Prior Authorisation

The Protection of Personal Information Act 4 of 2013 (“POPIA“) requires that a responsible party obtain prior authorisation for certain processing of personal information where the specific processing of certain personal information is likely to cause a higher risk to the data subject. 

Unless exempt, a responsible party must apply for prior authorisation in the following instances:

  • Processing of unique identifiers. Where the responsible party processes a unique identifier for a purpose other than the purpose specifically intended at collection of the identifier AND with the aim of linking the information with information processed by other responsible parties. 

Unique identifiers include for example any account numbers; policy number; identity number; employee number; student number; or unique reference number.

  • Criminal, unlawful or objectionable behaviour. Where the responsible party processes information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties.

For example, where the responsible party is a company that carries out background check services on behalf of their clients.

  • Credit reporting. Where the responsible party processes personal information for credit reporting purposes. 

For example, credit bureaus and other persons processing information for credit reporting purposes. 

  • Cross border transfers of special and children’s personal information. Where special or children’s personal information is transferred to a third party in a country that does not have adequate data protection laws. The current position is that the Information Regulator requires responsible parties to make a determination as to whether the country in which the third party is located has adequate laws and, for those countries that do not have adequate laws, to apply for authorisation to transfer the personal information to them (which transfers must be subject to contractual safeguards).
  • As further determined by the Regulator. The Information Regulator may determine that certain categories or types of information processing carries a particular risk for the legitimate interests of the data subject, in which case, a responsible party will need to apply for prior authorisation in respect of such information processing.

Unless a code of conduct has been published by the Information Regulator in respect of specific processing that is subject to prior authorisation, a responsible party will need to apply for prior authorisation to continue processing personal information that falls within the above categories of information / processing.  To date, the Credit Bureau Association has applied for a code of conduct for the processing by credit bureaus of personal information for credit reporting purposes. 

For most clients, the categories of processing that may be particularly applicable are the processing of unique identifiers, processing for credit reporting purposes and the cross border transfer of special and children’s personal information (for example, where medical information is processed for insurance purposes and transferred to countries without adequate data protection laws, most notably the USA).

Where a responsible party is required to apply for prior authorisation in terms of section 58(1), the Act requires that the responsible party must suspend its processing of the personal information subject to the prior authorisation application once the application has been submitted and until the Information Regulator has approved the application or found that prior authorisation is not necessary. Section 58(1) will however only become effective from 1 February 2022, so responsible parties will not need to suspend their processing for applications submitted before 1 February 2022; but if the Regulator has not finalised its consideration of the application by then, the position in law is that the responsible party will be required to suspend processing from 1 February 2022.

Get in touch if you would like to discuss whether your processing may be subject to a prior authorisation application, and if you have any other questions about the implications of these provisions of POPIA.

The importance and value of a privacy policy

The Protection of Personal Information Act 4 of 2013 (“POPIA“) has been effective since 1 July 2021, meaning that compliance with the Act is now required. The focus of this post is on the value of a privacy policy/notice and how it can help you comply with your POPIA obligations when processing personal information. One of the obligations that POPIA places on a responsible party processing personal information is to inform data subjects about their rights in respect of their personal information and how and why the responsible party is processing their personal information (section 18). A privacy policy (referred to in some jurisdictions as a privacy notice) is a tool widely used to comply with this notification obligation. In this blog, we discuss some of the aspects that are important to include in your privacy policy.

What personal information you are collecting. It is important to inform the data subject what personal information of theirs you are collecting and processing, and whether you are collecting that information directly from them or from another source. The definition of personal information has a very broad ambit, and in South Africa, personal information includes information of both individuals and juristic persons.  Personal information includes, amongst others, name, identity or registration number, contact details, IP addresses and cookies, payment information, views and opinions and children’s or special (such as medical information and fingerprints) personal information. 

Why you are collecting and processing the personal information. The data subject must be informed for what purpose you are collecting the information – for example, identifying and contact information to create and manage an account with the data subject, address to deliver the goods that the data subject is ordering, consent records for purposes of sending marketing communications, etc.  

The responsible party also needs to inform the data subject whether the information that is being supplied is being provided voluntarily or whether it is mandatory to provide that information, and what the consequences are for not providing the information. 

Disclosure of personal information. Many responsible parties will need to disclose personal information of their customers to third parties for various purposes, and a privacy policy can be used to inform the data subject of the general reasons why their information might be shared. For example, an online retailer might make use of a third party delivery service to deliver goods, and will need to share contact information and addresses with the delivery service. Our view is that a privacy policy need not set out the specific third parties with whom information is shared and what information is shared with each party, but it should inform the data subject of the general reasons why information might need to be shared. The privacy policy should also inform data subjects when information is shared cross border (i.e. outside of SA) and assure the data subject that the recipient of the information complies with the minimum POPIA requirements.

Data subject rights. The responsible party will also need to inform the data subject about his/her/its rights in respect of the personal information. These rights include the right to object to or restrict processing, right to erasure of personal information, right to request that information is corrected or updated and to request access to the personal information held by the responsible party. 

Complaints. Data subjects have the right to lodge a complaint about the processing of their personal information with the Information Regulator, and a privacy policy should set out the contact details of the Information Regulator. This section of the privacy policy can also be used to request that data subjects first approach you with any complaints that they may have before approaching the Regulator. 

Conclusion. Please get in touch with us if you have questions regarding your POPIA compliance in general, whether your privacy policy is POPIA compliant or if you require a privacy policy, and whether you may also need to comply with data protection laws prescribed in other jurisdictions (such as the GDPR).

Your service agreements, The CPA and ECTA

Following on from a previous article on service agreement essentials, this article considers some of the important provisions of the Consumer Protection Act 68 of 2008 (“CPA“) and the Electronic Communications and Transactions Act 25 of 2002 (“ECTA“) that will likely apply when your customer qualifies as a ‘consumer’ (in terms of consumer laws). These should be carefully considered when preparing your service agreement, customer policies or terms and conditions.

A CPA ‘consumer’ is an individual or juristic person (company or CC) with an asset value or annual turnover that does not exceed R 2 000 000, and the CPA usually applies to all transactions between suppliers and consumers. ECTA applies to electronic transactions and does not differentiate between individuals and juristic persons, so applies to both. Unless an agreement is specifically excluded from the ambit of the CPA and/or ECTA, these acts will apply wherever the customer is a ‘consumer’. In our view, some of the important provisions of the CPA and ECTA to bear in mind when contracting with consumers and preparing your service agreements are sections 14 (Expiry and renewal of fixed-term agreements) and 17 (Consumer’s right to cancel advance reservation, booking or order) of the CPA, and sections 42 (Scope of application) and 44 (Cooling-off period) of ECTA.

If a transaction is concluded electronically, and ECTA applies, the supplier will also need to comply with other ECTA obligations. These include providing the consumer with certain information set out in section 43. This calls for the disclosure of certain information about the supplier and requires the supplier to provide the consumer with an opportunity to review the entire transaction and costs and withdraw from the transaction before placing the final order. For online transactions, systems therefore need to enable this.

Returns and cooling off rights (for non-defective goods and services)

A cooling off right allows a consumer to return goods or cancel an order for services without reason where the consumer has simply changed his/her mind. Consumers have a “cooling off” right, but only in the following circumstances:

  • For sales that are not concluded online, there is a 5 day cooling off period for sales resulting from direct marketing. This means that the supplier directly approached the customer to sell him/her the goods and the customer bought the goods as a result of the direct marketing. This is a right in terms of section 16 of the CPA and allows the consumer to return the goods within 5 business days of delivery or cancel the transaction within 5 business days after it was concluded.
  • If an online sale, ECTA provides a 7 day cooling off period (and there is no direct marketing requirement as per the CPA), but there are some exceptions to this cooling off right and not all goods/services can be returned. For services, the cooling off right lapses as soon as the services are used, and certain other transactions are also excluded from the cooling off right including certain financial services, auctions, consumable foods, customised goods, software that has been unsealed by the consumer, newspapers, periodicals, magazines and books, gaming and lottery transactions (see section 42(2) of ECTA).

In these cases, the customer has the right to a full refund when returning the goods within the prescribed period, but the customer will have to pay the costs associated with returning the goods to the supplier.

It is important to remember that the return policies of suppliers and retailers generally provide extended rights to consumers. If the consumer is returning goods outside his/her CPA/ECTA rights, then the terms of the return policy of the supplier will apply and both the consumer and the supplier will need to comply with those terms. This means that if, as the supplier, you offer better return rights than those provided for in the CPA/ECTA, you will be bound by the more generous terms offered in your returns policy.

Cancellation fees and deposits 

Section 17 provides that a supplier may require a deposit to be paid for an advance booking, reservation or an order for goods or services that will be supplied at a future date, and furthermore that a supplier may charge a reasonable cancellation penalty if the consumer cancels the advance booking, reservation or order. What is reasonable depends on the circumstances, but the cancellation penalty will be unreasonable where it exceeds a fair amount. To determine what is fair in the circumstances, the supplier must consider the nature of the booked goods or services, the length of notice, the potential to find an alternative customer and general industry practice.

Fixed term agreements

Fixed term contracts are very common and often a valuable mechanism that can be used by a supplier to ensure guaranteed income for a minimum period. These agreements are subject to the terms set out in section 14 of the CPA, which requires both suppliers and consumers to comply with specific requirements regarding the maximum term of the agreement, termination (before the agreed term ends), notice periods and cancellation fees.

The maximum duration of a fixed term agreement is 24 months; however, this term can be extended where the additional period is to the consumer’s financial benefit. A common example of this is a cell phone contract that extends over 36 months, thereby allowing the consumer a longer period to pay for the device.

A consumer may cancel a fixed-term agreement on the expiry of the agreement without penalty (the consumer will remain liable to the supplier for any amounts owed to the supplier under the agreement until the date of cancellation), or at any other time (during the fixed term) by giving the supplier 20 business days’ notice. Where the agreement is cancelled before the end of the fixed term, the supplier may charge the consumer a reasonable cancellation penalty. A cancellation penalty must be reasonable and must not have the effect of negating the consumer’s right to cancel the fixed term agreement. The regulations to the CPA set out a list of aspects that must be considered when determining what a reasonable cancellation penalty would be.

A supplier may also cancel a fixed term agreement, but only if the consumer has breached the agreement. If the agreement has been breached (for example, the consumer hasn’t paid the monthly fee), the supplier must give the consumer written notice that the agreement will be cancelled if the consumer does not remedy the breach (pay the monthly fee) within 20 business days. In that case, the consumer will still be liable to the supplier for any amounts owed to the supplier at the date of cancellation.

If you have a fixed term agreement, you will also need to consider section 14 if your agreement automatically renews for additional fixed terms or continues on a month to month basis after the initial fixed term ends.

*Importantly, section 14 of the CPA does not apply to fixed term agreements where the consumer is a juristic person, regardless of the annual turnover or asset value of the juristic person.

Conclusion

The above sections of the CPA and ECTA are only a few of the important aspects to consider when preparing your service agreement, and the pertinent sections will differ depending on your specific business and industry. It is important to make sure that your policies on returns, booking fees and deposits (and when these would be forfeited) are set out clearly and that your customer is aware of and understands these policies. If entering into fixed term agreements, you need to ensure that your cancellation penalty is reasonable and that your customer understands both the implications of them cancelling the agreement prematurely and what will happen at the end of the fixed term.

Get in touch to discuss these aspects and other important CPA and ECTA provisions that may be applicable to your business.

Will marketing be able to stand the test of time?

In a previous life, suppliers could pretty much market as and how they wanted to. They could choose to whom, how, and what they wanted to market. Marketing messages were innovative, interesting and exciting (albeit not always true...).

This changed when a global emphasis on consumer and privacy rights started to emerge. In South Africa the position has not been any different and suddenly suppliers need to start considering complicated legal concepts like a “legitimate interest” when all they want to do is market their goods or services.

Data protection laws, like South Africa’s Protection of Personal Information Act, 4 of 2013 (“POPIA“), the EU’s General Data Protection Regulation, 2016/679 (“GDPR“) and Mauritius’ Data Protection Act, 2017 (“DPA“), all require that a lawful basis exists to use personal information – also for direct marketing.

WHAT IS A LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION?

These lawful bases are generally very similar across the different pieces of legislation in the different countries, and include various grounds, for example:

  • Consent – it seems obvious that if a person agrees to it, then the information may be used.
  • A requirement in law – again obvious that if there is a law that requires you to use information in a certain way, then you must do it – whether the person consents (and likes it) or not.

The most interesting one, though, is the so-called “legitimate interest” of the supplier or of the person whose information it is. In terms of this lawful basis of use, it is lawful for a supplier to use personal information for direct marketing purposes if the marketing is in the legitimate interests of the supplier. This begs the question: what would constitute a legitimate interest, especially considering that it is not defined by the law?

LEGITIMATE INTERESTS

A three stage ‘test’ has been derived from the GDPR:

  1. Purpose – is there a legitimate reason or purpose for the processing? (Potentially yes – the supplier wants to increase sales through marketing).
  2. Necessity – is processing the information necessary for that purpose? (Potentially yes – how else will he increase sales?).
  3. Balance – is the legitimate interest overridden by the interests, rights and freedoms of the data subject? (This is the more difficult one as a balancing act between the supplier and person needs to be considered).

This is unfortunately a rather technical legal approach to the question and will require that the specific facts of each matter be considered before determining whether the legitimate interest justification ground can be relied on.

ADDITIONAL LEGISLATIVE REQUIREMENTS

It is important to take note that in addition to the general justification grounds, specific legislation or provisions may require consent in certain circumstances. If this is the case, it will not be possible for a supplier to rely on the legitimate interest justification ground in all circumstances. An example is section 69 of POPIA which requires consent for electronic direct marketing in certain specified circumstances, for example, if you want to electronically market to someone who is not your customer yet. This means that if the intended marketing falls within the ambit of the section 69 consent requirements, the supplier will not be able to rely on the legitimate interest justification ground and will indeed need to obtain consent before being able to lawfully do the electronic marketing.

CONCLUSION

Sometimes you will need consent to do direct marketing. And sometimes you will be able to rely on your legitimate interests to do direct marketing. Make sure you understand your rights and obligations.

Please get in touch with us if you’d like advice on the specifics covered in this blog post or data protection laws in general. Although we are South African lawyers, we have experience in various data protection laws, including the GDPR, and the data protection acts of Mauritius and Botswana, amongst others.

GDPR: Data processing agreements and binding corporate rules

The General Data Protection Regulation (EU) 2016/679 (“GDPR“) became effective on 25 May 2018 and has a substantial impact on anyone who processes personal data of data subjects (individuals). The scope of the GDPR extends beyond the borders of the European Union (“EU“) and is therefore something that likely impacts most businesses that have an international footprint or clientele in the EU.

The GDPR requires certain rules to be complied with when personal data is processed, in order for the security of the personal data to be maintained and for the protection of the fundamental right to privacy. These rules must be implemented by the data controller (the party that determines the purposes for which, and how, data is processed) throughout the stages of processing, and they require the data controller to ensure that any third party processing the data on behalf of the controller (referred to as a data processor) complies with the rules relevant to it as well.

In any given scenario, there may be multiple parties that act as data controllers and data processors in respect of the same personal data – commonly referred to as joint-controllers and joint-processors. All these parties must still comply with the GDPR, and the two most common manners in which this is done are data processing agreements and binding corporate rules. In this post, we look at these two mechanisms and discuss the differences between them and when each should be used.

Data processing agreements (“DPAs”)

Data processing agreements (“DPAs“) are most commonly used where a data controller appoints a third party to process personal data on behalf of and for the benefit of the controller. The processor is only authorised to process the data on the instructions of the controller and may not use the personal data for its own purposes. Processors are usually third party companies that provide a service to the controller and don’t form part of the group of companies that the controller is part of.

The appointment of data processors is subject to the controller and processor complying with the relevant requirements of the GDPR. The GDPR sets out express requirements that must be met by controllers when appointing processors, including that the processor must be appointed in terms of a written agreement (the DPA), which must include provisions relating to the further requirements that processors must comply with. Some of these include:

  • the purposes for which the data may be processed;
  • the duration of the agreement;
  • limitation of processing to the written instructions of the controller;
  • a duty of confidentiality on the processor in respect of the personal data;
  • duty to take appropriate organisational and technical security measures;
  • the rules regarding the appointment of sub-processors; and
  • liability of the processor in respect of the personal data.

Binding Corporate Rules (“BCRs”)

Binding corporate rules (“BCRs” or “Rules“), although similar to DPAs, regulate the processing of personal data between companies within a group of companies. They are like a code of conduct, allowing multinational companies to transfer data internationally to members of the group that are located in countries that may be considered not to provide an adequate level of data protection. Although some countries in which the members of the group conduct business may have their own data protection laws and requirements in respect of processing personal information, the BCRs aim to ensure that all the companies within a group meet, at a minimum, the standards required by the GDPR (so that the companies falling within the GDPR’s ambit comply with their legislative obligations).

Article 47 of the GDPR sets out the requirements regarding what BCRs must specify, and the Rules that a group of companies develops must be approved by an EU regulatory authority. In brief, BCRs must be legally binding and apply to all members of a group of companies, they must include provisions about the enforceable rights that data subjects have in respect of the processing of their personal data, and they must meet the further requirements of article 47, including:

  • the details of the group of companies;
  • information regarding the data that is transferred, the type of processing that is carried out and the purposes for such processing, and the third countries to which the data is transferred;
  • the data processing and protection principles that are applicable and the rights of data subjects in regard to the processing and protection principles;
  • the duties and tasks of the data protection officer who oversees the group’s compliance with the rules and the GDPR;
  • the complaint process that data subjects may use;
  • how the group of companies trains its employees in respect of the GDPR; and
  • the various requirements in respect of enforcing the rules, reporting on compliance with the rules and cooperation with the various regulatory authorities.

Conclusion

Binding Corporate Rules and Data Processing Agreements have the same broad goal: to ensure compliance with the GDPR when processing personal information where the processing is carried out by more companies than just the data controller. The application of these mechanisms depends on who is carrying out the processing. The territory in which the processing is being done will further impact the substance of these agreements.

It is important, from both a GDPR and POPI perspective, that data protection requirements are adhered to and that businesses make use of the various tools available to them to ensure that they comply with these rules.

Displayed prices differing from actual price – which must I pay?

Recently we have noticed a few retailers displaying notices in their stores stating that even where shelf prices have not been updated to reflect the updated value added tax (“VAT“) rate on certain products (now being 15%), and the shelf display price still reflects VAT to be 14% on that product, consumers will be charged for those products at the new VAT rate of 15% at the till point. In practice it means that the price on display may be R114 but at till point the price would be R115. From a Consumer Protection Act (“CPA“) point of view, this raised a few concerns, the biggest being whether a consumer can be legally obligated to pay a higher price than the price displayed.

The VAT rate increase

For the first time in many years, the VAT rate was increased from 14% to 15% on all taxable goods or services supplied by VAT registered vendors, effective from 1 April 2018. Although the increase is only 1% (which seems like a negligible amount), this will have a large impact on consumers and businesses alike and, according to estimates, will ultimately bring in R22,9 billion for government.

The VAT increase started to apply on 1 April 2018, and you can expect to pay VAT at the new rate on any invoices issued or payments made from 1 April 2018. However, if goods were supplied or services rendered before 1 April 2018, you will not be required to pay VAT at 15% on those goods or services, even if only paying for them after 1 April. Therefore, where you are paying for services in arrears or purchased goods on credit during the interim period (22 February 2018 – 31 March 2018), make sure that you are paying the correct VAT rate for those goods and services, even if you are only paying for them after 1 April 2018.

The CPA provisions on prices

The CPA, in section 23(3), requires suppliers to display the price in relation to any goods that are displayed for sale. Further on in section 23(6), the CPA states that a supplier must not require a consumer to pay a price that is higher than the displayed price or, where more than one price is displayed for the same good/service, the supplier must not require the consumer to pay the higher of the two (or more) prices.

Therefore, suppliers are required to display the price that the consumer will pay for goods/services when displaying goods/services for sale and must not require consumers to pay more than this displayed price – “the price you see is the price you pay”.

However, section 23(7) states that subsection (6) does not apply where the price of any goods or services is determined by or in accordance with public regulation.

Applicability in practice

When reading the CPA, it is clear that, as a consumer, you should only be required to pay the actual price displayed and the lowest price displayed where there are multiple displayed prices. However, section 23(7) of the CPA “throws a spanner in the works” with the VAT rate increase and the requirement to pay a price that is more than the displayed price.

The VAT Act is “public regulation” for purposes of section 23(7) of the CPA, and where suppliers are VAT vendors, VAT will be added to goods and services and will therefore be a determining factor used to calculate the price of goods and services. So, the rule that the supplier may not charge an amount higher than the price displayed will not apply in the scenario where the displayed price differs from the amount charged due to the VAT increase.

Further to this exception in section 23(7) of the CPA, the commissioner for SARS granted permission, in terms of proviso (iii) of section 65 of the VAT Act, for suppliers to require consumers to pay the increased VAT rate on goods and services despite the displayed price still indicating that VAT is included at 14% PROVIDED that the supplier prominently displays notices at the entrances to the premises and at all points where payments are made (i.e. consumers must be aware of these notices when in the store).

Conclusion

Generally speaking, consumers do not have to pay a higher price than the price displayed and where there are two prices for the same product displayed, the consumer can insist on paying the lower price.

Regarding the VAT increase, this CPA “right” is not available where the supplier has adequately notified consumers that the displayed prices may differ from prices at till point – due to the VAT increase. Suppliers have until 31 May 2018 to ensure that their shelf display prices have been updated to account for the VAT increase and to remove the notices in store that shelf and till prices may differ.

Treating customers fairly – a requirement in terms of FAIS

In terms of the Financial Advisory and Intermediary Services Act 37 of 2002 (“FAIS“), the Financial Services Board (“FSB“) published the Treating Customers Fairly (“TCF“) outcomes as the foundation of the FSB’s objectives for consumer protection and market conduct. These outcomes are needed because of the imbalances previously experienced between financial services consumers and regulated financial entities, which rendered consumers vulnerable to market conduct abuse. As financial products are complex, poor decision making and bad advice in respect of these products can lead to unintended consequences being experienced and suffered by a consumer a long time after the transaction was entered into.

The aim of TCF

The TCF outcomes are aimed at reducing market conduct risks and protecting consumers of financial products. The outcomes must be delivered to consumers throughout the product life cycle and at all stages of the relationship with the consumer. The TCF outcomes must be incorporated throughout the company so that everyone understands what TCF is and so that they can apply it.

The TCF outcomes address certain issues that are common in all industries. The outcomes may assist companies and consumers in instances where consumers have unrealistic expectations about the financial products/services being offered by companies even where the consumer was treated fairly; and on the other hand, where a consumer with a low level of understanding about the product/service is satisfied with the service received from the company but is unaware that he/she has been treated unfairly.

The key principles

TCF focuses on two key principles:

  1. ensuring that consumers understand the risks and benefits of the financial products/services they are investing in; and
  2. minimising the sale of unsuitable products/services to consumers.

What TCF is not

TCF is not about creating satisfied consumers at all costs. A satisfied consumer can still be treated unfairly and not know that he/she was treated unfairly.

TCF does not absolve consumers from making decisions and taking responsibility for such decisions – consumers still have a responsibility to know what they are getting into and to take responsibility for their decisions.

It also does not mean that all companies must do business in an identical manner – as long as business is done fairly and transparently, TCF requirements will be met.

The 6 TCF outcomes

  1. Culture: consumers should be confident that they are dealing with companies where TCF is central to the corporate culture;
  2. Products and services: products and services marketed and sold in the retail market should be designed to meet the needs of identified consumer groups and should be targeted according to such identified groups;
  3. Clear and appropriate information: consumers must be provided with clear information and kept appropriately informed before, during and after point of sale (i.e. throughout the product/service’s life-cycle);
  4. Consumer advice: where advice is given, it must be suitable and should take account of the consumer’s circumstances;
  5. Product performance expectations: products should perform in the way that consumers have been led to expect and service must similarly be of an expected acceptable standard; and
  6. Post-sale barriers: consumers must not face unreasonable post-sale barriers imposed by companies when they want to change products, switch providers, submit a claim or make a complaint.

Conclusion

The TCF outcomes were created to ensure that the fair treatment of consumers is embedded in the culture of companies operating in the financial services industry. The outcomes must be implemented throughout the life-cycle of the product/service, meaning that financial service providers have a duty to continuously ensure that consumers are treated accordingly.

Enforcement of the TCF outcomes will occur through a range of deterrents aimed at preventing unfair treatment of consumers; unfair treatment may be penalised through mechanisms such as intensive and intrusive supervision, naming and shaming of offenders, and financial penalties.

Essentially, the ultimate goal of TCF is to ensure that the financial needs of consumers are suitably met through a sustainable industry. If a financial services provider aims to achieve the outcomes, the direct effects should be appropriate financial products and services and heightened transparency in the industry.

POPIA: responsible parties and operators

Our previous POPIA articles have examined various aspects of the Protection of Personal Information Act 4 of 2013 (“POPIA“) at length, most notably the various conditions for processing personal information. In this post, we will examine the roles of “responsible party” and “operator” in terms of POPIA, what each of these roles entails, and the rights and responsibilities attached to each role.

The main purpose of POPIA is to regulate the use of personal information (as defined by POPIA and summarised below) and to provide for adequate security measures to protect personal information, and the different parties in a relationship will have to comply with these measures in certain ways. Therefore, these roles are important to consider as they have a profound impact on the relationships between responsible parties and operators and also affect the way in which information is processed and used.

What do these terms mean?

  • “responsible party” means the party who determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party.
  • “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, but does not come under the direct authority or control of the responsible party.
  • “processing” means any activity (including by automatic means) concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, distribution by means of transmission, distribution or making available in any other form, merging, linking, restriction, degradation, erasure or destruction of information.
  • “personal information” is information relating to an identifiable, living person and includes, without limitation, information relating to race, gender, marital status, pregnancy, ethnicity, age, health, disability, religion, language, culture, education and employment, criminal history, identity number, contact details, biometric information, personal opinion, etc.

What is the difference between a responsible party and an operator?

As set out above, responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an operator is involved, the responsible party will still determine the purpose for processing etc., but will outsource the processing of the information to the operator. The responsible party therefore still makes all decisions in relation to the information, and the operator acts in accordance with these decisions and on the instructions of the responsible party.

The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. The outsourcing or sub-contracting of any processing activities to operators does not absolve the responsible party from liability. If the operator contravenes POPIA, the responsible party will still be held liable by the Information Regulator.

The importance of contracts when appointing an operator

As with many other relationships, a contractual agreement between a responsible party and an operator is very useful and highly recommended in order to definitively address and govern the roles of each party and the boundaries of the relationship.

An agreement between the responsible party and operator should address, at the least, the following points:

  • That the operator only acts within the ambit of the agreement/mandate with the responsible party;
  • The purpose for processing of the information;
  • What information may be processed by the operator;
  • What the operator may or may not do with the information outside of the processing mandate;
  • A duty to protect the information received, not share it with third parties without consent, to keep the information received confidential and to otherwise act within the ambit of POPIA;
  • Limit the operator from appointing further operators without the responsible party’s knowledge or consent; and
  • Liability for the operator*.

Liability for the operator

As mentioned above, the responsible party will be held ultimately liable by the Information Regulator for a breach of POPIA by the operator. The Information Regulator will impose this liability on the responsible party where the breach occurred within the scope of the mandate agreement between the responsible party and the operator, and liability will not be diverted to the operator even where the breach results from the operator’s failure to uphold the principles of POPIA.

Therefore, the agreement between the responsible party and the operator is extremely important for the responsible party as this agreement can result in the responsible party holding the operator liable for any claims that the Information Regulator and/or data subjects (the people whose personal information is being processed) bring against the responsible party as a result of a breach of POPIA by the operator. A liability clause will allow the responsible party to bring a claim for any loss suffered by the responsible party as a result of the operator’s negligence or breach of POPIA.

Some relief for a responsible party arises where an operator breaches POPIA by exceeding its mandate. In these circumstances, the operator is seen to be acting as a responsible party in regard to the personal information, as the operator is then determining the purposes and means of processing.

Conclusion

We cannot emphasise the importance of an agreement between a responsible party and operator enough as such an agreement sets out the important details of the relationship between the operator and responsible party and aims to protect not only the responsible party, but also the operator by detailing the extent of the processing and other responsibilities that the operator undertakes.

Make sure that you know when you act as a responsible party and when you are acting as an operator as your responsibilities will differ along with your liability.

Conversations and agreements – when are they binding?

Introduction

A major cause of disputes is the content of agreements. Sometimes these disputes are the result of poorly drafted contracts, of content and deliverables not being adequately described, or of variations to the original contract. Another source of dispute is verbal contracts and conversations where the parties dispute the content of what was agreed upon.

Both verbal and written contracts are, in general, legally binding. However, in some cases writing is unavoidable because it is a formality required for the contract to be valid, for example: the sale of immovable property, antenuptial contracts, wills and executory donations. In addition to the preceding list, all documents that have to be submitted to and registered with the Deeds Office must also be set out in writing.

Written contracts have various advantages, among others, they:

  • ensure that both parties are fully aware of the contents of their agreement;
  • create transparency between the parties;
  • create and maintain trust between parties;
  • can stipulate formalities that must be met for validity; and
  • serve to avoid unnecessary disputes.

Electronic communication

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA“) recognises electronic messages (or “data messages“) as the functional equivalent of writing, meaning that data messages have the same legal validity as content written on paper. As a result, any formality requiring writing is met when the information is in the form of a data message. ECTA does, however, impose an accessibility requirement: data messages must be easily accessible to the parties thereto.

The validity of electronic messages was confirmed by the Supreme Court of Appeal (“SCA“) in November 2014 in the case of Spring Forest Trading v Wilberry (Pty) Ltd. The court held that variations to an agreement between the parties made via email were binding. The argument put forth was that the variation to the agreement was required to be made in writing and signed by both parties in order to be valid, and that this requirement had not been met because the variations were only discussed and agreed to via email. The court stated that the email signatures at the bottom of the emails amount to signatures and that the email messages constitute writing in terms of ECTA.

Conclusion

Written contracts are always recommended. The rationale being that oral agreements offer no objective or clear record of the details of the agreement and the specific terms are often difficult to establish when a dispute arises. Well drafted agreements should include useful information and guidance to the parties to ensure a fair and smooth resolution of disputes or disagreements. The guidance information should address when parties may cancel the agreement, what constitutes breach and how the breach should be remedied.

Written agreements should also set out that any changes to the agreement are not valid unless they are in writing (and signed by both parties) – which prevents disputes over any amended terms of the agreement. This also prevents quarrels of a “he said, she said” nature as everything has been recorded. As set out above, this can be done via email or other electronic messages, including WhatsApp, for example; however, the name of the sender must be signed at the end of the message for it to be valid.

It is important to understand that, following the abovementioned judgment, parties to a contract who do not intend ordinary email correspondence to effect an amendment to the agreement should specifically require an “advanced electronic signature” – a special form of signature provided for in ECTA – for any amendment to the agreement.

Remember, you could be bound to a contract where you have willingly signed it even if you have not yet read it.

Important take-aways

  • electronic communication is legally binding and is the equivalent of writing;
  • some agreements can only be altered if the variation is in writing and signed by both parties;
  • some agreements must be in writing and signed (and sometimes commissioned or notarised) in order to be valid and binding; and
  • oral agreements are binding (but not advised!).

Website terms – purpose, importance and consequences

Nowadays, websites almost always contain policies and terms that govern your use of the site. Sometimes these policies will appear as banners on the site (which you have to “agree” to in order to make them disappear), links in the page footer (like we have on our website) or as a statement along with a tick box saying that you have “read and agree with” the terms (usually when transacting online).

The questions on people’s minds are, firstly, why do I need all these different sets of terms and, secondly, are these policies binding?

Why do we need all of these terms?

The website terms which we feel are important are browser terms, privacy policies and commercial/transactional terms. Each one of these deals with specific aspects of the website’s use, including, for example, the collection of personal information, social media integration, payment methods and your rights as a user of the website. Below we discuss each policy and its importance. These policies also protect your rights and interests in your website and can allow for you to have a claim in law against people who infringe your rights.

Browser terms

Although browser terms are not a legal requirement, they are useful to ensure that the “web surfer” understands and agrees to certain key points. Browser terms should be used to inform the surfer that:

  1. you, as the website owner, owe them no responsibilities;
  2. they get no rights to any services or IP merely by browsing;
  3. they are required to respect your website and the content thereof; and
  4. you comply with all necessary legal disclosure requirements.

Browser terms are “agreed” to through the surfer continuing to browse the website. These types of agreements are called “web-wrap” agreements. More on this below.

Privacy policies

Privacy policies are essential whenever the website collects or makes use of personal information. Personal information is often collected through cookies as well as when browsers become users of a website by creating an account or by integrating their social media accounts with the website.

The Protection of Personal Information Act 4 of 2013 (“POPI”) sets conditions for the lawful processing of personal information. Included in POPI’s ambit will be the mere storage of personal information when it is collected by cookies. POPI also requires that companies make certain information available to users when they collect their personal information. This can be achieved through a privacy policy. Privacy policies therefore also assist the website owner to comply with legal requirements.

Privacy policies usually include the following important aspects:

  1. the use of cookies to collect certain information;
  2. the purposes for the processing of the personal information;
  3. the sharing of personal information by the website owner with certain select third parties;
  4. the storage of personal information, including the security measures taken and whether cross-border storage will occur; and
  5. the user’s rights in relation to his/her personal information and the recourse that he/she has.

Privacy policies are, like browser terms, usually agreed to by browsing; however, a recent trend has been to display the fact that cookies are used as a banner on the website, requiring a “click-wrap” agreement to be entered into in order to remove the banner.

Commercial/transactional terms

As the name suggests, the commercial terms become applicable where the website enables users to transact with the website owner through the website. These terms serve as the terms of the contract which you conclude with the user when the user becomes a customer. The important aspects that this policy should govern include:

  1. a general explanation of the service or product being offered by the website;
  2. the fees that are payable, which may be a once off purchase price or a subscription fee, as well as the fees relating to delivery costs, insurance and VAT;
  3. the terms applicable to returns;
  4. limitation of liability, which will be subject to the Consumer Protection Act 68 of 2008 (if it applies);
  5. the applicability of promotional codes and vouchers; and
  6. acceptable use policies, however, this is more applicable where the website offers a service and not a product.

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA“) requires certain disclosures in terms of section 43 by the website owner when goods or services are offered for sale or hire through an electronic transaction. Some of the disclosures required include:

  1. company name, registration number and contact number;
  2. addresses, including physical, website and e-mail;
  3. a description of the main characteristics of the goods/services offered (which fulfils the requirement of informed consent);
  4. the full price of the goods, including transport costs, taxes and any and all other costs;
  5. the methods of payment accepted, such as EFT, cash on delivery or credit card, as well as alternative methods of payment such as loyalty points;
  6. the time within which delivery will take place;
  7. any terms of agreement, including guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers;
  8. all security procedures and privacy policy in respect of payment, payment information and personal information; and
  9. the rights of the consumer in terms of section 44 of ECTA.

ECTA also requires that the customer must have an opportunity to review the transaction, correct any mistakes and withdraw from the transaction without penalty before finally concluding the transaction. ECTA non-compliance gives the consumer the opportunity to cancel the order and demand a full refund.

Additional requirements are placed on suppliers transacting online regarding payment systems. The payment system used must be sufficiently secure in terms of current accepted technological standards. Failure to comply with these security standards can render the website owner liable for any damages suffered due to the payment system not being adequately secure.

Are these policies binding?

Essentially, yes: website terms will be binding based on the principles of contract law. Website users must be made aware of the terms that apply to their use of the website, and you should always ensure that you include wording to the effect that anyone continuing to use the website agrees to the terms.

To this effect, web-wrap and click-wrap agreements come into play.

Web-wrap agreements

Web-wrap agreements (also referred to as browse-wrap agreements) are used to obtain acknowledgement of the terms of use of a website through the user continuing to use the website. The user indicates acceptance of the terms by using the website and does not expressly indicate acceptance of the terms. Such agreements are usually used for browser terms and privacy policies.

Click-wrap agreements

Click-wrap agreements require the user of a website to indicate their agreement with the terms through positive action – usually by clicking “I accept” before proceeding with their activity on the website. These agreements are usually used for more important agreements, such as when installing new software on your computer or when entering into online transactions.

Conclusion

Even though all of these policies may seem excessive, they are worth having. Yes, copying and pasting clauses from other policies will get the job done, but you may leave yourself vulnerable to certain consequences that you haven’t thought about. These consequences may be even worse when it comes to commercial terms. Contact us for a free quote and ensure that your online business is fully protected!