REMEMBER THE POPIA PRINCIPLES AND CONDITIONS WHICH APPLY TO A RESPONSIBLE PARTY…………..
In terms of POPIA, all persons (Responsible Parties) who process another person’s personal information (Data Subject) are compelled to comply with POPIA
THREE KEY AREAS TO CONSIDER SERIOUSLY:
Furthermore, in terms of section 18 of POPIA
(1) If Personal Information is collected, the Responsible Party must take reasonably practicable steps to ensure that the Data Subject is aware of—
(a) the information being collected and where the information is not collected from the Data Subject, the source from which it is collected;
(b) the name and address of the Responsible Party;
(c) the purpose for which the information is being collected;
(d) whether or not the supply of the information by that Data Subject is voluntary or mandatory;
(e) the consequences of failure to provide the information;
(f) any particular law authorising or requiring the collection of the information;
(g) the fact that, where applicable, the Responsible Party intends to transfer the information to a third country or international organisation and the level of protection afforded
to the information by that third country or international organisation;
(h) any further information such as the—
(i) recipient or category of recipients of the information;
(ii) nature or category of the information;
(iii) existence of the right of access to and the right to rectify the information collected;
(iv) existence of the right to object to the processing of Personal Information as referred to in section 11(3);
(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the Data Subject to be reasonable.
(2) The steps referred to in subsection (1) must be taken—
(a) if the Personal Information is collected directly from the Data Subject, before the information is collected, unless the Data Subject is already aware of the information referred to in that subsection; or(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
This detail is housed under a document known as a “Processing Notice”. This section 18 legal requirement has to be performed by the Responsible Party.
……. AND THE RIGHTS OF THE DATA SUBJECT
In turn, a Data Subject, as per their Constitutional right to privacy, is given certain rights under POPIA, namely the right not to have his or her or its personal information used without their knowledge or in an unlawful manner.
In terms of section 11 of POPIA, headed “Consent, justification and objection”, a Data subject is not required to give consent to the processing of its Personal Information, if:
11 (1)
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the data subject;
(e) processing is necessary for the proper performance of a public law duty by a public body;
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Where consent is required, this does not have to be in the form of a contract, as consent it is defined as being “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
One should also note that in terms of section 11, a data subject may withdraw his, her or its consent, as referred to in subsection 11 (1) (a) at any time or in the case of processing carried out as per section (b)- (f) may object, at any time, to the processing of personal information in the prescribed manner, to such processing or use, unless legislation provides for such processing.
Taking these sections under consideration, we are therefore of the view that, before a Responsible Party processes a Data Subject’s personal Information, the Responsible Party has to provide a data subject with a notice setting out:
- the information being collected including the nature or category of the information;
- where the information is not collected from the data subject, the source from which it is collected;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
- recipient or category of recipients of the information;
- nature or category of the information;
- the existence of the right of access to and the right to rectify the information collected;
- the existence of the right to object to the processing of personal information as referred to in section 11(3); and
- the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator
Regarding consent, we again are of the opinion that consent does not have to be obtained if the processing is done in order to:
- conclude and manage a contract;
- comply with a law or legal obligation or public duty;
- to protect or pursue at the responsible Parties, Data Subject or a Third parties, legitimate interest.
Looking at the various reasons why an organisation ordinarily processes another’s personal information, 99% of the time, such reasons, we believe will be for contractual, legal or legitimate interest purposes.
As result, consent which can be obtained by way of an action or indication (known as implied consent) or which can be given by applying a wet ink physical signature to a document or a tick to a box, (known as express consent) is only needed when the above cannot be shown.
In summary we are of the opinion that consent from data subjects, by way of a written signed physical document is not a requirement, and one can process a data subjects’ personal information, in most cases, without consent, so long as the data subject has been made away of the processing activities under the Processing Notice, which is required under Section 18 of POPIA.
We are also of the view that there is no legal requirement or obligation to obtain express consent from a Data Subject to processing its special personal information, in the form of a wet ink signature.
Have you performed your obligation as a Responsible Party under section 18 of POPIA.
Have you the required Processing Notices in Place?
If not- we can help.
Implementing POPIA is not an easy task. The Legal Team can assist you with your POPIA requirements by supplying you with Generic or Customised Templates. Please contact us for further information should you need any assistance. |