This document provides an overview of the Protection of Personal Information Act (POPI) in South Africa, outlining its key purposes and definitions. The POPI Act introduces 8 key principles for lawful personal data processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. It also covers provisions around consent requirements for direct marketing and penalties for non-compliance. The overall aim of the POPI Act is to protect personal information and establish requirements for its lawful processing.

1. Saying ‘I Don’t’: The
requirement of data
subject consent for
purposes of data
processing and
marketing
Ina Meiring

2. PURPOSE
To promote the protection of personal information
processed by public and private bodies;
to introduce [information protection principles] certain
conditions so as to establish minimum requirements for
the processing of personal information;
to provide for the establishment of an Information
[Protection] Regulator;
to provide for the issuing of codes of conduct;
to provide for the rights of persons regarding unsolicited
electronic communications and automated decision
making;
to regulate the flow of personal information across the
borders of the Republic.

3. DEFINITIONS
"data subject" means the person to whom personal
information relates;
"processing" means any operation or activity or any
set of operations, whether or not by automatic means,
concerning personal information, including—
(a) the collection, receipt, recording, organisation,
collation, storage, updating or modification, retrieval,
alteration, consultation or use;
(b) dissemination by means of transmission,
distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation,
erasure or destruction of information;

4. DEFINITIONS
"responsible party" means a public or private body or any
other person which, alone or in conjunction with others,
determines the purpose of and means for processing personal
information
POPI applies to the processing of personal information -
entered in a record by or for a responsible party by making
use of automated or non-automated means: Provided that
when the recorded personal information is processed by non-
automated means, it forms part of a filing system or is
intended to form part thereof; and
where the responsible party is—
domiciled in the Republic; or
not domiciled in the Republic, but makes use of automated
or non-automated means that are situated in the
Republic, unless those means are used only to transfer
personal information through the Republic.

5. PERSONAL INFORMATION
"personal information" means information relating to
an identifiable, living, natural person, and where it is
applicable, an identifiable, existing juristic person,
including, but not limited to—
(a) information relating to the race, gender, sex,
pregnancy, marital status, national, ethnic or social
origin, colour, sexual orientation, age, physical or mental
health, well-being, disability, religion, conscience, belief,
culture, language and birth of the person;
(b) information relating to the education or the medical,
financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address,
physical address, telephone number or other particular
assignment to the person;

6. PERSONAL INFORMATION …
(d) the blood type or any other biometric information of
the person;
(e) the personal opinions, views or preferences of the
person;
(f) correspondence sent by the person that is implicitly
or explicitly of a private or confidential nature or further
correspondence that would reveal the contents of the
original correspondence;
(g) the views or opinions of another individual about
the person; and
(h) the name of the person if it appears with other
personal information relating to the person or if the
disclosure of the name itself would reveal information
about the person.

7. CONDITIONS FOR LAWFUL PROCESSING (8
PRINCIPLES)
Principle 1:
Accountability
The responsible party must ensure that the
[principles] conditions and all the measures
that give effect to [the principles] such
conditions, are complied with.

8. PROCESSING LIMITATION (2)
Lawful, minimal (adequate, relevant and not excessive)
Only if –
the data subject consents to the processing;
processing is necessary to carry out actions for the conclusion
or performance of a contract to which the data subject is
party;
processing complies with an obligation imposed by law on
the responsible party;
processing protects a legitimate interest of the data
subject;
processing is necessary for the proper performance of a
public law duty by a public body; or
processing is necessary for pursuing the legitimate interests
of the responsible party or of a third party to whom the
information is supplied.

9. PROCESSING LIMITATION (2)
Personal information must be collected directly from the data
subject, unless -
the information is public;
the data subject has consented to the collection of the
information from another source;
collection of the information from another source would not
prejudice a legitimate interest of the data subject;
collection of the information from another source is necessary—
to avoid prejudice to the maintenance of the law by any
public body; to comply with an obligation imposed by law;
for the conduct of proceedings in any court or tribunal that
have commenced or are reasonably contemplated; in the
[legitimate] interests of national security; or to maintain
the legitimate interests of the responsible party or of a third
party to whom the information is supplied; compliance would
prejudice a lawful purpose of the collection; or compliance is
not reasonably practicable in the circumstances of the
particular case.

10. PURPOSE SPECIFICATION (3)
Personal information must be collected for a specific,
explicitly defined and lawful purpose related to a
function or activity of the responsible party.
Steps must be taken to ensure that the data subject is aware
of the purpose of the collection of the information
Records of personal information must not be retained any
longer than is necessary for achieving the purpose for which
the information was collected or subsequently processed,
unless—
(a) retention of the record is required or authorised by law;
(b) the responsible party reasonably requires the record for
lawful purposes related to its functions or activities;
(c) retention of the record is required by a contract between
the parties thereto; or
(d) the data subject has consented to the retention of the
record.

11. FURTHER PROCESSING LIMITATION (4)
Further processing of personal information must be in
accordance or compatible with the purpose for which it was
collected
To assess whether further processing is compatible with the
purpose of collection, the responsible party must take account
of—
the relationship between the purpose of the intended further
processing and the purpose for which the information has
been collected;
the nature of the information concerned;
the consequences of the intended further processing for the
data subject;
the manner in which the information has been collected; and
any contractual rights and obligations between the parties.

12. INFORMATION QUALITY (5)
The responsible party must take reasonably
practicable steps to ensure that the personal
information is complete, accurate, not
misleading and updated where necessary.
In taking the steps referred to the responsible
party must have regard to the purpose for
which personal information is collected or
further processed.

13. OPENNESS(6)
Must notify the Regulator
The responsible party must take reasonably practicable steps to
ensure that the data subject is aware of—
the information being collected; the name and address of the
responsible party; the purpose ; whether or not the supply of
the information by that data subject is voluntary or mandatory;
the consequences of failure to provide the information; any
particular law authorising requiring the collection of the
information; and further information such as the—
recipient or category of recipients of the information;
nature or category of the information; and
existence of the right of access to and the right to rectify the
information collected,
which is necessary, having regard to the specific circumstances
in which the information is or is not to be processed, to enable
processing in respect of the data subject to be reasonable.

14. OPENNESS(6)
The steps must be taken—
if the personal information is collected directly from the
data subject, before the information is collected, unless
the data subject is already aware of the information
referred to in that subsection; or
in any other case, before the information is collected or
as soon as reasonably practicable after it has been
collected.

15. OPENNESS(6)
It is not necessary for a responsible party to take the steps
required if—
the data subject has provided consent;
non-compliance would not prejudice the legitimate interests of
the data subject;
non-compliance is necessary—
to avoid prejudice to the maintenance of the law by any
public body ;to enforce a law imposing a pecuniary penalty;
to enforce legislation concerning the collection of revenue
as defined in section 1 of the South African Revenue
Service Act, 1997 (Act No. 34 of 1997);for the conduct of
proceedings in any court or tribunal that have been
commenced or are reasonably contemplated; or in the
interests of national security; compliance would prejudice a
lawful purpose of the collection; compliance is not
reasonably practicable in the circumstances of the particular
case; or the information will not be used in a form in
which the data subject may be identified; or be used for
historical, statistical or research purposes.

16. SECURITY SAFEGUARDS (7)
A responsible party must secure the integrity of
personal information in its possession or under its
control by taking appropriate, reasonable technical and
organisational measures to prevent—
loss of, damage to or unauthorised destruction of
personal information; and
unlawful access to or processing of personal
information.

17. SECURITY SAFEGUARDS (7)
The responsible party must take reasonable measures to—
identify all reasonably foreseeable internal and external risks
to personal information in its possession or under its control;
establish and maintain appropriate safeguards against the
risks identified;
regularly verify that the safeguards are effectively
implemented; and
ensure that the safeguards are continually updated in
response to new risks or deficiencies in previously
implemented safeguards.
The responsible party must have due regard to generally
accepted information security practices and procedures which
may apply to it generally or be required in terms of specific
industry or professional rules and regulations.

18. Operators
A responsible party must ensure that an operator which
processes personal information for the responsible party
establishes and maintains security measures (a person who
processes personal information for a responsible party
in terms of a contract or mandate, without coming
under the direct authority of that party)
The processing of personal information by an operator on
must be governed by a written contract between the operator
and the responsible party, which requires the operator to
establish and maintain confidentiality and security measures
to ensure the integrity of the personal information.
If the operator is not domiciled in the Republic, the
responsible party must take reasonably practicable steps to
ensure that the operator complies with the laws, if any,
relating to the protection of personal information of the
territory in which the operator is domiciled.

19. Notification of security compromises
Where there are reasonable grounds to believe that the
personal information of a data subject has been
accessed or acquired by any unauthorised person, the
responsible party, or any third party processing
personal information under the authority of a
responsible party, must notify the—
Regulator; and
data subject, unless the identity of such data subject
cannot be established.

20. DATA SUBJECT PARTICIPATION (8)
A data subject has the right to—
request a responsible party to confirm, free of charge,
whether or not the responsible party holds personal
information about the data subject; and
request from a responsible party the record or a
description of the personal information about the data
subject held by the responsible party, including
information about the identity of all third parties, or
categories of third parties, who have, or have had,
access to the information—
(i) within a reasonable time;
(ii) at a prescribed fee, if any;
(iii) in a reasonable manner and format; and
(iv) in a form that is generally understandable.

21. DATA SUBJECT PARTICIPATION (8)
A data subject may request a responsible party to—
correct or delete personal information about the data
subject in its possession or under its control that is
inaccurate, irrelevant, excessive, out of date,
incomplete, misleading or obtained unlawfully; or
destroy or delete a record of personal information about
the data subject that the responsible party is no longer
authorised to retain.
A responsible party must—
(a) correct the information; or
(b) destroy or delete the information

22. UNSOLICITED ELECTRONIC COMMUNICATION
The processing of personal information for the purpose of
direct marketing by means of any form of electronic
communication is prohibited unless the data subject
has given consent to the processing, or is a customer of
the responsible party.
A responsible party may approach the data subject (not
the customer) once in order to obtain the consent.
“Consent” means any voluntary, specific and informed
expression of will in terms of which a data subject agrees
to the processing of personal information relating to him
or her.
Opt-in provisions are arguably more protective of a data
subject’s rights than opt-out provisions. Responsible
parties should make use of both options to make sure
that the data subject understands and knows what he or
she is consenting and objecting to.

23. UNSOLICITED ELECTRONIC COMMUNICATION
If a customer, may process –
if the responsible party has obtained the contact details of
the data subject in the context of the sale of a product or
service;
for the purpose of direct marketing of the responsible
party’s own similar products or services; and
if the data subject has been given a reasonable
opportunity to object, free of charge and in a manner free
of unnecessary formality, to such use of his, her or its
electronic details—
at the time when the information was collected; and
on the occasion of each communication with the data
subject for the purpose of marketing if the data subject
has not initially refused such use.

24. UNSOLICITED ELECTRONIC COMMUNICATION
Any communication for the purpose of direct marketing
must contain—
details of the identity of the sender or the person on
whose behalf the communication has been sent; and
an address or other contact details to which the
recipient may send a request that such
communications cease.

25. NON-COMPLIANCE
Any person may submit a complaint to the Regulator
Investigate
Act as conciliator/secure a settlement
Refer to a regulatory body
Enforcement notice
Right of appeal (High Court)
Civil remedies: damages, aggravated damages, interest
and legal costs.

26. OFFENCES
Failure to comply with enforcement notice
False statements by witnesses
Penalties: fines and imprisonment
Administrative fine (R1 million)

27. THANK YOU
Ina Meiring
March 2012
Nothing in this presentation should be construed as formal
legal advice from any lawyer or this firm. Readers are
advised to consult professional legal advisors for guidance
on legislation which may affect their businesses.
© 2011 Werksmans Incorporated trading as Werksmans
Attorneys. All rights reserved.