South Africa - Data Protection Overview

September 2019

1. THE LAW

1.1. Key Acts, Regulations, Directives, Bills

The Constitution of the Republic of South Africa guarantees the right to privacy. Additionally, certain provisions within the Electronic Communications and Transactions Act, 2002 ('ECTA') regulate the electronic collection of personal information, although compliance with these provisions is voluntary.

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. POPIA is wide in application and will, subject to certain exclusions detailed therein, impact all persons processing personal information. The Act will commence on a date to be determined by the President by proclamation in the Government Gazette. Different dates of commencement may be determined in respect of different provisions of POPIA. Certain sections of POPIA, on the proclamation by the President of the Republic of South Africa, came into effect as of 11 April 2014. The provisions of POPIA which came into effect relate to the definitions section under POPIA and to the establishment of the office of the Information Regulator (as well as its powers, duties and functions). On 26 October 2016, the office bearers of the Information Regulator (effective from 1 December 2016 for a period of five years) were officially appointed, and the Information Regulator held its inaugural meeting on 1 December 2016. Advocate Pansy Tlakula has been appointed as the chairperson of the Information Regulator.

Responsible parties (as defined below) will have 12 months from the commencement date of POPIA to become fully compliant with the legislation. A responsible party may, however, in terms of Section 114(2) of POPIA, be granted an extended grace period not exceeding three additional years if such responsible party is granted such extension (upon request) by the Minister in consultation with the Information Regulator.

Data privacy must also be considered from the perspective of consumer protection law as the Consumer Protection Act, 2008 ('CPA'), which was enacted in 2011, applies to the direct marketing of goods and services to consumers. The provisions under the CPA on direct marketing and unsolicited communications may overlap with the provisions under POPIA when it becomes fully effective.

1.2. Guidelines

In accordance with its powers under POPIA, the Information Regulator published, in December 2018, the Protection of Personal Information Act, 2013 (Act No. 4 Of 2013): Regulations Relating to the Protection of Personal Information ('the Regulations'). The Regulations are mainly administrative in nature and prescribe a number of forms to be used in order to take certain types of action under POPIA including:

  • the manner in which an objection to the processing of personal information can be made (Section 2 of the Regulations);

  • requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information (Section 3 of the Regulations);

  • duties and responsibilities of information officers (to be appointed by each responsible party), which includes obligations relating to impact assessments to be undertaken (Section 4 of the Regulations);

  • applications for the Information Regulator to issue industry codes of conduct (Section 5 of the Regulations);

  • the manner in which consent is requested for processing of personal information for direct marketing by means of unsolicited electronic communications (Section 6 of the Regulations);

  • submission of complaints or grievances (Section 7 of the Regulations);

  • the Information Regulator acting as a conciliator during an investigation (Section 8 of the Regulations);

  • the notification requirements of the Information Regulator to provide notification and information to all affected parties to a complaint/investigation (Section 12 of the Regulations); and

  • the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so (Section 11 of the Regulations).

The Regulations also provide for various prescribed forms which are required to be utilised when requests or complaints are submitted.

1.3. Case Law

In light of the fact that POPIA is not yet fully operational, there has not yet been any reported case law in terms of which a litigant has based a claim on POPIA. Regardless of this fact, however, POPIA will impose onerous obligations on responsible parties and it is, therefore, anticipated that a plethora of case law will develop rapidly once POPIA is fully in operation.

2. SCOPE OF APPLICATION

2.1. Who do the laws/regs apply to?

POPIA applies to the processing (widely defined under POPIA to include collection, recording, organising, collating, distributing, modifying, storing, using and destruction) of personal information by a responsible party (being a public or private body or any other person which alone or together with others determines the purpose and means for processing). It will apply not only to responsible parties domiciled in South Africa but also responsible parties outside of South Africa that use means to process in South Africa (unless such means are only used to forward the information through South Africa).

2.2. What types of processing are covered/exempted?

All processing of personal information is covered by POPIA; however, it does not apply to personal information processing:

  • as a purely personal or household activity;

  • by or on behalf of a public body where it involves national security or where its purpose is to prevent or detect unlawful activities (provided that alternative legislation relevant to such activities provides for safeguards to protect personal information);

  • by the Cabinet and its committees or the Executive Council of a province;

  • relating to a court's judicial functions; and

  • which is solely for the purpose of journalistic, literary or artistic expression.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

POPIA introduces and provides for the establishment of an independent supervisory authority, namely the Information Regulator, specifically established for the purpose of data protection.

3.2. Main powers, duties and responsibilities

The Information Regulator is responsible for the oversight and enforcement of POPIA, and has wide-ranging powers and responsibilities, including in relation to:

  • facilitating education, training and awareness on data protection;

  • monitoring and enforcing compliance with POPIA;

  • consulting with any interested parties on data protection;

  • handling complaints from data subjects and/or other parties in relation to data protection;

  • research regarding privacy and data protection;

  • issuing codes of conduct; and

  • facilitating cross border cooperation in the enforcement of privacy laws.

Any person may, either orally or in writing (although oral submissions are to be converted to writing as soon as reasonably practicable), submit a complaint to the Information Regulator in the event of alleged interference. POPIA provides that, after receipt of a complaint, the Information Regulator is obliged to investigate the complaint, act as a conciliator where appropriate and take further action as contemplated by POPIA. In exercising its investigative powers, the Information Regulator may, inter alia, summon and enforce the appearance of persons, compel the provision of written or oral evidence under oath, receive evidence irrespective of whether such evidence is admissible in a court of law, and enter and search any premises occupied by a responsible party. Where necessary, the Information Regulator may apply to a judge of the High Court or a magistrate to issue a warrant to enable the Information Regulator to enter and search premises.

4. KEY DEFINITIONS | BASIC CONCEPTS

Personal Data: 'Personal information' is defined broadly in POPIA to include information relating to both an identifiable, living, natural person, and where applicable, an identifiable juristic person or legal entity, and includes:

  • information about a person's race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth;

  • information relating to the education, medical, financial, criminal or employment history of the person;

  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

  • the biometric information of the person;

  • the personal opinions, views or preferences of the person;

  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

  • the views or opinions of another individual about the person; and

  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Sensitive Data: POPIA provides for a separate category of information called 'special personal information' which includes all information relating to a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour. POPIA also specifically regulates the personal information of children.

Data Controller: POPIA distinguishes between a 'responsible party' and an 'operator', and this distinction can be reconciled with the definitions typically attributed to a data controller and data processor, respectively. A responsible party is a public or private body that determines the purpose and means for processing personal information of a data subject.

Data Processor: An 'operator' is a party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party.

Data Subject: POPIA defines a 'data subject' as any party to whom personal information relates.

5. NOTIFICATION | REGISTRATION

5.1. Requirements and brief description

No registration or notification requirements for the processing of personal information are prescribed by POPIA other than prior authorisation with regard to certain limited categories of processing under Section 57 of POPIA, which relates to the cross-border transfer of special personal information or personal information concerning children.

6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES

The rights and responsibilities of a responsible party are not separately specified, and are incorporated in relation to the information protection conditions, in terms of which responsible parties may process (which includes collecting) personal information where inter alia:

  • the information protection conditions are met;

  • the processing is performed in a reasonable manner that does not infringe the data subject's privacy and is for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party;

  • the data subject has been made aware of, inter alia, the nature of the information being collected, the identity of the responsible party and the purpose of the collection of the information;

  • in relation to processing, such processing is adequate, relevant and not excessive;

  • the data subject has consented thereto, or the processing is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects a legitimate interest of the data subject, or is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied;

  • the personal information is collected directly from the data subject (unless the information has been made public by the data subject, the data subject has consented to collection from another source, the data subject's interests would not be prejudiced by the collection, the collection is necessary per the grounds contemplated in POPIA, the lawful purpose of the collection would be prejudiced or compliance is not reasonably practicable);

  • the data subject will continue to have access to the personal information (subject to certain exemptions); and

  • the responsible party has taken appropriate technical and organisational measures to safeguard the security of the information.

7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES

POPIA contemplates that a responsible party retains ultimate accountability for an operator and must ensure that an operator or anyone processing personal information on behalf of a responsible party must:

  • only do so with the knowledge or authorisation of the responsible party; and

  • treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures as prescribed under POPIA.

POPIA prescribes that an operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

8. DATA CONTROLLER AND PROCESSOR AGREEMENTS

There are no data controller or data processor agreement rights under POPIA. However, please note that there are operator obligations.

9. DATA SUBJECT RIGHTS

Under POPIA, personal information may only be processed if the data subject (or a competent person where the data subject is a child) expressly consents to the processing of the personal information, unless the exclusions with regard to consent apply. The consent of the data subject is not required where the processing of personal information:

  • is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;

  • complies with an obligation imposed by law on the responsible party;

  • protects a legitimate interest of the data subject;

  • is necessary for the proper performance of a public law duty by a public body; and

  • is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

It is to be noted that a data subject may withdraw his/her consent at any time.

POPIA also contemplates the collection of personal information directly from the data subject, except in some instances, for example, where the information is already contained in, or derived from, a public record, or has deliberately been made public by the data subject, or where collection of the information from another source would not prejudice a legitimate interest of the data subject.

POPIA allows a data subject the right to request that a responsible party correct or delete personal information that is inaccurate, irrelevant and excessive, or which the responsible party is no longer authorised to retain.

10. DATA PROTECTION OFFICER

10.1. DPO – compulsory appointment (yes/no)

It is compulsory to appoint an Information Officer.

The Information Officer, in relation to a private body, is defined as the head of a private body, as contemplated in Section 1 of the Promotion of Access to Information Act, 2000 (Section 1 of POPIA).

10.2. Requirements

POPIA provides for the appointment of Information Officers in respect of both public and private bodies.

The Information Officers will be responsible for encouraging compliance with the provisions of POPIA, dealing with any requests made to that body, and cooperating with the Regulator in respect of any investigations by the Regulator in relation to that body. An Information Officer may delegate its responsibilities to a Deputy Information Officer under POPIA.

The Information Regulator is empowered to make further regulations regarding the responsibilities of Information Officers in the future.

11. DATA BREACH NOTIFICATION

11.1. General obligation (yes/no)

There is a general data breach notification obligation under POPIA.

11.2. Sectoral obligations

No sectoral breach notifications are applicable at this stage under POPIA. Under POPIA, where there are reasonable grounds to believe that a data subject's personal information has been accessed or acquired by an unauthorised person, the responsible party, or any third party processing personal information under the authority of the responsible party, must notify the Information Regulator and the data subject thereof, unless the identity of the data subject cannot be established. Notification to the data subject must be:

  • made as soon as reasonably possible after the discovery of the breach;

  • sufficiently detailed; and

  • in writing and communicated to the data subject by mail (to the data subject's last known physical or postal address), email to the data subject's last known email address, placement in a prominent position on the website of the responsible party, publication in the news media, or as may be directed by the Information Regulator.

The notification must include such detail as to allow the data subject to take protective measures.

A responsible party may be directed by the Regulator to publicise the breach where the Information Regulator has reasonable grounds to believe that such publicity would protect the data subject.

12. SANCTIONS

The Information Regulator is responsible for the investigation and enforcement of POPIA.

Any person who hinders, obstructs or unlawfully influences the Information Regulator, fails to comply with an information or enforcement notice, gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation, contravenes the conditions insofar as they relate to the processing of an account number (i.e. unique identifier) of a data subject, or who knowingly or recklessly, without the consent of the responsible party, obtains or discloses (or procures the disclosure of), sells or offers to sell an account number of a data subject to another person, is guilty of an offence. On conviction, such a person is liable to a fine or imprisonment (or both) for a period of no longer than ten years, or, in respect of the other offences created by POPIA, to a fine or imprisonment for a period not exceeding 12 months (or both). Currently, the maximum fine which may be imposed is ZAR 10 million (approx. €684,710), although this may change once further/final regulations are promulgated. Responsible parties have a right of appeal against a decision of the Information Regulator, and a data subject has the right to institute a civil action for damages in a court against a data controller for breach of any provision of POPIA.

13. ADDITIONAL RELEVANT TOPICS

13.1. Data Transfers and Outsourcing

POPIA provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign jurisdiction unless:

  • the recipient is subject to a law or contract which:

    • upholds principles of reasonable processing of the information that are substantially similar to the principles contained in POPIA; and

    • includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties;

  • the data subject consents to the transfer;

  • the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;

  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject;

  • it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

  • if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

13.2. Employment

The general provisions under POPIA will apply equally to any personal information processed as part of a data subject's employment. POPIA does specifically include a data subject's employment history within the definition of personal information.

13.3. Data Retention

The retention of records specified under applicable legislation will apply by operation of law. The trigger for the application of data retention requirements will therefore depend on the activities conducted by a responsible party.

Under POPIA, the data retention provisions will apply to all responsible parties who are responsible for collecting, processing, transferring and using employee, customer or supplier information.

In terms of POPIA, records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

  • retention of the record is required or authorised by law;

  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;

  • retention of the record is required by a contract between the parties thereto; and

  • the data subject or a competent person, where the data subject is a child, has consented to the retention of the record.

Notwithstanding the above exceptions, records of personal information may be retained for periods in excess of those mentioned for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.

13.4. Electronic Marketing

The CPA deals with a consumer's right to restrict unwanted direct marketing, while the ECTA regulates unsolicited electronic communications.

Under the CPA, consumers have the right to pre-emptively block any direct marketing. Any consumer who has been sent any marketing communication may demand that the persons responsible for initiating the communication desist from sending any further communication to them. The ECTA has similar provisions and specifically requires that each electronic message be accompanied by an option to cancel (i.e. opt-out) a subscription to a mailing list and also requires the sender of the message to provide specific identifying information, including name and contact information.

Under POPIA, data subjects have certain rights with respect to unsolicited electronic communications (i.e. direct marketing by means of automatic calling machines, facsimile machines, SMSs or emails). The processing of a data subject's personal information for the purposes of direct marketing is prohibited, unless the data subject has given its consent or the email recipient is a customer of the responsible party. The responsible party must have obtained the details of the data subject through sales of a product or service and the marketing should relate to similar products or services of the responsible party. The data subject must be given a reasonable opportunity to object to the use of its personal information for marketing each time the responsible party communicates with the data subject for marketing purposes.

POPIA also prohibits automated processing of personal information where the data subject will be subjected to a decision which has legal consequences for the data subject or which affects the data subject to a substantial degree. There are certain exceptions to this prohibition.

14. OTHER SPECIFIC JURISDICTIONAL ISSUES

Not applicable.