorneys determines the purpose and means of the processing, or jointly with the client decides the means or purpose for which the personal information will be processed.

The guidance below may help you to determine whether you will be regarded as a responsible party, or an operator, or both when processing personal information.

Marais Attorneys is likely to be a responsible party where it decides one or more of the following:

Whether to collect personal information;

What personal information to collect;

What the personal information will be used for;

Whether the personal information may need to be disclosed or transferred to a third party recipient;

How long to retain the personal information for; and/or

Whether to delete or erase personal information in its possession.

An operator acts according to a responsible party’s instructions. However, an operator may decide one or more of the following without necessarily being treated as a responsible party:

How to store the personal information;

What security safeguards should be implemented to protect the integrity and confidentiality of the personal information;

What method should be used to process the information;

The method for ensuring the retention of personal information; or

The means to delete or erase the personal information.

Practical example: Marais Attorneys appoints a payroll provider to pay its employees’ monthly salaries. Marais Attorneys provides the payroll provider with the names and employee numbers of the employees who should be paid, the amount that must be paid to the respective employees, the date when payment must be made, the bank account details of the employees, the employees’ leave balances, and details regarding deductions, such as trade union subscriptions. The payroll provider may decide on the software or method to use to make the payments but is subject to the instructions provided by Marais Attorneys. Marais Attorneys will be the responsible party and the payroll provider will be the operator.

Practical example: Marais Attorneys enters into a contract with a client to carry out the client’s marketing campaigns. The client provides instructions to Marais Attorneys as to the purpose of the campaigns and how they should be conducted, for example, what marketing material should be distributed, to whom, and on what date. Even though Marais Attorneys has decided what method to use to distribute the marketing material, its functions are determined and defined by the instructions and mandate of the client. The client will accordingly be the responsible party and Marais Attorneys will be an operator.

Practical example: Marais Attorneys is requested by a client to carry out a survey in respect of a certain product. The client determines the broad scope of the survey. Marais Attorneys recruits the panelists, determines the questions to be answered and decides the personal information to be collected for purposes of the survey; and it then uses the results for its own market research purposes. Marais Attorneys may be a responsible party and an operator in these circumstances, even though it is carrying out the survey upon the instructions of a client.

The Information Regulator

The Information Regulator is the regulatory body that has been established in order to monitor and ensure compliance with the provisions of POPIA. The Information Regulator is also required to deal with requests in terms of the Promotion of Access to Information Act, 2 of 2000 (PAIA). The Information Regulator will accordingly monitor and enforce the provisions of both POPIA and PAIA from 1 July 2021.

The Information Officer and deputy Information Officers

The Information Officer for purposes of POPIA is the head of a private body as contemplated in PAIA. In other words, it will be the chief executive officer of Marais Attorneys.

The Information Officer has a number of duties under POPIA and POPIA requires a responsible party to register the Information Officer, and its deputy Information Officers with the Information Regulator (see ‘The registration and duties of an Information Officer under POPIA’ below).

The duties of the Information Officer may be delegated to deputy Information Officers. This delegation must be done in writing.

When will POPIA apply? (Section 3)

POPIA will only apply to the processing of personal information entered in a record by or for a responsible party, where the responsible party is:

domiciled in South Africa, or

not domiciled in South Africa but makes use of automated or non-automated means situated in South Africa (unless those means are used only to forward personal information through South Africa).

“Automated means” refers to any equipment capable of operating automatically in response to instructions given for the purpose of processing personal information.

Implications for Marais Attorneys

The fact that the provisions of POPIA will apply to the processing of personal information entered in a record by or for a responsible party in South Africa means that the majority of the processing of personal information conducted by Marais Attorneys in South Africa will fall under the scope of POPIA. This means that Marais Attorneys will need to ensure that they comply with the provisions of POPIA, in particular the principles for lawful processing (see ‘Eight principles for lawful processing under POPIA’ below).

POPIA presents a great opportunity for Marais Attorneys situated in South Africa to conduct an audit and create an inventory of the personal information that they hold. This includes identifying:

o The type of personal information that is collected and stored relating to consumers, employees, contractors and other entities.

o The purpose for which the personal information is collected, for example, for HR purposes, market research or the provision of services.

o How the personal information is collected and from whom, for example, is it directly collected from the data subject or from public records?

o What the personal information is used for by Marais Attorneys, for example payment of remuneration to employees or market research on behalf of clients.

o Whether the personal information is transferred to third parties in countries situated outside of South Africa.

The inventory and details relating to personal information processed by Marais Attorneys will assist Marais Attorneys in complying with the principles for lawful processing, which include the requirement to retain records for the processing activities in place at Marais Attorneys.

It is also an opportunity for Marais Attorneys to identify possible measures to reduce the amount of personal information held. There are various reasons why Marais Attorneys should seek to limit the personal information they collect and process, including:

o The processing limitation in POPIA encapsulates the principle of minimality, which requires that the processing of personal information should be adequate, relevant and not excessive.

o It mitigates Marais Attorneys’ exposure to a potential data breach or security compromise.

o It reduces the amount of work and costs required to ensure compliance with the provisions of POPIA.

In an effort to reduce the volume of personal information held, Marais Attorneys can consider opportunities to avoid receiving personal information where they can use de-identified information to achieve certain of their purposes. The processing of personal information that has been de-identified will not fall under the scope of POPIA (see ‘When will POPIA not apply’ below).

Action to take:

It is important to determine whether the processing of personal information falls within the scope of POPIA. The following flowchart is designed to assist Marais Attorneys in determining whether the processing of personal information is subject to POPIA.

Step 1: Is the personal information entered into a record by Marais Attorneys or a client?
    NO: POPIA will not apply.
    YES: go to Step 2.

Step 2: Is Marais Attorneys or the client situated in South Africa?
    YES: go to Step 3.
    NO: Does Marais Attorneys or the client use automated means situated in South Africa (other than only to forward personal information through South Africa)?
        NO: POPIA will not apply.
        YES: go to Step 3.

Step 3: Is the personal information sufficiently de-identified to the extent that it cannot be linked to a specific individual?
    YES: POPIA will not apply.
    NO: go to Step 4.

Step 4: Does the processing fall under any of the other exceptions provided in POPIA (as set out below)?
    YES: POPIA will not apply.
    NO: POPIA will apply.

When will POPIA not apply? (Sections 6 and 7)

POPIA will not apply to the following:

the processing of personal information that is not entered in a record, i.e. thoughts and speech that is not recorded.

the processing of personal information in the course of a purely personal or household activity, e.g. photographs of family members on a mobile phone.

the processing of personal information that has been de-identified to the extent that it cannot be re-identified again.

the processing of personal information by or on behalf of a public body which involves (i) national security, defence or public safety or (ii) the prevention or detection of unlawful activities or the prosecution of offenders.

the processing of personal information by the Cabinet and its committees or the Executive Council of a province.

the processing of personal information relating to the judicial functions of a court.

the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that this is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.

A responsible party who processes personal information exclusively for journalistic purposes must comply with any applicable code of ethics that provides adequate safeguards for the protection of personal information.

When is personal information considered to be de-identified?

For purposes of POPIA, the term “de-identify” means to delete information that, and the term “re-identify” means to resurrect information that:

1. identifies the data subject;

2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

3. can be linked by a reasonably foreseeable method to other information that identifies the data subject

with “de-identified” and “re-identified” having a corresponding meaning.

Accordingly, de-identification involves modifying the personal information so that no data subjects can be identified from it or reasonably be re-identified by linking it to other available information.

It is important to note that if information relates to an individual that can be singled out, even through an identifier such as a cookie ID, the information will not be de-identified for purposes of POPIA.

De-identified personal information does not fall within the scope of POPIA as the personal information cannot be linked to an identifiable individual. This means that it can be processed without being concerned about the requirements of POPIA (but it is important to bear in mind that the information may still be confidential or commercially sensitive, and a client may have imposed certain restrictions on it that will need to be complied with by Marais Attorneys).

There may also be circumstances in which Marais Attorneys can receive aggregated personal information. For example, if Marais Attorneys is considering acquiring an entity and conducts a due diligence exercise, it could request the total remuneration figures rather than requesting a list of each individual’s salary and benefits.

We also point out that encryption techniques do not necessarily de-identify personal information. Encrypting personal information may ensure compliance with the obligations under POPIA to safeguard personal information against unauthorised access or a security compromise, but it does not prevent an individual from being identified from the personal information by Marais Attorneys, which holds the means to decrypt it.

Action to take:


The following flowchart may assist Marais Attorneys when considering the possible de-identification or aggregation of personal information:

1. Do you need to hold information about particular individuals?

NO: Hold aggregated information.

YES: Go to question 2.

2. Do you need to be able to identify who the particular individuals are?

NO: Hold de-identified information.

YES: Hold personal information, but minimise what is held.
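The following Python is an added example, not part of this toolkit and not Marais Attorneys' own material. It applies each branch of the flowchart to a small set of constructed HR records (aggregate, de-identify, or keep but minimise) and, for the point made above about encryption, shows why a keyed pseudonym is still personal information for whoever holds the key. The records, the key, the field names and the k threshold are all constructed assumptions.

```python
"""Applying the de-identification flowchart to constructed records.

Added example, not part of the toolkit. Demonstrates the three branches
(aggregate, de-identify, keep but minimise) and why a keyed pseudonym,
like an encrypted value, remains personal information for the key holder.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample HR records: every name, address and figure is fictional.
EMPLOYEES = [
    {"name": "A. Dlamini", "email": "a.dlamini@example.test", "dept": "Litigation",   "age": 34, "postcode": "8001", "salary": 52000},
    {"name": "B. Naidoo",  "email": "b.naidoo@example.test",  "dept": "Litigation",   "age": 38, "postcode": "8005", "salary": 61000},
    {"name": "C. van Wyk", "email": "c.vanwyk@example.test",  "dept": "Conveyancing", "age": 45, "postcode": "7700", "salary": 58000},
    {"name": "D. Mokoena", "email": "d.mokoena@example.test", "dept": "Conveyancing", "age": 41, "postcode": "7708", "salary": 49000},
    {"name": "E. Botha",   "email": "e.botha@example.test",   "dept": "Litigation",   "age": 31, "postcode": "8001", "salary": 47000},
    {"name": "F. Pillay",  "email": "f.pillay@example.test",  "dept": "Conveyancing", "age": 49, "postcode": "7700", "salary": 70000},
]

DIRECT_IDENTIFIERS = ("name", "email")           # identify a person on their own
QUASI_IDENTIFIERS = ("dept", "age", "postcode")  # identify a person in combination


def aggregate(records, group_by="dept", field="salary"):
    """Branch 'NO: hold aggregated information': keep totals only,
    as in the toolkit's due-diligence remuneration example."""
    totals = {}
    for r in records:
        totals[r[group_by]] = totals.get(r[group_by], 0) + r[field]
    return totals


def generalise(record):
    """Coarsen quasi-identifiers so that several people share each value:
    age becomes a ten-year band, postcode keeps only its first two digits."""
    out = dict(record)
    decade = (record["age"] // 10) * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["postcode"] = record["postcode"][:2]
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values.
    A result of 1 means at least one data subject can be singled out."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def deidentify(records, k=3):
    """Branch 'NO: hold de-identified information': drop direct identifiers,
    generalise the rest, and refuse to release the result while anyone can
    still be singled out (k=3 is a constructed threshold)."""
    stripped = [
        generalise({f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS})
        for r in records
    ]
    if k_anonymity(stripped) < k:
        raise ValueError("a data subject can still be singled out; generalise further")
    return stripped


def minimise(records, needed=("name", "email", "dept")):
    """Branch 'YES: hold personal information but minimise it': still personal
    information, limited to the fields the stated purpose requires."""
    return [{f: r[f] for f in needed} for r in records]


def _token(key, email):
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Swap direct identifiers for a keyed HMAC token. Like encryption this
    protects the data from outsiders, but the token is reproducible by the
    key holder, so the records remain personal information under POPIA."""
    return [
        {**{f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS},
         "token": _token(key, r["email"])}
        for r in records
    ]


def reidentify(pseudonymised, key, directory):
    """The 'reasonably foreseeable method': the key holder recomputes the
    token for everyone in its own staff directory and links each record back."""
    lookup = {_token(key, email): name for name, email in directory}
    return [lookup.get(r["token"]) for r in pseudonymised]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in practice a managed secret
    directory = [(r["name"], r["email"]) for r in EMPLOYEES]
    print("raw k-anonymity:", k_anonymity(EMPLOYEES))              # 1
    print("de-identified k:", k_anonymity(deidentify(EMPLOYEES)))  # 3
    print("aggregated:", aggregate(EMPLOYEES))
    print("re-identified:", reidentify(pseudonymise(EMPLOYEES, key), key, directory))
```

The raw records have a k-anonymity of 1 because every combination of department, exact age and full postcode is unique, so the cookie-ID point above applies: a record need not carry a name to single someone out. Only after the quasi-identifiers are generalised does each person hide in a group of three, and the pseudonymised copy, however strong the HMAC, resolves straight back to names for anyone holding the key and a staff list.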

Eight principles for lawful processing under POPIA

Chapter 3, Part A

Sections 8 to 25

POPIA establishes 8 principles for the processing of personal information. These principles are referred to as the conditions for lawful processing of personal information and are as follows:

1. Accountability

2. Processing Limitation

3. Purpose specification

4. Further processing limitation

5. Information quality

6. Openness

7. Security safeguards

8. Data subject participation

A responsible party that seeks to process personal information will need to do so in accordance with these eight conditions. It is important to note that these conditions do not stand in isolation and often interlink with one another. They therefore need to be viewed and applied holistically.

The eight conditions are not applicable to the processing of personal information to the extent that such processing is excluded from the operation of POPIA (as set out above) or if the Information Regulator has granted an exemption in this regard.

Principle 1 – Accountability

The responsible party must ensure that the conditions for lawful processing, and all the measures that give effect to such conditions, are complied with. The conditions must be complied with at the time of the determination of the purpose and means of the processing of personal information and during the processing itself.

This means that the responsible party is the party who is ultimately held responsible for compliance with the conditions, regardless of whether or not the personal information has been provided to an operator to process for or on behalf of the responsible party.

Practical example: Marais Attorneys appoints a service provider to process its employees’ personal information for purposes of paying its employees’ remuneration. Marais Attorneys will be responsible to ensure that the service provider complies with the provisions of POPIA.

As the responsible party will be required to demonstrate compliance with the principles for lawful processing of personal information, it will be required to maintain documentation of its processing operations. This should include details of the personal information processed and the purpose for which it was processed, whether the personal information was shared, with whom and why, and when the purpose is fulfilled, whether the information has been deleted and if not, why. The documentation should also stipulate the security measures taken to safeguard the personal information.

In order to ensure that the principles of lawful processing are complied with, POPIA requires responsible parties to appoint and register an Information Officer. One of the duties of the Information Officer is to monitor and ensure compliance with the provisions of POPIA (see ‘The registration and duties of an Information Officer under POPIA’ below).

One of the factors that will contribute to ensuring that Marais Attorneys, or a client, is able to demonstrate compliance with POPIA is the training of relevant personnel. Marais Attorneys should accordingly ensure that personnel who take decisions about, or are involved in, the processing of personal information receive appropriate training on the requirements of POPIA, tailored to the firm’s specific processing operations.

Principle 2 – Processing limitation

Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject unnecessarily. In addition, personal information may only be processed if, given the purpose for which it is processed, the processing is adequate, relevant and not excessive. This encapsulates the principle of minimality and requires Marais Attorneys to only collect personal information that is strictly necessary for the lawful purpose they seek to achieve.

POPIA sets out the justifications for the processing of personal information. In this regard, there is a widely held misconception that personal information may only be processed if the data subject has consented to the processing. This is not so. In terms of South African common law, the right to privacy may be restricted in broadly two circumstances, i.e. where consent is given or where necessity dictates. This principle has been carried through in relation to the processing of personal information.

POPIA accordingly provides that personal information may be processed if:

1. the data subject consents to the processing (see ‘How do we deal with consent?’ below);

2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;

3. processing complies with an obligation imposed by law on the responsible party;

4. processing protects a legitimate interest of the data subject;

5. processing is necessary for the proper performance of a public law duty by a public body; or

6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Practical example: Marais Attorneys processes an employee’s personal information in order to pay the employee her/his remuneration in accordance with her/his employment contract. The processing of the employee’s personal information for this purpose is necessary for the performance of a contract to which the data subject is a party.

Practical example: Marais Attorneys processes certain information relating to its clients when onboarding them in order to comply with the provisions of the Financial Intelligence Centre Act, 2001. The processing of this information is to comply with an obligation imposed by law on Marais Attorneys.

Practical example: Marais Attorneys may be able to process personal information for the following legitimate interests of Marais Attorneys: (i) intra-group transfers of employee personal information for administrative or performance purposes; (ii) transferring a debt to a debt collection agency; or (iii) sending personal information of its employees to its clients for purposes of providing certain services.

If Marais Attorneys seeks to rely on the justifications of (i) protecting a legitimate interest of the data subject; (ii) ensuring the proper performance of a public law duty by a public body; or (iii) pursuing its legitimate interests or those of a third party, POPIA provides the data subject with the right to object at any time to the processing on reasonable grounds, unless legislation provides for such processing.

For purposes of objecting to the processing of personal information, the Regulations published under POPIA provide that the data subject must submit the objection to Marais Attorneys using Form 1 which is annexed to the Regulations. Marais Attorneys is also required to provide such reasonable assistance as may be necessary to the data subject to enable her or him to complete Form 1.

A copy of Form 1 is attached to this POPIA Toolkit marked Appendix A for your ease of reference.

If there is a reasonable basis for the data subject to object to the processing, then Marais Attorneys may no longer process the personal information on these grounds, but may do so if there is another ground present, such as an obligation in law.

The processing limitation also seeks to regulate the collection of personal information. In this regard, POPIA requires personal information to be collected directly from the data subject, subject to a few limited circumstances.

It is not necessary to collect the personal information directly from the data subject where:

1. The information is contained in or derived from a public record or has deliberately been made public by the data subject;

2. The data subject has consented to the collection of the information from another source;

3. The collection of the information from another source would not prejudice a legitimate interest of the data subject;

4. The collection of the information from another source is necessary:

o for the maintenance of law or prosecution of offences by any public body;

o to comply with an obligation imposed by law;

o for the conduct of proceedings in any court or tribunal;

o in the interests of national security; or

o to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;

5. compliance would prejudice a lawful purpose of the collection; or


6. compliance is not reasonably practicable in the circumstances of the particular case.

The starting point is accordingly for Marais Attorneys to collect personal information directly from the data subject concerned. However, if Marais Attorneys is unable to collect the personal information directly from the data subject, it needs to ensure that it collects the personal information under the circumstances contemplated by POPIA as set out above.

Practical example: Marais Attorneys uses personal information of a client which it obtained from the client’s public website, such as its contact details, services or details relating to its management team. This is information that has been made deliberately public and would not need to be collected directly from the data subject, i.e. the client.

Practical example: An employee consents to Marais Attorneys obtaining details of her/his employment history directly from her/his tertiary institution. This would be justified under POPIA.

Principle 3 – Purpose specification

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

POPIA compels the responsible party to take reasonable steps to ensure that the data subject is aware of the purpose of the collection of personal information, unless the responsible party is exempt from doing so.

There is a balance to be struck by Marais Attorneys between describing the purposes for which personal information is collected at a general level or describing them more specifically. Describing the purposes too generically increases the risk of a finding that the purpose was not specifically defined. However, providing too detailed purposes may limit Marais Attorneys’ options going forward. We would suggest that Marais Attorneys use a general description and then provide specific scenarios. In this regard, it is important that the data subject is able to have a clear understanding of the purpose of the processing of their personal information.

Practical example: Marais Attorneys will process employees’ personal information for human resources functions, including payroll administration, performance development, training programmes, and the provision of benefits.

Practical example: Marais Attorneys will process clients’ personal information for marketing purposes, including providing details in relation to marketing campaigns and techniques and the legal requirements pertaining to the marketing of certain products.


As part of the purpose specification requirements, POPIA regulates the retention of records containing personal information. In this regard, records of personal information may not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed. There are a few exceptions to this rule, including where:

1. Retention of the record is required or authorized by law;

2. The responsible party reasonably requires the record for lawful purposes related to its functions or activities;

3. Retention of the record is required by a contract between the parties; or

4. The data subject has consented to the retention of the record.

Records of personal information may also, however, be retained in excess of these periods if it is for historical, statistical or research purposes and if the responsible party has established appropriate safeguards against the records being used for any other purposes.

Practical example: Marais Attorneys retains employment details of a former employee for a period of three years from date of termination of employment in accordance with the provisions of the Basic Conditions of Employment Act, 1997. This is a retention period prescribed by law.

Practical example: Marais Attorneys stipulates a retention period of 4 years in its terms and conditions for the recruitment of applicants, for purposes of using the applicant’s details for positions that may become available in future. The applicant consents and this is then an agreed retention period.

Practical example: Information about a consumer’s behaviour collected through the use of cookies must only be retained for as long as the information is required for the purpose for which it was collected.

Further, POPIA specifically seeks to regulate the retention of a record of personal information where Marais Attorneys has used a record of personal information to make a decision about the data subject. In this regard, Marais Attorneys is required to retain the record for such period as may be required or prescribed by law or a code of conduct for a period which will afford the data subject a reasonable opportunity to request access to the record. This will have to be determined on a case-by-case basis.

Practical example: Information about an applicant for employment is kept for 12-18 months after the recruitment decision on the basis that Marais Attorneys would require the information in order to defend a claim of alleged unfair recruitment discrimination. In terms of the Employment Equity Act such claims must be instituted within 6 months of the date of alleged unfair discrimination, but the late filing may be condoned upon good cause shown.

Where Marais Attorneys is no longer authorised to retain a record of personal information, it is required to destroy or delete the record or to de-identify it as soon as reasonably practicable. The destruction or deletion of the record must be done in a manner that prevents its reconstruction in an intelligible form.

Marais Attorneys should accordingly consider each category of personal information held by it, for what purpose and for how long the personal information needs to be retained. If it may no longer be retained in accordance with the provisions of POPIA, Marais Attorneys should either delete or de-identify the personal information.

Principle 4 – Further processing limitation

POPIA provides that the further processing of personal information must be compatible with the purpose for which it was collected. In order to assess whether further processing is compatible with the purpose, the following factors must be taken into account by the responsible party:

o the relationship between the purpose of the intended further processing and the initial purpose for which the information was collected;

o the nature of the information concerned;

o the consequences of the intended further processing for the data subject;

o the manner in which the information has been collected; and

o any contractual rights and obligations between parties.

To assist responsible parties with the implementation of this condition, POPIA provides guidance on the circumstances where the further processing of personal information will be considered compatible with the purpose for which it was collected. These circumstances include:

1. Where the data subject has consented to the further processing of the information;

2. Where the information is available in or derived from a public record or has deliberately been made public by the data subject;

3. Where the further processing is necessary:

o for the maintenance of law or prosecution of offences by any public body;

o to comply with an obligation imposed by law;

o for the conduct of proceedings in any court or tribunal;

o in the interests of national security; or

o to prevent or mitigate a serious or imminent threat to public health or safety or to the life or health of an individual;

4. The information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or

5. The further processing of the information is in accordance with an exemption granted by the Information Regulator.

Practical example: If Marais Attorneys is collecting personal information of individuals for an event it is organising, it may be a compatible purpose to then use that personal information for marketing purposes.

Practical example: If Marais Attorneys collects an employee’s banking details in order to pay the employee her/his remuneration, it would be a compatible purpose to use the personal information to facilitate payment of an incentive or bonus scheme.

It is of course preferable for Marais Attorneys’ privacy/processing notice to specify, as far as possible, all the purposes for which the personal information is likely to be used. This might limit the circumstances in which Marais Attorneys will be required to consider whether a further purpose, which was not specified in the privacy notice, is compatible with the purposes specified.

Having said this, there may be circumstances in which Marais Attorneys wishes to process personal information for purposes that were not envisaged at the outset. In these circumstances, the cautious approach would be for Marais Attorneys to provide the data subject concerned with information relating to the new purpose and any additional information that may be relevant prior to commencing with the secondary processing.

Principle 5 – Information Quality

Having regard to the purpose for which the personal information is collected or processed, the responsible party must take reasonably practicable steps to ensure that the information is complete, accurate, not misleading, and updated where necessary.

Marais Attorneys should accordingly take reasonable steps to ensure that personal information in its possession is accurate and, where this is not the case, to rectify or erase the personal information without delay.

Practical example: Marais Attorneys may circulate a notification to its employees annually requesting them to confirm that the personal details of the employee that Marais Attorneys has on record are still accurate or to provide any changes that have been made to the personal information by the employee.

Principle 6 – Openness

This condition requires a responsible party to take reasonably practicable steps to ensure that the data subject is aware of certain information, including:

o the type of personal information being collected;

o where the information is being collected from, if it is not directly from the data subject;

o the name and address of the responsible party;

o the purpose for which the information is collected;

o whether the supply of the information by the data subject is voluntary or mandatory;

o the consequences of failure to provide the personal information;

o any particular law authorizing or requiring the collection of the information;

o whether the responsible party intends to transfer the information to a foreign country and the level of protection afforded to the information by that country;

o any further information, such as:

  o the recipient or category of recipients of the personal information;

  o the nature or category of the personal information;

  o the existence of the right of access to information;

  o the right to object to the processing of personal information; and

  o the right to lodge a complaint with the Information Regulator.

This information should be provided in a concise, transparent and easily accessible form using clear and plain language. The information may be provided in writing or by other means, for example, electronically or by the use of graphics.

Where personal information is being collected directly from the data subject, these notification requirements must be adhered to before the information is collected, unless the data subject is already aware of the processing. Where the personal information is being collected from a third party, the notification must be made before the information is collected or as soon as reasonably practicable after it has been collected.

If Marais Attorneys intends to again collect the same or similar type of personal information for the same purpose, it is not required to re-notify the data subject.

POPIA also provides for certain circumstances where it will not be necessary for Marais Attorneys to comply with these notification requirements, for example if notification would prejudice a lawful purpose of the collection.

Practical example: If an employee is suspected of having committed misconduct in the form of setting up a business in competition with Marais Attorneys, prior notification may cause the deletion of the incriminating evidence and may thus jeopardise a lawful purpose of the collection.

Practical example: where Marais Attorneys is collecting information directly from individuals, for example when undertaking a market survey or through a ‘contact us’ section on its website, it must provide the information set out above at the time of collection.

Practical example: where Marais Attorneys acts as an advertising network, it should take steps to ensure that publishers’ privacy notifications contain the information required by POPIA as set out above. This includes making sure that appropriate obligations are included in the service agreements with the publishers. The information should also be made available on Marais Attorneys’ website and brought to the attention of the data subject.

This is a good opportunity for Marais Attorneys, which is subject to POPIA, to review its internal and external privacy notifications and ensure that they address all the information set out above. The review should include privacy notifications provided by operators who collect and process personal information on behalf of Marais Attorneys, for example website publishers. Marais Attorneys should review its contracts with these parties to ensure that they contain appropriate provisions requiring the other party to provide all the information required by law.

In reviewing and revising privacy notifications, Marais Attorneys should bear in mind the guidance above on what constitutes personal information (see ‘Key definitions’ above). Privacy notices that have been written with other jurisdictions in mind may describe personal information differently or fail to include certain information required by POPIA. These privacy notifications will need to be adapted accordingly.


Principle 7 – Security Safeguards

The responsible party is required to secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

In order to achieve this, the responsible party must take reasonable measures to:

o identify reasonably foreseeable risks to personal information in its possession or under its control;

o establish and maintain appropriate safeguards against identified risks;

o regularly verify that the safeguards are effectively implemented; and

o ensure that safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In this regard, POPIA requires a responsible party to have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

The measures to be implemented to secure the integrity of the personal information in Marais Attorneys’ possession relate to personal information stored electronically or in hardcopy.

Practical example: As part of the security measures relating to personal information stored electronically, Marais Attorneys must ensure that the personal information on laptop computers issued to employees is at least protected by encryption and anti-virus software.

Practical example: where Marais Attorneys deals with a specific category of personal information that may constitute special personal information, additional security measures may need to be implemented, such as limiting access to the information to certain authorised individuals.

Practical example: As part of the security measures relating to personal information stored in hard copy, Marais Attorneys should ensure that the personal information is stored in a locked room or cabinet and limit access to the room/cabinet to only certain authorised individuals.

Practical example: To the extent that employees are dealing with personal information in the performance of their day-to-day duties, Marais Attorneys should ensure that it has a policy in place regulating the employees’ use of that information, ensuring that the employees are subject to confidentiality obligations and that they take reasonable measures to safeguard the information in their possession.

The security safeguards condition also regulates the use by the responsible party of an operator to process the personal information, as well as data breaches (see ‘How does POPIA regulate the use of Operators’ and ‘Data breaches’ below).

Principle 8 – Data subject participation

POPIA strengthens a number of data subject rights under the current law, such as the right to access information. Responsible parties are under an obligation to notify data subjects of these rights in the relevant privacy notification (as set out above).

In terms of POPIA, a data subject has the right to:

1. request confirmation from the responsible party as to whether personal information about her/him/it is held by the responsible party;

2. request from the responsible party the record or a description of the personal information held;

3. request details in respect of the identity of third parties or categories of third parties who have, or have had, access to the information;

4. request the responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully;

5. request the responsible party to destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain; or

6. submit a complaint to the Information Regulator.

The right to confirmation and access

When the data subject exercises her/his/its right to request confirmation from Marais Attorneys as to whether it holds personal information about her/him/it, this would simply entail Marais Attorneys confirming it holds personal information or not. Marais Attorneys will not be required to provide a description of the personal information it holds relating to the data subject.

Practical example: a previous client of Marais Attorneys asks whether it holds any personal information relating to it since the termination of the relationship between the client and Marais Attorneys.

When a data subject exercises her/his/its right to request access to a record or a description of the personal information held, Marais Attorneys will be required to respond to the request in a reasonable time and in a manner that is generally understandable. Marais Attorneys may also charge the data subject a fee in respect of the request. In this regard, POPIA requires Marais Attorneys to provide the data subject with a fee estimate, and Marais Attorneys may require the data subject to pay a deposit for all or part of the fee.

Marais Attorneys may refuse to answer a request only on the basis of the grounds of refusal as set out in the Promotion of Access to Information Act (PAIA) (as mentioned above). The grounds of refusal include:

o Protecting the privacy of a third party: Marais Attorneys may be obliged to refuse access to a record, or part thereof, if the record involves the unreasonable disclosure of personal information about a third party, for example, another employee.

o Protecting confidential information or the commercial records of a third party: Marais Attorneys may refuse disclosure of a record, or part thereof, on the grounds that it contains: (i) its trade secrets or that of a third party; (ii) its financial, commercial or technical information or that of a third party, the disclosure of which is likely to cause harm to Marais Attorneys or the third party concerned.

o Protecting confidential information in terms of an agreement: Marais Attorneys may refuse a request for access to a record if the disclosure will amount to breach of a duty of confidence owed to a third party in terms of an agreement or contract.

o Protecting the safety of a person or juristic person: Marais Attorneys must refuse to disclose the information where such disclosure could compromise the safety of an individual or property.

POPIA provides that if there is a request for access to personal information and part of that information may or must be refused in terms of PAIA, every other part must be disclosed. For example, Marais Attorneys cannot refuse to provide a client or employee with a 50-page investigation report where only 3 pages contain confidential information. It would be required to provide the data subject with access to the 47 pages which do not disclose confidential information relating to its operations.

Practical example: an employee who is a witness in a sexual harassment case requests a copy of the sexual harassment investigation report prepared by Marais Attorneys. A portion of the report may contain personal information relating to the victim and alleged perpetrator of the alleged sexual harassment. Marais Attorneys may be required to provide the employee with access to the portions of the report that relate to her/him and might be able to redact the report accordingly.

The right to correct or delete

A data subject can request Marais Attorneys to correct or delete the personal information held by Marais Attorneys.

The question then arises whether Marais Attorneys is obliged to comply with such a request from a data subject. The answer is no: it will not be obliged to comply with such a request. In this regard, where agreement cannot be reached between Marais Attorneys and the data subject, and if the data subject so requests, Marais Attorneys must take steps to attach the request for correction or deletion to the information in such a manner that it will always be read with the information, and confirm that the information has not been corrected or deleted as per the request. Marais Attorneys should notify the data subject of the action that has been taken as a result of the request.

Practical example: a client requests that their contact details be corrected on Marais Attorneys’ system. If the client’s contact details are inaccurate, Marais Attorneys should accept the request and correct the personal information accordingly.

Practical example: an employee requests Marais Attorneys to correct her/his bad performance appraisal form on the basis that the employee does not agree that he/she is performing poorly. Should Marais Attorneys have grounds to believe that the employee is in fact performing poorly, it does not have to correct or change the performance appraisal form but must attach the employee’s request to the performance appraisal form.

A data subject who wishes to exercise his/her/its right to request a correction or deletion of personal information, or the destruction or deletion of a record, must submit a request to the responsible party using Form 2 as attached to the POPIA Regulations.

A copy of Form 2 is attached to this POPIA Toolkit marked Appendix B for your ease of reference.

The right to submit a complaint

A data subject has the right to submit a complaint to the Information Regulator alleging an interference with the protection of her/his/its personal information. An interference with the protection of the personal information of a data subject consists of any breach of the eight principles for the lawful processing of personal information or certain other provisions of POPIA.

A data subject who wishes to submit a complaint must submit such a complaint to the Information Regulator using Form 5 as attached to the POPIA Regulations.

A copy of Form 5 is attached to this POPIA Toolkit marked Appendix C for your ease of reference.

The processing of special personal information

Chapter 3, Part B, Sections 26 to 33

General Rule

POPIA contains a general prohibition against the processing of special personal information by a responsible party, subject to certain exceptions. These exceptions include:

1. where the data subject has consented to the processing;

2. where the processing is necessary for the establishment, exercise or defence of a right or obligation in law;

3. where the processing is necessary to comply with an obligation of international public law;

4. where the information has deliberately been made public by the data subject;

5. where the processing is for historical, statistical or research purposes and:

o the purpose of the processing serves a public interest;

o the processing serves this public interest;

o it is impossible or would involve a disproportionate effort to obtain consent; and

o sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;

6. where the processing falls under the specific circumstances provided for in sections 28 to 33 of POPIA (as set out in detail below); or

7. where the Information Regulator authorises the processing upon an application by the responsible party, provided that such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information.

As POPIA provides for a general prohibition on the processing of special personal information, Marais Attorneys should only process special personal information where it is strictly necessary and can be justified on one of the grounds set out above. One of the most common grounds used to process special personal information is consent (see ‘How do we deal with consent under POPIA?’ below).

When processing special personal information, Marais Attorneys is still required to ensure compliance with the eight principles for the lawful processing of personal information. Given the sensitive nature of the information, Marais Attorneys should take extra care in ensuring that the special personal information in its possession is subject to heightened security safeguards and confidentiality undertakings where required.

As mentioned above, POPIA provides for specific circumstances in which a particular category of special personal information may be processed. These are generally referred to as the “internal justifications”, as these justifications apply in respect of the specific type of special personal information concerned. To the extent that certain of these circumstances may apply to Marais Attorneys, we set out a summary of these provisions below.

Race or ethnic origin

The prohibition of processing of the data subject’s race or ethnic origin does not apply if the processing is carried out to:

1. identify data subjects, but only if it is essential for this purpose; and

2. comply with laws and measures designed to protect or advance persons or categories of persons disadvantaged by unfair discrimination.

Practical example: Marais Attorneys may process details relating to an employee’s race for purposes of submitting its annual employment equity report as may be required in terms of the Employment Equity Act, 1998.

Trade union membership

The prohibition of processing of the data subject’s trade union membership does not apply to the processing by the trade union to which the data subject belongs, or the trade union federation to which the trade union belongs, if it is necessary to achieve the aims of the trade union or federation.

In these circumstances, the information may not be supplied to third parties without the data subject’s consent.

Practical example: Marais Attorneys employees join a trade union and provide Marais Attorneys with requests for the deduction of union subscriptions in accordance with section 13 of the Labour Relations Act. Processing of this information is permitted because it is done with the express, written consent of the employee concerned.

Health or sex life

The prohibition of processing of the data subject’s health or sex life does not apply to the processing by, among others, administrative bodies, pension funds, employers or institutions working for them, if the processing is necessary for the implementation of laws or agreements, or the re-integration of or support for workers entitled to benefit in connection with sickness or work incapacity.


Practical example: Marais Attorneys screens employees and clients when they enter its premises in order to comply with the National Disaster Management Regulations implemented in respect of the Covid-19 pandemic.

Practical example: an employee of Marais Attorneys becomes temporarily disabled and Marais Attorneys processes the employee’s medical reports in order to reasonably accommodate the employee in the workplace.

The processing of personal information concerning a data subject’s health or sex life may only take place subject to an obligation of confidentiality, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process the information.

How does POPIA deal with personal information of children?

Sections 34 and 35

Who is a child?

For purposes of POPIA, a child means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning himself or herself.

Children have specific protections under POPIA as they may have less awareness of their rights and the associated risks of their personal information being processed.

When can you process the personal information of children?

POPIA contains a general prohibition on the processing of personal information concerning a child. Accordingly, as a general rule, Marais Attorneys may not process personal information concerning a child.

There are, however, certain exceptions to this general prohibition on the processing of personal information of children.

Where Marais Attorneys is in a position to determine the age of an individual and such individual is a child for purposes of POPIA, it should first consider whether it is able to exclude the processing of the child’s personal information altogether. For example, it may be reasonably practicable to obtain the prior consent of the competent person.

Where a deliberate decision is taken to collect personal information from children (such as when conducting market research in relation to children), Marais Attorneys should obtain consent from a parent or other competent person unless it is clear that another ground for the processing as set out above is available.

In cases where Marais Attorneys is not able to determine precisely the age of an individual (for example, in the context of online advertising, where it merely holds a unique ID and information about the web pages visited), Marais Attorneys should consider whether there are any steps that it can take to reduce the risk of inadvertently processing personal information about children or to minimise the extent of the processing. For example, an advertising network may decide not to include adverts for products or services targeted at children, or not to serve adverts where inferred demographics indicate that the individual is likely to be a child.

How do we deal with consent under POPIA?

What is consent?

For purposes of POPIA, consent means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. The data subject should be informed of the purpose of the processing of the personal information and the likely recipients of the information in order to make an informed decision about whether or not to consent to the processing.

When should we rely on consent?

Consent is one of the grounds under which personal information and special personal information can be processed. Consent is not, however, the only basis for the processing of personal information under POPIA. As explained above, there may be other grounds under POPIA upon which personal information and/or special personal information may be processed – such as where it is necessary to comply with an obligation imposed by law.

Where Marais Attorneys seeks to rely on consent to process personal information, POPIA places a burden of proof on Marais Attorneys to demonstrate that the data subject has provided her/his/its consent to the processing, that the consent was given voluntarily, and that it was specific and informed.

Marais Attorneys should not seek to rely on consent as the only ground for processing personal information. This doesn’t mean consent should not be used. As explained below, there will be circumstances where it is appropriate and necessary to obtain consent. However, because consent is required to be a voluntary, specific and informed expression of will, there is a risk that the validity of a data subject’s consent may be challenged. In addition, a data subject may withdraw their consent at any time. In these circumstances, if there is no other ground for the processing of personal information, Marais Attorneys may not be permitted to carry on with the processing. Accordingly, Marais Attorneys should assess whether another ground for processing (such as the performance of a contract or legitimate interests) is available and record the grounds upon which they are relying when processing the personal information.

If Marais Attorneys decides that other grounds are available, consent can still be obtained as a ‘fall-back’ in case those other grounds are challenged. If, however, there is no other ground available and Marais Attorneys is relying on consent alone (which may be the case in relation to special personal information), Marais Attorneys will need to be particularly careful about ensuring that consent has been validly obtained.

Marais Attorneys should note that direct marketing via unsolicited electronic communications (including automated calling systems, fax, email and SMS) generally requires a data subject’s consent under POPIA. There is, however, an exception where Marais Attorneys processes customers’ personal information for direct marketing purposes and the customers’ details have been obtained in the context of a sale of a similar product or service.

Ensuring the validity of consent

A data subject may consent to the processing of personal information through ticking a box when visiting a website that depicts a privacy/processing notice, or through other conduct that clearly indicates their informed agreement to the proposed processing of the personal information. However, failure to tick an opt-out box is not informed consent and will not be valid consent under POPIA.

In order to ensure that the consent is a specific and informed expression of will, the consent should be provided in relation to a clear privacy/processing notification or policy, rather than being addressed in a clause in a long set of terms and conditions. It should accordingly be distinguishable from other matters.

Consent will not be voluntarily given if the data subject has no genuine choice or is unable to refuse or withdraw consent without detriment.

Practical example: in the employment context, there may be an imbalance of power between Marais Attorneys and an employee, and an employee may feel obliged to provide their consent in circumstances where their job security may be at risk. It would therefore be preferable for Marais Attorneys to be able to justify the processing of employee personal information on other grounds, such as the legitimate interests of Marais Attorneys.

Practical example: Consent by an employee upfront in an employment contract to undergo medical examinations whenever required by Marais Attorneys will not pass muster, because it would not be specific and informed.

Implications for Marais Attorneys

Marais Attorneys should review their use of consent to establish:

o What processing purposes are relying on a data subject’s consent;

o Whether consent is the only ground that may be used in those circumstances; and

o Whether the consent wording or methods used meet the requirements under POPIA.

To rely on consent, Marais Attorneys must be able to demonstrate that the data subject has provided consent. This means that where Marais Attorneys uses consent as a ground for processing personal information, it must keep a record of the consents obtained. Marais Attorneys should consider what evidence will be required, which should at least include copies of consent or website forms and other content, so that Marais Attorneys can demonstrate how the consent was obtained.

When Marais Attorneys collects personal information as a third party on a publisher’s website (for example, where it acts as an advertising network), Marais Attorneys will be responsible for ensuring that the necessary consent has been obtained. In practice, however, third parties usually have no direct interface with the user, and will not be able to obtain consent directly, meaning that Marais Attorneys will be reliant on the publisher to obtain consent. It is therefore important that Marais Attorneys’ contracts with publishers contain appropriate provisions requiring the publishers to make adequate disclosures and obtain informed consent from users.

As data subjects are able to withdraw their consent at any time under POPIA, it is important for Marais Attorneys to make a mechanism available for the withdrawal of consent, for example a web page where the user can opt out of the processing of their personal information by Marais Attorneys.

Cross-border transfers under POPIA

Section 72

Transfers of personal information outside of South Africa, both to other affiliated companies and to external third parties, are regulated under POPIA.

POPIA contains a general prohibition on the transfer of personal information of data subjects to a third party in a foreign country. To the extent that Marais Attorneys has a valid reason to transfer a data subject’s personal information to a third party outside of the borders of South Africa, Marais Attorneys should ensure that one of the exceptions to the general prohibition against such processing, set out in POPIA, applies.

Practical example: Marais Attorneys transfers personal information to a client in the United States subject to a data transfer agreement entered into between the parties which requires the third party to comply with the principles of the lawful processing of personal information as set out in POPIA. This may be regarded as an agreement that provides an adequate level of protection.

Practical example: Marais Attorneys transfers employees’ personal information to a payroll provider in the United Kingdom to process payment of their thirteenth cheque/annual bonus. The transfer may be necessary for the performance of the employment contract between the employee and Marais Attorneys. The United Kingdom has data protection legislation in place that affords similar protection to what is contained in POPIA, and such a transfer would be permissible.

Safe harbour exemption

As set out above, the safe harbour exemption requires that the third party recipient of the personal information in a foreign country (who can be a responsible party or an operator) be subject to a law, binding corporate rules or an agreement which provides an “adequate level of protection”.

POPIA unfortunately does not specify which countries would be regarded as having laws that provide an adequate level of protection or the manner in which such countries will be identified for purposes of POPIA. We hope to receive further guidance from the Information Regulator in this regard.

It is worth noting that POPIA was drafted to align with the provisions of the previous Data Protection Act in Europe. Europe has since adopted the GDPR, but a number of similar principles have been retained in the GDPR. Accordingly, we are hopeful that European countries that are subject to the GDPR will be regarded as having an adequate level of protection for purposes of POPIA (for example, Germany, Ireland, France).

In the absence of a law that provides an adequate level of protection, POPIA allows Marais Attorneys to establish binding corporate rules or an agreement to provide for an adequate level of protection of the personal information. For purposes of POPIA, “binding corporate rules” means personal information processing policies within a group of undertakings, which are adhered to by a responsible party or operator within that group when transferring personal information to another entity within that group in a foreign country.

When is prior authorisation from the Information Regulator required?

Sections 57 to 59

In certain circumstances, POPIA requires a responsible party to obtain authorisation from the Information Regulator prior to processing the personal information of a data subject. Such prior authorisation is required only once and not each time that the personal information is received or processed, except where the processing departs from that which has been authorised initially.

Practical example: Marais Attorneys is required by a client to conduct criminal record checks of its employees on behalf of the client. In these circumstances, the client will be required to obtain prior authorisation from the Information Regulator before Marais Attorneys will be able to commence processing the personal information.

Practical example: Marais Attorneys is required to transfer details relating to an employee’s race as part of the marketing of services to a third party in India. India is unlikely to be regarded as having an adequate level of protection and, as race constitutes special personal information, Marais Attorneys will be required to obtain the Information Regulator’s prior authorisation.

In circumstances where Marais Attorneys will require the prior authorisation of the Information Regulator, it may not carry out the processing of the personal information that has been notified to the Information Regulator until the Regulator has completed its investigation, or until the Regulator has confirmed that it will not conduct a more detailed investigation.

The Information Regulator is required to inform Marais Attorneys in writing within 4 weeks of the date of notification whether it will conduct a more detailed investigation. Such a more detailed investigation may not exceed a period of 13 weeks. If the Information Regulator does not issue a decision within this period (or a shorter period as may have been indicated), Marais Attorneys may assume a decision in its favour and may continue with the processing.

If Marais Attorneys fails to request prior authorisation from the Information Regulator, the responsible party will be guilty of an offence and liable for a fine and/or imprisonment.

How does POPIA regulate the use of Operators?

Sections 20 and 21

POPIA regulates the use by a responsible party of an operator (as defined) to process personal information (see ‘The Role Players’ above).

Where information is processed by an operator on behalf of a responsible party: (i) the responsible party must be aware of the processing and must have authorised the processing, and (ii) the operator must treat the personal information as confidential and not disclose it, unless required by law or in the course of the proper performance of its duties.

POPIA further provides that there must be a written contract between the responsible party and the operator for the processing of the information on behalf of the responsible party in terms of which:

o the operator must undertake to establish and maintain appropriate security measures to ensure the integrity and confidentiality of the information; and

o the operator must take appropriate, reasonable technical and organisational measures to prevent a) loss of, or damage to, or unauthorised destruction of personal information, and b) unlawful access to or processing of personal information.


The operator is required to immediately notify the responsible party concerned where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person.

Practical example: Marais Attorneys appoints a payroll provider to pay its employees’ monthly salaries on behalf of Marais Attorneys. Marais Attorneys will be the responsible party and the payroll provider will be the operator. Marais Attorneys will accordingly be required to enter into a written contract with the payroll provider, which, amongst other things, places obligations on the payroll provider to put in place adequate security measures to protect the personal information.

Implications for Marais Attorneys

Where Marais Attorneys is determining the purpose of processing personal information in respect of employees and clients, it will be the responsible party and would need to ensure compliance with the above requirements when appointing an operator to process the personal information on its behalf. As set out above, Principle 1 – Accountability provides that a responsible party will always be held liable to ensure compliance with the provisions of POPIA. This means that in the event that an operator breaches the provisions of POPIA, the responsible party may be held liable.

It is accordingly crucial for Marais Attorneys, when it seeks to appoint an operator, to enter into a written agreement requiring the operator to comply with the provisions of POPIA when processing the personal information. Depending on the relationship between the parties, Marais Attorneys may want to require the operator to sign an indemnity in which it indemnifies Marais Attorneys for any loss or damage suffered as a result of the operator failing to comply with the provisions of POPIA.

Data Breaches

Section 22

POPIA requires responsible parties to notify both (i) the Information Regulator and (ii) the data subject concerned (unless the identity of the data subject cannot be established) about a data breach.

What is a data breach?

For purposes of POPIA, a data breach occurs where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person. A data breach under POPIA is accordingly widely defined and can encompass a number of potential security compromises to personal information held by Marais Attorneys.

Practical example: a Marais Attorneys employee leaves documents containing client information on an aeroplane and is unable to retrieve them. In these circumstances, there are reasonable grounds to believe that the personal information of the client has been acquired by an unauthorised person.

Practical example: Marais Attorneys’ IT systems are compromised as a result of an employee clicking a fraudulent link. Upon investigation by the IT department, it appears that certain personal information was not encrypted and could have been accessed by an unauthorised third party. In these circumstances, there may be reasonable grounds to believe that an unauthorised individual has accessed personal information stored on Marais Attorneys’ systems.

Notifying Marais Attorneys

If it is known or suspected that a data breach has taken place, the individual with that knowledge is under a strict obligation to inform the relevant Marais Attorneys Information Officer immediately. There are no exceptions to this requirement. Marais Attorneys in South Africa should ensure that all employees are aware of this requirement and of the process for notifying the Information Officer.

This obligation to report a data breach is very important and a failure by a person to notify a data breach may be subject to appropriate disciplinary action.

Notification to the Information Regulator and data subject

POPIA requires the notification to the Information Regulator and the data subject/s to be made as soon as reasonably possible after the discovery of the data breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the data breach and to restore the integrity of the information system.

A notification to a data subject may, however, be delayed if a public body responsible for the prevention, detection or investigation of offences, or the Information Regulator, determines that the notification will impede a criminal investigation by the public body concerned.

Where Marais Attorneys has reasonable grounds to believe that a data breach has occurred, it should accordingly notify the Information Regulator in writing as soon as possible. There is no time frame prescribed by POPIA for the notification, and appropriate advice must be obtained in each instance.

Practical example: Experian South Africa experienced a data breach in which it accidentally handed over the personal details of 24 million South Africans and nearly 800 000 businesses to a fraudster. The data breach was purportedly discovered by Experian on 22 July 2020. Yet, Experian approached the Information Regulator on 6 August 2020 for a meeting. The Regulator received a report from Experian on 14 August 2020.


The Information Regulator found that Experian failed to comply with the notification requirements in POPIA as POPIA clearly states that notification must be made as soon as reasonably possible after the discovery of the data breach. The Information Regulator found that the delay in reporting constituted a breach of POPIA.

Implications for Marais Attorneys

Where Marais Attorneys processes personal information as an operator on behalf of a client and a data breach occurs, Marais Attorneys must notify the client immediately after becoming aware of the data breach. Clients may request Marais Attorneys to notify them of data breaches within unrealistic timeframes, for example 12 hours. This should be considered carefully, and Marais Attorneys should not agree to timeframes which it will be unable to meet in practice given its operations.

Marais Attorneys should also avoid assuming obligations to notify a client of a “potential” or “possible” data breach. Notifications should be limited to circumstances where a data breach has occurred as defined in POPIA above. Any time periods for notification should also begin only once the data breach has come to Marais Attorneys’ attention, since there may be a delay between the breach occurring and Marais Attorneys detecting the breach.

If Marais Attorneys is a responsible party (either alone or jointly with a client), it should be careful not to agree to restrictions that might prevent it from meeting its notification obligations under POPIA. For example, provisions that prevent Marais Attorneys from notifying the Information Regulator of a data breach without the client’s prior approval should be avoided.

The registration and duties of an Information Officer under POPIA (Sections 55 and 56; Regulation 4)

Registration of Information Officers and Deputy Information Officers

POPIA requires every responsible party (regardless of its size or form) to appoint and register an Information Officer with the Information Regulator.

Information Officers are, by virtue of their positions, appointed automatically in terms of PAIA. The Information Officers for purposes of POPIA are the same Information Officers as referred to in PAIA. In this regard, the Information Officer in relation to a private body means the head of a private body as contemplated in PAIA. In respect of private bodies, this would be the Chief Executive Officer, Managing Director or equivalent officer of Marais Attorneys, or any person duly authorised by that officer.

Having regard to the extensive duties and responsibilities assigned to an Information Officer as set out below, it is unlikely that a Chief Executive Officer would have the capacity to perform these duties and responsibilities. The Chief Executive Officer or equivalent officer may, however, authorise any person to act as the Information Officer, and such authorisation is required to be in writing.

In terms of the Guidance Note on Information Officers and Deputy Information Officers recently published by the Information Regulator (the Guidance Note), any person authorised as the Information Officer should be at an executive level or equivalent position. Further, to ensure accessibility of a private body, the Information Officer of a multinational entity based outside of South Africa should authorise a person within South Africa as an Information Officer and each subsidiary of a group of companies should appoint and register its Information Officer with the Regulator. Despite the authorisation to another person, the ‘default’ Information Officer retains the accountability and responsibility for any power or function authorised to that person in terms of POPIA.

In addition, depending on the structure and size of an organisation, POPIA allows a responsible party to designate one or more individuals as Deputy Information Officers as may be necessary to allow for the responsible party to be as accessible as reasonably possible. It appears from PAIA and the Guidance Note that only employees of the responsible party can be designated as Deputy Information Officers. The designation of Deputy Information Officers, if any, by the responsible party must be in writing.

It may be a good idea in larger organisations to appoint a number of Deputy Information Officers and assign them particular duties and responsibilities under POPIA. In this regard, the Guidance Note provides the following assistance to organisations to identify the appropriate employees for the role:

o any Deputy Information Officer should report to the highest management office within the organisation. This means that only an employee at a level of management and above should ideally be considered for designation as a Deputy Information Officer;

o the Deputy Information Officer should be accessible, have a reasonable understanding of the organisation’s operations and processes, and should have a good understanding of POPIA and PAIA in order to perform her/his duties; and

o the Deputy Information Officer should be provided with sufficient time and adequate resources to devote to matters concerning POPIA and PAIA.

In addition to the Information Officer, Marais Attorneys will also be required to register the Deputy Information Officers appointed with the Information Regulator.


This registration must be done by 1 July 2021. In this regard, the Guidance Note provides that an Information Officer must either: (i) complete and submit an online registration form, or (ii) complete the registration form attached to the Guidance Note manually and submit it to the Information Regulator’s offices (either by delivering the form to its physical address, or by email to: [email protected]).

In order to speed up the registration process, the Information Regulator has encouraged organisations to submit their applications for registration online and is developing an online portal in this regard, which portal is expected to be live by the end of April 2021. Accordingly, the Information Regulator has indicated that the registration process will commence from 1 May 2021.

A template letter for the appointment of an Information Officer and deputy Information Officers is attached to this POPIA Toolkit marked Appendix D for your ease of reference.

Only once the Information Officer and Deputy Information Officers, if any, are registered with the Information Regulator, are they allowed to commence their duties under POPIA.

Duties of an Information Officer

POPIA prescribes certain duties that an Information Officer is required to comply with. These duties include:

o ensuring that the responsible party complies with the provisions of POPIA, including the conditions for the lawful processing of personal information;

o dealing with requests made to the responsible party under POPIA;

o assisting the Information Regulator with any investigations conducted in respect of the responsible party; and

o any other duties as may be prescribed from time to time.

In addition to the duties set out in POPIA above, the POPIA Regulations prescribe additional duties to be performed by Information Officers, which include ensuring that:

o a compliance framework is developed, implemented, monitored and maintained;

o a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

o a manual is developed, maintained and made available as prescribed in terms of PAIA;


o internal measures are developed together with adequate systems to process requests for information; and

o internal awareness sessions are conducted regarding the provisions of POPIA and the Regulations.

The Information Officer’s contact details should be published on the Marais Attorneys’ internet and communicated to employees.

Enforcement of the provisions of POPIA (Chapter 10, Sections 73 to 99)

The enforcement regimes introduced under POPIA are extensive and there is a significant risk of a responsible party incurring liability as a result of a failure to process personal information lawfully and in accordance with the provisions of POPIA.

Complaints

Complaints regarding alleged interference with the protection of the personal information of a data subject may be submitted to the Regulator, in writing. The Regulator may also, of its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject.

Upon receipt of a complaint, the Information Regulator is empowered to do one of the following:

Conduct a pre-investigation

In these circumstances, the Information Regulator should inform the complainant, the data subject (if it is not the complainant) and any person alleged to be aggrieved of the Information Regulator’s intention to conduct an investigation.

The Information Regulator should also inform the Marais Attorneys concerned of the details of the complaint and the right to submit a written response to the complaint.

Act as a conciliator

If it appears from the complaint or the Marais Attorneys’ response that it may be possible to secure a settlement between the parties and, if appropriate, a satisfactory assurance against the repetition of an action that is the subject-matter of the complaint, the Information Regulator may use its best endeavours to secure such a settlement and assurance.

Decide to take no action or to take further action

The Information Regulator can decide not to take any action, or require no further action, in respect of the complaint if:

o the length of time that has elapsed between the date when the dispute arose and the date on which the complaint was made is such that an investigation is no longer practicable or desirable;

o the subject matter of the complaint is trivial;

o the complaint is frivolous or vexatious or not made in good faith;

o the complainant does not desire action to be taken or continued;

o the complainant does not have a sufficient personal interest in the subject matter of the complaint; or

o the complainant has failed to follow the process set out in an applicable code of conduct.

The Information Regulator will be required to inform the complainant of the decision and the reasons for it.

Conduct a full investigation

The Information Regulator may conduct a full investigation into the complaint and in this regard:

o summon the appearance of persons before the Information Regulator and compel them to give oral or written evidence on oath, and to produce records;

o administer oaths;

o receive and accept evidence, whether on oath or by affidavit or otherwise;

o enter the premises of the responsible party;

o conduct an interview with any person in any premises.

The Information Regulator must inform the complainant and the Marais Attorneys as soon as reasonably practicable of the outcome of the investigation. This might be:

o that there was no interference with the processing of the personal information of the data subject;

o that the complaint is referred to the Enforcement Committee;

o that an enforcement notice is served;

o that an enforcement notice is cancelled; or

o that an appeal against the enforcement notice is allowed, the notice is substituted or the appeal is dismissed.

Refer the complaint to the Enforcement Committee

After completing the investigation, the Information Regulator may refer the matter to the Enforcement Committee for consideration. The Enforcement Committee may make a recommendation regarding any action that may need to be taken against Marais Attorneys in terms of POPIA, or against an Information Officer or head of a private body in terms of PAIA.

If the Information Regulator is satisfied, having considered the recommendation by the Enforcement Committee, that there was interference with the processing of a data subject’s personal information, the Information Regulator may serve an enforcement notice on Marais Attorneys.

Marais Attorneys has a right to appeal against the enforcement notice in the High Court having jurisdiction.

Take such further action as contemplated by POPIA

In appropriate circumstances, the Regulator may cancel an enforcement notice.

Consequences of non-compliance with the provisions of POPIA (Chapters 10 and 11)

A failure to comply with the provisions of POPIA exposes Marais Attorneys to financial and/or criminal liability. This means a bigger stick for the Information Regulator and more rights for data subjects.

It is anticipated that the following consequences could arise following an issue of non-compliance with POPIA by Marais Attorneys:

1. The imposition of an administrative fine by the Information Regulator of up to ZAR10 million.

2. Imprisonment in certain circumstances as provided for in POPIA (see further detail below).

3. Reputational damage as a result of a data breach or failing to comply with the provisions of POPIA.

4. Compensation or damages claims brought by a data subject, or by the Information Regulator at the request of a data subject. This could also include class actions.

5. Litigation for breach of contracts brought by third parties involved with Marais Attorneys.

Criminal offences

Certain actions will constitute criminal offences under POPIA, namely:

o hindrance, obstruction or unlawful influence of the Information Regulator or anyone acting on its behalf or under its direction in the performance of the Information Regulator’s duties and functions;

o breach of the duty of confidentiality by a person acting on behalf of or under the direction of the Information Regulator;

o intentional obstruction of a person in the execution of a warrant;

o failure to comply with an enforcement notice;

o making false statements, knowing that they are false or recklessly making a statement which is false in a material respect;

o failure, without sufficient cause, to comply with any summons to appear before the Information Regulator to give evidence or produce books or documents; and

o certain acts in connection with the bank account number of a data subject.

Upon conviction, the person having committed an offence may be liable to a fine or imprisonment.


APPENDIX A – OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION

FORM 1

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 2]

Note:

1. Affidavits or other documentary evidence as applicable in support of the objection may be attached.

2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

3. Complete as is applicable.

A DETAILS OF DATA SUBJECT

Name(s) and surname / registered name of data subject:

Unique Identifier / Identity Number:

Residential, postal or business address:

Code (          )

Contact number(s):

Fax number / E-mail address:

B DETAILS OF RESPONSIBLE PARTY

Name(s) and surname / registered name of responsible party:

Residential, postal or business address:

Code (          )

Contact number(s):

Fax number/ E-mail address:

C REASONS FOR OBJECTION IN TERMS OF SECTION 11(1)(d) to (f) (Please provide detailed reasons for the objection)

Signed at .......................................... this ...................... day of ...........................20………...

............................................................

Signature of data subject / designated person


APPENDIX B – REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION

FORM 2

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 3]

Note:

1. Affidavits or other documentary evidence as applicable in support of the request may be attached.

2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

3. Complete as is applicable.

Mark the appropriate box with an "x".

Request for:

Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.

Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorised to retain the record of information.

A DETAILS OF THE DATA SUBJECT

Name(s) and surname / registered name of data subject:

Unique identifier / Identity Number:

Residential, postal or business address:

Code ( )

Contact number(s):

Fax number/E-mail address:

B DETAILS OF RESPONSIBLE PARTY

Name(s) and surname / registered name of responsible party:

Residential, postal or business address:

Code ( )

Contact number(s):

Fax number / E-mail address:

C INFORMATION TO BE CORRECTED / DELETED / DESTRUCTED / DESTROYED


D REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(a) WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY; and/or

REASONS FOR *DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(b) WHICH THE RESPONSIBLE PARTY IS NO LONGER AUTHORISED TO RETAIN.

(Please provide detailed reasons for the request)

Signed at .......................................... this ...................... day of ...........................20………...

...........................................................................

Signature of data subject / designated person


APPENDIX C – COMPLAINT REGARDING INTERFERENCE WITH POPIA

FORM 5

COMPLAINT REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION / COMPLAINT REGARDING DETERMINATION OF AN ADJUDICATOR IN TERMS OF SECTION 74 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 7]

Note:

1. Affidavits or other documentary evidence as applicable in support of the request may be attached.

2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.

3. Complete as is applicable.

Mark the appropriate box with an "x".

Complaint regarding:

Alleged interference with the protection of personal information

Determination of an adjudicator.

PART I

ALLEGED INTERFERENCE WITH THE PROTECTION OF THE PERSONAL INFORMATION IN TERMS OF SECTION 74(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (Act No. 4 of 2013)

A PARTICULARS OF COMPLAINANT

Name(s) and surname / registered name of data subject:

Unique Identifier / Identity Number:

Residential, postal or business address:

Code ( )

Contact number(s):

Fax number/ E-mail address :

B PARTICULARS OF RESPONSIBLE PARTY INTERFERING WITH PERSONAL INFORMATION

Name(s) and surname/ Registered name of responsible party:

Residential, postal or business address:


Code ( )

Contact number(s):

Fax number / E-mail address:

C REASONS FOR COMPLAINT (Please provide detailed reasons for the complaint)

PART II

COMPLAINT REGARDING DETERMINATION OF ADJUDICATOR IN TERMS OF SECTION 74(2) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

A PARTICULARS OF COMPLAINANT

Name(s) and surname / registered name of data subject:

Unique Identifier / Identity Number:

Residential, postal or business address:

Code ( )

Contact number(s):

Fax number/ E-mail address:

B PARTICULARS OF ADJUDICATOR AND RESPONSIBLE PARTY

Name(s) and surname of adjudicator:

Name(s) and surname of responsible party/registered name:

Residential, postal or business address:

Code ( )

Contact number(s):

Fax number/ E-mail address:

C REASONS FOR COMPLAINT (Please provide detailed reasons for the grievance)


Signed at .......................................... this ...................... day of ...........................20………...

.......................................................................

Signature of data subject / designated person


APPENDIX D

CONFIRMATION AS INFORMATION OFFICER

(In terms of section 55 of the Protection of Personal Information Act, 2013 (POPIA) and Section 1 of the Promotion of Access to Information Act, 2000 (PAIA))

Dear [insert name of Information Officer]

RE: DUTIES AND RESPONSIBILITIES IN TERMS OF PAIA AND POPIA

We confirm that the Company is incorporated and registered in South Africa. Marais Attorneys conducts its business in various jurisdictions, including South Africa.

In your capacity as Chief Executive Officer of the Company, you are regarded as the head of the Company for purposes of the provisions of the Promotion of Access to Information Act, 2000 (PAIA), as well as the Company’s Information Officer for purposes of the Protection of Personal Information Act, 2013 (POPIA).

You are required to comply with all duties and responsibilities imposed on you in terms of PAIA and POPIA respectively. Please refer to Annexure A regarding the duties and responsibilities in terms of POPIA and PAIA.

You may designate up to [insert number, e.g. 3] deputy Information Officers to assist you with the performance of these duties and responsibilities. Such designation and delegation must take place in writing and must be confirmed, in writing, to the Company’s Board of Directors within 14 days of the designation/delegation having been made.

Please note that notwithstanding the designation of deputy Information Officers or the delegation of your duties and responsibilities, you shall remain accountable and responsible for the performance of these duties.

Please direct any questions you may have pertaining to your duties and responsibilities in terms of PAIA and/or POPIA to [insert name].

Yours sincerely

_________________________

Chairman of the Board of Directors

Date:

Place:

ACKNOWLEDGEMENT

I hereby acknowledge my duties and responsibilities of the Company’s head for purposes of PAIA and its Information Officer for purposes of POPIA.

_________________________

Name and Surname

Date:

Place:


DESIGNATION AND DELEGATION OF AUTHORITY TO THE DEPUTY INFORMATION OFFICER

(In terms of section 56 of the Protection of Personal Information Act, 2013 (POPIA) and Section 1 of the Promotion of Access to Information Act, 2000 (PAIA))

I, the undersigned,

_________________________ (Name of the Information Officer)

confirm that I am the head of Marais Attorneys Proprietary Limited (Company) for purposes of the Promotion of Access to Information Act (PAIA), and the Company’s Information Officer for purposes of the Protection of Personal Information Act (POPIA). The Company is incorporated and registered in South Africa. The Company conducts its business in various jurisdictions, including South Africa.

I hereby designate you, [insert name of the person being designated], as a Deputy Information Officer of the Company. Furthermore, I hereby delegate to you the powers, duties and responsibilities as conferred or imposed on me by POPIA and PAIA in respect of the Company’s operations in South Africa. Please refer to Annexure A regarding the duties and responsibilities in terms of POPIA and PAIA respectively.

This designation and delegation shall be effective from [insert date] and shall [expire on [insert date]] OR [terminate upon written notice to you to this effect].

Please be advised that I shall be entitled to exercise any of the powers, duties and responsibilities conferred herein at any time, and shall be entitled to amend and/or withdraw any of the powers, duties and responsibilities delegated to you from time to time.

_________________________

Information Officer

Date:

Place:

By my signature herein below, I hereby accept the delegation and designation as the Deputy Information Officer as set out herein.

_________________________

[Name of the designate]

Date:

Place:


ANNEXURE A

DUTIES AND RESPONSIBILITIES OF AN INFORMATION OFFICER IN TERMS OF SECTION 55 OF POPIA AND REGULATION 4 OF THE REGULATIONS ISSUED IN TERMS OF POPIA

The encouragement of compliance by the Company with the conditions for the lawful processing of personal information;

Ensuring that a compliance framework is developed, implemented, monitored and maintained;

Ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to ensure compliance with the conditions of lawful processing;

Developing internal measures and systems to process requests for access to information;

Conducting internal awareness sessions regarding the provisions of POPIA, the Regulations and any applicable Guidelines or Codes of Conduct;

Dealing with requests made to the Company pursuant to the provisions of POPIA;

Working with the Information Regulator in relation to investigations conducted in terms of POPIA;

Ensuring compliance by the Company with the provisions of POPIA;

Cooperating with all applicable regulatory bodies, including the Enforcement Committee and/or the Information Regulator, as may be required;

Any other duties that may be prescribed from time to time.

DUTIES AND RESPONSIBILITIES OF THE HEAD OF THE PRIVATE BODY IN TERMS OF PAIA

Compiling and regularly updating the Company’s Manual in accordance with the provisions of section 51 of PAIA. (Please note that the wilful or gross negligent failure to comply with this requirement constitutes a criminal offence under PAIA);

Dealing with requests for access to records made to the Company in terms of Part 3 of PAIA;

Ensuring compliance with court orders in terms of Part 4, Chapter 2 of PAIA;

Cooperating with all applicable regulatory bodies, including the Information Regulator and the Human Rights Commission, as may be required;

Any other duties that may be prescribed from time to time.