Vehicle finance “Extra fee”: strip it or bill it?

The National Consumer Tribunal (“NCT”) recently came out guns blazing and caused a stir in the motor vehicle industry. The application by Volkswagen Financial Services SA (“VWFS”) for the review and setting aside of a compliance notice previously issued against them by the National Credit Regulator (“NCR”) was dismissed by the NCT during the month of April 2019.

First, some background: the NCR issued compliance notices against VWFS and BMW Financial Services in 2017. In terms of these compliance notices, the NCR held that the “on the road” fees (colloquially termed “Service & Delivery Charge” or the like) charged by the respective vehicle financiers constitute prohibited charges in terms of the National Credit Act, 34 of 2005 (“NCA”) and ordered each of these financiers to refund consumers who paid such fees. VWFS subsequently applied to the NCT to review and set aside the compliance notice issued by the NCR against them. The NCT, however, rejected their application and confirmed the decision taken by the NCR in their compliance notice (in a somewhat amended form, but in principle the same). The NCT ruled that VWFS were to: (i) refund all affected consumers; and (ii) cease adding any such or similar fees on their (vehicle finance) credit agreements as from 10 April 2019.

VWFS have since indicated that they will appeal the decision of the NCT, the effect of which is to suspend enforcement of the ruling until the appeal has been finalised by the relevant court. Simply put, VWFS need not comply with the compliance notice until the matter has been settled by the relevant High Court.

Please follow the link below to access a copy of the relevant NCT ruling:

What’s the current legal position regarding loans between family members and sale of shares on credit terms?

Published: 10 December 2018

In August 2016, we published an article, “Do all credit providers need to register”. In that article, we discussed various matters relating to the application of the National Credit Act (which we will refer to as the NCA) to various transactions, in particular when a credit provider would be required to register with the National Credit Regulator as a credit provider.

Following some judgments recently handed down by our courts, we want to discuss some of the matters from our previous article in more detail – namely whether the NCA requires one to register as a credit provider in cases where (i) a family member grants a loan to another family member and (ii) a shareholder or a company sells/issues shares on credit.


Let’s quickly recap the discussion in our previous article: the NCA will most likely apply to a transaction:

  • that qualifies as a credit agreement in terms of the NCA, if none of the exceptions provided in the NCA applies; and
  • the agreement was concluded by parties dealing at arm’s length.

Accepting that a proposed transaction is a credit agreement and none of the exceptions apply, the point of departure in determining whether you would be required to register as a credit provider if you were to grant a loan to one of your family members, is to consider whether your proposed transaction is conducted at arm’s length.

The NCA does not define the term dealing at arm’s length but sets out an open list of arrangements which would generally not be considered as being made at arm’s length. A credit agreement between two natural persons who are in a family relationship and who are co-dependent on each other, or where one is dependent on the other, is not at arm’s length. The NCA does not provide any guidance as to when family members will be regarded as independent of each other. The Court considered this question in the case of Beets v Swanepoel [2010] JOL 26422 (NC) (“Beets judgment”). Based on this judgment it is our view that it is likely that a transaction is at arm’s length in instances where the parties independently strive to gain the utmost possible advantage from the agreement. Based on the courts’ interpretation of the phrase, parties would generally be considered as striving to gain the utmost possible advantage from the agreement if the (proposed) loan bears interest, charges or fee(s). This would usually be the case regardless of the familial relationship between the parties involved.

In the Beets case, the mother granted a loan to her daughter at a favourable interest rate. The daughter failed to honour her part of the agreement and the mother approached the court to claim the outstanding balance of the loan. The daughter argued that her mother (lender) ought to have been registered as a credit provider as required in terms of the NCA. She further argued that her failure to do so renders the loan agreement invalid. The court ruled in her (daughter’s) favour and held that the credit agreement was at arm’s length despite the mother-daughter relationship between the parties considering the fact that the parties were independent of each other. For that reason, the loan agreement between the parties was found to be invalid.


We now turn to the next question, which relates to a sale of shares agreement on credit terms. It’s undoubtedly a common practice that companies and/or shareholders occasionally enter into credit share sale agreements to issue/sell shares to prospective buyer(s) who may otherwise not have been able to pay the purchase price upfront. In such cases, the parties would make arrangements in terms of which the buyer would pay for the shares in instalments over a specific period. This practice was discussed in the recent SCA judgment of Du Bruyn NO and Others v Karsten (929/2017) [2018] ZASCA 143.

In this case, two close corporation members entered into an agreement in terms of which one of the parties sold his interests (the equivalent of shares in the company) which he held in three separate entities (i.e. CC’s) for an aggregate purchase price of R2 000 000,00. The purchaser, however, could not afford to pay the purchase price upfront and the parties agreed that the purchaser would pay the deposit of R500 000, with the balance to be paid in monthly instalments of R30 000 over a period of five years. The price payable over the five-year period was therefore more than the purchase price and the difference would indicate the credit costs.

The purchaser failed to make the payments as per the agreement and the seller instituted proceedings to claim the outstanding balance. Since the seller was not registered as a credit provider at the time of entering into the credit agreements, the buyer raised a defence that the agreements were null and void due to non-compliance with the NCA. The court declared all three credit agreements unlawful for failure to register as a credit provider, as required in terms of section 40 of the NCA.


The main takeaway point from the judgments discussed above is that one needs to carefully consider the relevant provisions of the law regulating the credit industry before granting credit to anyone, including a loan to a family member(s). There is, however, not always a clear-cut answer to these matters, and the facts of each scenario would need to be considered on a case-by-case basis. As such, we would advise that you consider seeking legal advice before granting a loan to avoid any disappointment.

New system to curb debit order abuse: Debicheck


Have any of your customers ever disputed a debit order that was legitimately processed against their bank account in favour of you in terms of a debit order mandate? Has your personal bank account ever been debited without your permission? If not, you’ve probably heard of someone who has experienced these rather unfortunate incidents. Well, these disputes will soon be a thing of the past. In this post we’ve set out how the Payments Association of South Africa (“PASA”) has planned to put a stop to debit order abuse.


Many of us are familiar with the current workings of debit order authorisation. In brief, a service provider who collects its revenue by means of debit orders is required to enter into a written or oral agreement, commonly known as a “debit order mandate”, with customers. A valid debit order mandate serves as proof of consensus between a customer and the service provider for the repeated deduction of an agreed amount from the customer’s bank account. A service provider would request payment from the customer’s bank, based on the authority from the customer.

PASA (the Payments Association of South Africa, a body created by law to organise, manage and regulate the participation of its members in the South African payment system) has been receiving a significant number of complaints relating to debit order abuse by both customers and service providers. While most complaints related to debit orders processed to customers’ bank accounts without valid debit order mandates, some complaints related to debit orders which had been legitimately processed (where the customer disputes a legitimate debit order and has the payment reversed). PASA – mandated by the South African Reserve Bank (“SARB”) – has found a solution to this ever-growing problem. PASA has introduced Debicheck, a new debit order system which will hopefully bring peace of mind to service providers and customers alike.


In terms of Directive No. 1 of 2017 issued by SARB, the participant (i.e. bank) who is responsible for carrying out the payment instruction from a service provider (i.e. the bank customer’s creditor) must notify its customer (i.e. debtor / the service provider’s customer) of the proposed debit orders before making any deductions against the customer’s account. Customers will be required to approve or reject the proposed debit order and confirm any material information relating to such debit order, such as the service provider’s details, amount to be deducted and the date of debit order. Customers will also be required to re-approve any debit orders when the mandate changes.

According to the Directive, all debit order mandates concluded after the cut-off date (currently 31 January 2019) must comply with these requirements. In other words, these requirements do not apply to debit orders which are already in existence before the cut-off date.


Through the Debicheck system, banks will have a record of all confirmed and rejected debit orders – meaning that no debit orders will be loaded by a bank without a customer’s positive authorisation of the debit order. As a result of the consents and rejections being recorded, it is unlikely that there would be debit order abuse on Debicheck debit orders.

When does comparative advertising constitute trade mark infringement?

It is unlikely that an organisation can consistently keep its “head above water” without marketing or advertising its products or services. As the ways through which organisations do business evolved, so did the art of advertising. Many businesses make use of a variety of advertising strategies to draw the attention of a larger audience compared to their respective competitors. One good example of these strategies which has proven sometimes to be more effective than others, is “comparative advertising”.


As the name suggests, comparative advertising is when an advert compares the advertiser’s product/service with that of another party (usually, a competitor). In most cases, this advertising ploy focuses on the comparison of prices, quality and/or durability of the product compared. The rationale behind the use of this strategy is usually to:

  • create the impression that the advertiser’s products or services are of the same or superior quality to those of the compared products or services, but are being offered at a lower price – therefore better value for money; or
  • disparage the quality of the compared product or services.

Whether a comparative advert seeks to put the advertiser’s product on the same footing as that of the compared product/service or to degrade the competitor or its product/service, the overall purpose is to increase the advertiser’s visibility in the market. If the advertiser not only refers to “competitors” in general but refers to them by name or product (specific to the competitor), the question is whether the adverts may infringe the trade mark of the other party whose product is being compared.


A trade mark is essentially a registered brand name, slogan or logo with which a person may identify and distinguish his/her products or services from those of others. Provided it is well-known and/or registered with the relevant regulatory body, being the Companies and Intellectual Property Commission in South Africa, the proprietor’s (i.e. trade mark owner’s) exclusive right to the goodwill of the mark is protected in terms of the Trade Marks Act 194 of 1993 (“the Act”).

Section 34 of the Act is the most relevant section in relation to comparative advertising. In terms of this section, any unauthorised use of a registered trade mark is prohibited. The section also sets out the circumstances under which trade mark infringement may arise. From the provisions of section 34, infringement of this nature can be summarised or classified into three different forms, namely (i) primary infringement, (ii) extended infringement and (iii) infringement by dilution. Discussion of these categories, however, falls outside the purview of this article.


In the past, South African courts have been faced with various legal questions around the practice of trade mark infringement as a result of comparative advertising and have developed precedent on the matter. Based on that precedent, the current position is that not all comparative adverts have the potential of infringing a trade mark.

The legal developments in relation to trade mark infringement have shown that the question whether an advert constitutes trade mark infringement depends predominantly on the degree of reference intensity used, which means that some adverts may not necessarily amount to infringement. One good example of an advert with low reference intensity would be claims like: “XYZ, the best burgers in town”. This type of advertisement is generally known as “puffery statements” and is, strictly speaking, not relevant to trade mark law provided it does not contain any marks (trade mark related) which could potentially identify the other party.

Problems normally arise when an advert employs a higher degree of reference intensity. This type of referencing is a typical determining factor on whether an advertisement is lawful/permissible or not. It usually happens in cases where the advertiser employs some form of advertising technique and makes subtle reference to a competing brand rather than explicitly naming or showing the competitor’s product/service. Given the subtle approach and disguise followed, many may get confused as to whether such advertisements do in fact cause infringement. In the decision of De Beers Abrasive Products v International General Electric Co of New York, the court laid down what is regarded as the borderline between a lawful and unlawful comparative advert. In this case, it was held that the deciding factor in relation to the issue of trade mark infringement hinges on whether a reasonable consumer would identify the competitor against whom a comparative statement has been made and take such statement(s) as being a “serious claim” in comparison. If so, such advertisement may constitute trade mark infringement. When one follows this approach, there is less chance of the advertiser finding him/herself on the wrong side of the law.

The highest level of reference intensity relates to those cases where an advertiser blatantly names and/or shows the competitor’s products/services or trade mark. With regards to this type of referencing, we do not anticipate any difficulties in determining whether infringement does arise – the advertiser is highly likely to be at risk.


Inasmuch as adverts with a higher level of reference intensity would draw more attention, they may cause more harm than good to both parties, in most instances. The better approach from a risk point of view would be to keep your comparison of other parties’ products to a minimum. Alternatively, use so-called own-price referencing/comparison.

Product liability: Is the supplier liable for harm suffered by a consumer?

In a previous article entitled “The responsibility of a supplier to conduct a consumer product safety recall”, we dealt with various matters around product safety recalls. As a follow-on to that, this article deals with the “product liability” concept which goes hand-in-hand with “product safety recall”.


From as far back as the early days of the Romans, a plethora of claims for damage suffered or loss incurred as a result of defective or unsafe goods or products have been a part of the ever-evolving legal fraternity. These claims ranged from a claim against a horse-drawn coach manufacturer, to a claim against a man who sold a diseased horse which later died in the possession of the buyer, or anything in between. To date, product liability claims are still a practice in most legal systems around the world – including South Africa.


In essence, the concept “product liability” refers to a supplier’s liability towards the consumer or third-party for damage suffered or for loss incurred as a result of the supplier’s defective or unsafe goods/products supplied.

Product liability is regulated by the Consumer Protection Act 68 of 2008 (the “CPA”). As the name suggests, the main objective of the CPA is to regulate relations between the supplier and the consumer. In line with that objective, the provisions of the CPA relating to product liability focus on regulation of the relationship between the supplier (i.e. manufacturer, designer, distributor or retailer) and the consumer, rather than between suppliers themselves.


Until the inception of the CPA, claims arising from damage suffered or loss incurred by a consumer or third party as a result of defective product were regulated by our common (i.e. uncodified) law. As such, liability for such damage or loss could only be determined in terms of the common law of delict. Given the burden an aggrieved party is required to discharge in order to succeed with a delictual claim, it was often difficult for many consumers to successfully prove their claims in this regard.

To plug this gap, the Legislature introduced a different approach with regards to the consumer’s burden of proof through the CPA. In terms of section 61 of the CPA, a supplier may be held liable to a consumer for any damage or loss arising from (i) the supply of a defective/unsafe product or (ii) where damage or loss arises from the supplier’s failure to provide adequate information relating to the risks associated with the use of a product. The main benefit to the consumer lies in the fact that the supplier may be held liable regardless of whether it (the supplier) was negligent or not.

Consideration of whether there is any probability of success in a claim in terms of section 61 hinges on the following three questions:

  • whether goods and/or services as defined in the CPA are involved;
  • if so, whether the person (against whom the claim has been instituted) is in fact the “supplier” as defined in the CPA; and
  • whether the claimant suffered harm as a result of defective goods supplied by such supplier.


The purpose of this article is to provide an insight into the supplier’s liability towards the consumer for damage or loss arising from supply of defective goods/product and should not be considered as advice.

In our last article of this series, we will discuss some aspects around whether the role-players in the supply chain can decide, among each other, who will be liable to the consumer.

The responsibility of a supplier to conduct a consumer product safety recall


The Consumer Protection Act 68 of 2008 (“CPA” or “the Act”) establishes certain rights applicable to all consumers when purchasing goods (and services) for their personal use. The Act sets out, amongst others, that consumers have the right to fair value, good quality and safety as well as an implied warranty of quality.

The implied warranty of quality warrants that the goods comply with the requirements of being of good quality, durable, and safe for the use as advertised or designed. Where goods are of inferior quality, unsafe or defective, the consumer may return the product and the supplier is obliged to repair, refund or replace the failed, defective or unsafe product.

Consumers have a further right to have goods monitored for safety and recalled when such goods or components of such goods are hazardous, unsafe or defective. The Consumer Product Safety Recall Guidelines (“Recall Guidelines”) have been drafted in terms of the CPA to provide further detail for such instances and set out the procedure to be followed where products are to be recalled.

Hazardous products

Whilst suppliers would take necessary steps to ensure that their product is manufactured or produced in line with the required design and/or material specification, the reality is that there may be some unforeseen occurrences where manufacturing/production lines may deviate from such design or material specifications. In such cases, a product may be identified as unsafe where it presents health or safety hazards to the public. However, in some instances, a consumer product may also be identified as unsafe to consumers irrespective of whether there was a manufacturing or production error. The deciding factor is whether the product poses health or safety hazards to the public.

The CPA doesn’t clearly unpack the term “hazard”, but generally, a supplier’s product may be identified as presenting a health or safety hazard where such product has the potential to cause the following:

  • injury;
  • illness;
  • death;
  • loss of, or physical damage to, any property; or
  • any economic loss as a result of any of the above.

Product safety recalls

In terms of the CPA and the Recall Guidelines, a supplier is required to, among other things, conduct a consumer product safety recall where a product poses a health or safety hazard. In essence, a consumer product safety recall is a process whereby a supplier is required to remove all affected product(s) from production, supply chain and any point of sale.  In terms of section 5(5) of the CPA, these Recall Guidelines apply to all goods supplied in South Africa, regardless of whether the transaction for the supply of such goods is subject to the CPA or not.

In 2012, the National Consumer Commission (“NCC”) published the Recall Guidelines detailing, among other things, procedural steps required to be followed by suppliers when conducting a product recall. In terms of the Recall Guidelines, a supplier may voluntarily initiate a safety recall. Where a supplier fails to voluntarily conduct a safety recall, the NCC may issue a written notice to the relevant supplier ordering it to conduct such safety recall.

Irrespective of whether a supplier voluntarily conducts the safety recall or is ordered to do so, a supplier is required to ensure that the procedural steps, as briefly set out below, are followed:

  • assess the risk;
  • cease distribution of the product;
  • notify the NCC;
  • notify consumers;
  • facilitate returns; and
  • facilitate returns.

In order to comply with the above-mentioned procedural steps and to avoid any penal sanctions, a supplier may be required to prepare and put in place some form of a policy document(s) in anticipation of a product recall becoming necessary in the future.


As with non-compliance with the provisions of the CPA in general, non-compliance with sections 60 and 61 of the CPA and the Recall Guidelines may have dire consequences. A supplier may be declared to have engaged in prohibited conduct and an administrative fine of up to R1 million or 10% of its annual turnover for the preceding financial year may be imposed.

Closely linked to the topic of safety recall, our next article on the CPA will be dealing with a discussion around the concept of “product liability”. For any further details on this topic, please do not hesitate to contact us.

The Edcon Ruling: What to take away from it


Credit providers assist customers who cannot afford to make all payments in cash. In return for the risk they take, they are allowed to charge certain costs and fees. When credit agreements are within the ambit of the National Credit Act 34 of 2005 (“NCA” or “the Act”), the Act imposes maximum limits on these fees. Irrespective of the type of credit agreement, section 101 of the NCA provides for a closed list of the fees that a credit provider may charge the consumer in relation to a credit agreement. These fees include, amongst others, initiation fees, service fees, interest, credit insurance and/or default administration charges.


It has become common practice for retailers to make membership clubs available to consumers in exchange for a monthly “membership/club fee”. Typically, when a consumer becomes a club member he or she would earn points or similar consideration for different reasons – such as a percentage of the purchase price being earned in points. Depending on the type of club joined and/or amount of points earned by that club member, he or she would be entitled to convert his or her points into some form of benefit or product (for example, entertainment, travel, spa, gym etc.). For credit providers who want to offer similar “clubs” there is a challenge in that the NCA does not provide for this kind of “club fee”.


More recently, the National Credit Regulator (“NCR”) started to investigate this business practice and focused on a well-known credit provider retailer: Edcon Holdings Limited (“Edcon”). Following the investigation, they initiated action against Edcon by referring the matter to the National Consumer Tribunal (“NCT”) seeking an order declaring that Edcon has, among other things, repeatedly contravened the provisions of the NCA relating to prohibited charges – by charging a fee not allowed for in the NCA.

The NCT considered the matter from a broader legal perspective, namely whether the NCA allows a credit agreement to contain any fee or charge other than those permitted by the NCA. Edcon argued that the club membership was a stand-alone product, not intended to be part of the credit agreement.

As a starting point, the NCT concluded that the NCA unambiguously prohibits credit providers from charging any fee or charge other than those listed in and provided for in the Act.  The NCT found that Edcon was not allowed to charge its credit customers any fee or charge other than that permitted by the NCA and could therefore not charge the club membership fees. In conclusion, it was held that, by doing so, Edcon had engaged in repeated prohibited conduct in terms of the NCA.

The NCT emphasised that the business practice of charging “membership/club fees” is explicitly prohibited by the NCA and any credit provider who does business in this way may face dire consequences. From perusal of the ruling, the likely consequences that Edcon faces may include being directed to refund consumers charged club and membership fees from 2007 to date and/or an administrative fine on Edcon. According to media reports, Edcon has indicated that they will appeal the ruling.


The above ruling raises a red flag to many credit providers or credit retailers who may be involved in similar business practices. Retailers should take the following away from this ruling:

  • irrespective of whether customers voluntarily choose to purchase this type of (club) product, a membership/club fee may be seen as a cost of credit if it is inseparably linked to a credit agreement; and
  • review your credit agreements to ensure you do not include any provisions or charges not allowed in terms of the NCA.

Please note that not all club memberships will fall within the ambit of this ruling and club structures will need to be considered on a case-by-case basis. Please do not hesitate to contact us should you have any queries.

POPI series – Condition 8 – data subject participation

We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles and this month it is time for a discussion of the eighth and final condition: Data Subject Participation. This condition is comprised of three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.

Applicable POPI sections and commentary

The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:

Access to Personal Information

Section 23: “Access to personal information.—

(1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”

Commentary to Section 23 above:

  1. Data subjects have a right to access their personal information records and receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
  2. If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide it with a record of this information.
  3. Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that it has the right in terms of section 24 to request a correction to such information.
  4. Depending on the costs that a responsible party has incurred or anticipates incurring in providing the above information to the data subject, the responsible party may request reimbursement of those costs from the data subject.
  5. Where the provisions of the Promotion of Access to Information Act 4 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.

Correction of Personal Information

Section 24: “Correction of personal information.—

(1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”

Commentary to Section 24 above:

  1. After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
  2. Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  3. If the data subject has requested the deletion or correction of its personal information in accordance with sections 23 and 24, the responsible party may do so. Alternatively, it may provide the data subject with credible evidence in support of the personal information. Where agreement cannot be reached and the responsible party believes it is entitled to maintain the personal information, there may be circumstances in which a kind of disclaimer is attached to the information, informing users that a correction to this information has been requested but not made.
  4. If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.

Manner of Access

Section 25: “Manner of access.—

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”

Commentary to Section 25 above:

  1. This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
  2. In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.


Essentially, POPI’s Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of such responsible party. Ultimately, this all boils down to a responsible party’s responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.



POPI series – condition 7 – information security


The purpose of the Protection of Personal Information Act 4 of 2013 (“POPI”) is not to prohibit processing of Personal Information (“PI”) per se. One of the purposes of POPI is rather to regulate the processing of PI, including by prescribing that organisations must implement appropriate safeguards to ensure that the PI they process is protected and secured.

This month our focus is on Condition 7, which pertains to Security Safeguards. In essence, this condition requires organisations to secure the integrity and confidentiality of all PI in their possession or under their control. This is achieved by implementing appropriate and reasonable security measures.


We discuss the practical implications further below; our high-level comments on the POPI sections appear in square brackets.

Section 19

“Security measures on integrity and confidentiality of personal information.—

(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information. [This is the general obligation on the responsible party to take steps to secure personal information.]

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.” [POPI does not provide a “tick list” of security requirements to meet. Responsible parties must consider applicable industry security practices and then implement appropriate security measures for the business.]

Section 20:

“Information processed by operator or person acting under authority.—

An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.” [This is the limitation on operators – they may not use personal information received from the responsible party for their own purposes outside of the scope of the contract with the responsible party.]

Section 21: Security measures regarding information processed by operator.—

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. [There is a duty on the responsible party to regulate the relationship with the operator by written contract.]

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. [Operators to note this duty to report unauthorised access.]


Different requirements will need to be considered, depending on whether you are acting as a responsible party or an operator.

As a responsible party you have an ongoing obligation to safeguard the PI in your possession from being destroyed unlawfully, accessed unlawfully, lost or damaged. This obligation requires your organisation to have reasonable technical and organisational measures in place to protect PI under your control or in your possession. Organisational and technical measures include, for example, measures through which organisations restrict unauthorised individuals from entering their premises and controls through which organisations restrict access rights and the usage of their networks, devices, etc.

There is also an ongoing obligation on organisations to identify new risks. These should be prioritized according to the threat posed.

Practical controls or processes in response to risks identified, could include the following:

  • Review of access rights on an ongoing basis;
  • Ownership for PI;
  • Physical access controls;
  • Computer/ device passwords;
  • Firewalls;
  • Encryption;
  • Remote destruction;
  • Anti-virus programs;
  • Exit process.

Most organisations were implementing some of these measures to secure PI long before POPI was enacted. Condition 7 of POPI will require organisations to review their current processes and implement additional processes where the need is identified.

If your organisation outsources any functions involving the processing of personal information to a third party operator, you will still remain responsible for the processing of the PI. You also have the obligation in terms of POPI to regulate your relationship with the operator by way of written contract to ensure that the operator provides the service in accordance with POPI requirements.

In terms of POPI there is a duty on responsible parties to regularly consider whether there are any new risks and then implement processes to address the risks identified.

As an operator, it is very important to understand that you cannot use the personal information received from the responsible party however you wish. The responsible party, as the custodian of the information, will authorise you to use the information only for the purposes of the service that you are rendering to the responsible party. You cannot use the information for any of your own purposes.


In terms of POPI you cannot keep quiet and hope that no one will ever find out. The law puts an obligation on you to report the breach.

In terms of section 22: Notification of security compromises.—

(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The law also determines that the notification to the data subject must be in writing and communicated in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.


In preparation for POPI you should consider your current processes, access rights and security measures. It is likely that some of these may need to be reviewed and new processes implemented to ensure compliance. Remember that POPI does not provide for a defined list of measures to implement. But consider applicable industry standards and make sure that you can comply with this important condition 7.

POPI series – condition 6 – openness


We have now passed the halfway mark of our POPI Series and the next exciting topic in the series is that of “Openness” or “Notification”. In our view, Notification is one of the most challenging provisions of POPI. This condition will most definitely require responsible parties to change current processes and possibly develop new processes to ensure compliance.

In this article, we are going to try and focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (sections 57 and 58), in terms of which a responsible party needs to notify the Information Regulator of certain processing actions before it can process the personal information. This will be discussed in a separate article in future.

Relevant sections and practical implications.

Let’s first look at the requirements of section 17:


A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of sections 14 or 51 of the Promotion of Access to Information Act 2000 (“PAIA”). Note that for private bodies, section 51 will apply. In terms of section 51 of PAIA certain private bodies need to disclose specified information through a manual – generally referred to as a PAIA Manual. Note that POPI will be amending the PAIA to provide for additional information that must be included in a company’s PAIA manual.

It is not difficult to comply with section 17 and responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes”

From the above it follows that, in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time that information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule and so justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to, including using it for reasons that would never have been intended by the data subject.
  • Data subjects do not know which companies hold their personal information.

In terms of this section 18, companies will therefore need to inform data subjects of the reasons for which they would use the data subject’s information. They also need to inform them of the type of companies with whom the personal information will be shared, including where information will be shared with third party service providers who will have access to the information or receive the information for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI this must happen even before you collect the information – if you collect it directly from the data subject, or if not directly from the data subject, before you collect or as soon as reasonably possible after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way would be to include the information in privacy policies. This is not a no go, but without the data subject knowing about the privacy policy and the notification information provided through the policy, it may have little effect. The proposed solution is to include some specific reference to the policy in your customer terms, application forms, or other applicable documentation and then include the majority of the required information in the actual policy.

By far the biggest challenge will come in where information is not collected directly from the data subject. This happens on a daily basis and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud databases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you would have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge businesses to consider the exceptions very carefully and not flippantly rely on something like “it is not reasonably practicable” to notify, without properly determining whether it would really be possible to rely on the exception. Merely taking the view that it would be “very costly” to comply is unlikely to be “good enough” to justify non-compliance.


It’s evident that POPI conditions or requirements are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what the purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations where you collect personal information and consider how you will notify. You may be able in some instances to rely on an exception and decide not to notify. Document those decisions and explain your justification for record purposes.

For any assistance with this challenging condition, please contact Jana van Zyl at