Wonder no more – POPI commencement announced for 1 July 2020

The long wait is over. The Protection of Personal Information Act (“POPI”), promulgated in 2013 and of which certain sections became effective in 2014, has now, just north of six years later, been given the go-ahead for the commencement of the majority of its sections. As POPI was published in its entirety all those years ago, businesses had ample time to start testing their information protection frameworks and getting them streamlined for the day on which POPI would finally commence.

The commencement date has been speculated on for quite some time; however, official communication from the President’s office, and its publication in the Government Gazette on the 22nd of June 2020, has now dispensed with the need for further speculation:

Sections 2 – 38; sections 55 – 109, section 111; and section 114(1)-(3) will commence on the 1st of July 2020.

If you have waited with your compliance project, or if your business has been complying with POPI requirements for quite some time now but needs to tweak a few processes, you need to act fast. These sections commence from the 1st of July 2020, but note that section 114(1) effectively provides for a one-year compliance streamlining period.

Accordingly, although the commencement date is less than a month away, a 12-month “implementation period” to get ready for compliance will apply.

Finally, section 110 and section 114(4)’s commencement date has been announced as 30 June 2021. This allows time for processes to be put in place for the Information Regulator to hit the ground running once compliance with POPI is expected from entities.

If you need any assistance in getting your business’ POPI obligations in line with the legislative requirements, feel free to let us know – our team is ready to assist you.

Will marketing be able to stand the test of time?

In a previous life, suppliers could pretty much market as and how they wanted to. They could choose to whom, how, and what they wanted to market. Marketing messages were innovative, interesting and exciting (albeit not always true…).

This changed when a global emphasis on consumer and privacy rights started to emerge. In South Africa the position has been no different, and suddenly suppliers need to start considering complicated legal concepts like a “legitimate interest” when all they want to do is market their goods or services.

Data protection laws, like South Africa’s Protection of Personal Information Act, 4 of 2013 (“POPIA”), the EU’s General Data Protection Regulation, 2016/679 (“GDPR”) and Mauritius’ Data Protection Act, 2017 (“DPA”), all require that a lawful basis exists to use personal information – also for direct marketing.

These lawful bases are generally very similar across the different pieces of legislation in the different countries, and include various grounds, for example:

  • Consent – it seems obvious that if a person agrees to it, then the information may be used.
  • A requirement in law – again obvious that if there is a law that requires you to use information in a certain way, then you must do it – whether the person consents (and likes it) or not.

The most interesting one, though, is the so-called “legitimate interest” of the supplier or of the person whose information it is. In terms of this lawful basis of use, it is lawful for a supplier to use personal information for direct marketing purposes if the marketing is in the legitimate interests of the supplier. This begs the question: what would constitute a legitimate interest, especially considering that it is not defined by the law?

A three-stage ‘test’ has been derived from the GDPR:

  1. Purpose – is there a legitimate reason or purpose for the processing? (Potentially yes – the supplier wants to increase sales through marketing).
  2. Necessity – is processing the information necessary for that purpose? (Potentially yes – how else will he increase sales?).
  3. Balance – is the legitimate interest overridden by the interests, rights and freedoms of the data subject? (This is the more difficult one as a balancing act between the supplier and person needs to be considered).

This is unfortunately a rather technical legal approach to the question and will require that the specific facts of each matter be considered before determining whether the legitimate interest justification ground can be relied on.

It is important to take note that, in addition to the general justification grounds, specific legislation or provisions may require consent in certain circumstances. If this is the case, it will not be possible for a supplier to rely on the legitimate interest justification ground in all circumstances. An example is section 69 of POPIA, which requires consent for electronic direct marketing in certain specified circumstances, for example if you want to electronically market to someone who is not yet your customer. This means that if the intended marketing falls within the ambit of the section 69 consent requirements, the supplier will not be able to rely on the legitimate interest justification ground and will indeed need to obtain consent before being able to lawfully do the electronic marketing.

Sometimes you will need consent to do direct marketing. And sometimes you will be able to rely on your legitimate interests to do direct marketing. Make sure you understand your rights and obligations.

Please get in touch with us if you’d like advice on the specifics covered in this blog post or data protection laws in general. Although we are South African lawyers, we have experience in various data protection laws, including the GDPR, and the data protection acts of Mauritius and Botswana, amongst others.

The dos and don’ts of recording conversations

There are several reasons why a business may want to record its interactions or conversations with customers: improving customer service; ensuring that employees always treat customers in the best possible way; ensuring easy customer follow-up and resolution of disputes; demonstrating accountability to customers; and aiding reliable note-taking.

Several businesses may not, however, realise these benefits, as they are unsure of the legality and legal parameters of recording conversations. To clear up grey areas and enable you to grow and improve your business using all the tools available, we have set out the basics of recording conversations in South Africa.

Am I (or is my business) allowed to record conversations with customers?

While, in terms of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (“RICA”), the general rule is that no person may record a conversation without consent, the Act does set out certain exceptions to this rule. The exceptions include (and you can therefore record a conversation) where:

  • you are a party to the conversation (“single-party consent”);
  • you have the prior written consent of at least one of the parties to the conversation; or
  • the conversation relates to, or occurs in the course of, the carrying on of your business (“the business exception”).

It is important to note that the business exception is subject to further requirements in terms of RICA.

As a side note, certain businesses (specifically those in the financial services and intermediary industry) are legally required to record certain conversations with customers and to maintain such recordings for a statutory minimum period. This is however beyond the scope of this article.

Consent to record

As stated above, consent of at least one party to the communication is required when recording a conversation. This rule does not apply where the recorder is also a party to the conversation.

However, where a third party is recording the conversation, the third party must obtain informed consent from one of the parties to the conversation in order to legally record the conversation.

Guidelines for recording conversations

  • When recording conversations under the business exception, you are required to make all reasonable efforts, in advance, to inform all parties that you will be recording conversations. It is good business practice to ensure and be certain that all customers are aware when conversations are recorded.
  • Use reliable technology to record and store recordings of conversations – you want to make sure that your customers’ (and your business’s) information is protected! In this regard, ensure that any recordings and the storage thereof comply with all relevant laws (including, for example, the Protection of Personal Information Act 4 of 2013).
  • Maintain an effective storage system so that you can make the most use of your recorded conversations in developing your business.

This article serves only as a basic introduction to the topic of recording conversations, and legal advice should be sought in relation to specific circumstances.

2017 Budget Speech implications for the externalisation of intellectual property (IP)

Relaxing the South African (SA) Exchange Control Regulations, in relation to IP in particular, is crucial for many of our start-up clients (especially those operating in the software development and technology space). Up to now, SA resident companies could not export their IP to a non-resident unless the approval of the Financial Surveillance Department (FSD) of the South African Reserve Bank (SARB) was obtained. This proved to be an insurmountable hurdle for many companies trying to externalise their businesses by moving them “offshore” for any reason, including that of attracting foreign capital investment.

The Exchange Control Regulations provide that when a SA resident (natural or juristic person) enters into any transaction in terms of which capital, or any right to capital, is directly or indirectly exported (i.e. transferred by way of cession, assignment, sale, transfer or any other means) from South Africa to a non-resident (natural or juristic person), such transaction falls within the ambit of the Exchange Control Regulations.

The export of “capital” specifically includes any IP right (whether registered or unregistered), which means the Exchange Control Regulations must be considered when dealing with an externalisation of IP.

The reasoning behind this regulation is that the offshoring of assets or capital belonging to SA residents amounts to an exportation of assets or capital and therefore erodes the asset base of the SA resident by way of a transfer of ownership from a SA resident to a non-resident. While this reasoning may have seemed sound, the application of the Exchange Control Regulations to the export of IP has led to many negative and unintended consequences for SA companies, and start-ups in particular.

In the 2017 National Budget Review the Government proposed that SA residents would no longer need the SARB’s approval for “standard IP transactions”. It was also proposed that the “loop structure” restriction for all IP transactions be lifted, provided they are at arm’s length and at a fair market price. “Loop structure” restrictions prevent SA residents from holding any SA asset indirectly through a non-resident entity.

The SARB has started the process of relaxing the Exchange Control Regulations by issuing two circulars relating to IP. These latest amendments to the Currency and Exchanges Manual for Authorised Dealers mean that, under certain circumstances, approval for the exportation of IP can now be sought from Authorised Dealers (banks appointed by the Minister of Finance for exchange control purposes), as opposed to the FSD. This is good news for clients looking to restructure and offshore their IP, as the approval process should now be less administratively intense, less expensive and with faster turnaround times.

Approval can now be sought through an Authorised Dealer for:

  • a sale, transfer and assignment of IP;
  • by a SA resident;
  • to unrelated non-resident parties;
  • at an arm’s length and fair and market related price.

The Authorised Dealer will need to be presented with: (i) the sale, transfer or assignment agreement; (ii) an auditor’s letter or intellectual property valuation certificate confirming the basis for calculating the sale price; and (iii) anything required by the Authorised Dealer’s own additional internal requirements.

For the approval of the licensing of IP by a SA resident to non-resident parties at an arm’s length and fair, market-related price, the Authorised Dealer will need to be presented with: (i) the licensing agreement in question; (ii) an auditor’s letter confirming the basis for calculating the royalty or licence fee; and (iii) anything required by the Authorised Dealer’s own additional internal requirements.

The second set of amendments provides that private (unlisted) technology companies (among others) in South Africa may now establish companies offshore, without the requirement of a primary listing offshore, in order to raise foreign funding for their operations. This effectively means that “loop structures” can now be created to raise loans and capital offshore, and these companies may hold investments in South Africa. Note that there are still certain requirements that must be met, for example registration with the FSD.

Our commercial team has experience in making the necessary applications for exchange control approval. Feel free to get in touch if this is something on the horizon for your business.

POPI: First meeting for the Information Regulator

In our blog post on 7 November 2016 we referred you to the appointment of the members of the Information Regulator – which is an independent juristic person in terms of the Protection of Personal Information Act – commonly referred to as “POPI”. The Information Regulator will be responsible for monitoring and enforcing compliance with both POPI and the Promotion of Access to Information Act 2000 (PAIA).

The five members of the Information Regulator (the Chairperson, two full-time and two part-time members) have been appointed for a five-year period that commenced at the beginning of the month. According to a media statement issued by Adv. Tlakula (the Chairperson) on 2 December 2016, the Information Regulator held a meeting on 1 December 2016 to commence its functions and duties. It has been confirmed that the full-time member responsible for PAIA is Adv. Stroom-Nzama and the full-time member responsible for POPI is Adv. Weapond.

The POPI commencement date has not been confirmed yet, but the general view in the industry is that 24 May 2017 is the likely day, as this would mean that compliance with POPI will be required from the 25th of May 2018, which is also the date for compliance with the European Union’s General Data Protection Regulation.

In practice we are starting to see more clients focussing on POPI requirements and creating POPI awareness through training sessions and the implementation of amended policies and practices. It would probably be unrealistic to think that POPI will be a “quick fix” for all data concerns, but POPI will certainly play a big role in regulating the way in which companies manage data in future.

POPI News: Appointment of the Information Regulator

“Are you ready for POPI?” This question has been asked so many times in marketing material over the last couple of years. Answering this question has lately become very relevant, since the POPI Information Regulator has (at last) been appointed! Advocate Pansy Tlakula, former chairperson of the South African Independent Electoral Commission, has been appointed as the chairperson of the office of the Information Regulator. The remainder of the office is made up of four others: two full-time members and two part-time members. Advocate Cordelia Stroom and Johannes Weapond will fill the full-time positions, with Professor Tana Pistorius and Sizwe Snail as the part-time members. The office of the Information Regulator will be effective from 1 December 2016 and members will hold office for five years. They will be eligible for reappointment after the first five-year period.

The office of the Information Regulator has been granted widespread powers, amongst others to investigate alleged breaches of POPI, as the office provides a platform that data subjects can approach with any complaints.

With the appointment of the Information Regulator we are likely to receive a date for the commencement of POPI relatively soon. This will result in the remainder of the Act commencing and will grant responsible parties a “grace period” of one year from the effective date to become compliant with the Act. The sections of POPI which have already commenced are:

  • Section 1, the definitions clause;
  • Part A of Chapter 5, which deals with the establishment, staffing, powers and meetings of the Information Regulator;
  • Section 112 which authorises the Minister and Information Regulator to make regulations; and
  • Section 113, the procedure for making regulations.

The Information Regulator has been granted a budget by the Minister of Finance. This budget is to be used for the establishment and capacitation of the office. R10 million has been set aside for the 2016/2017 financial year, R26 million for the 2017/2018 financial year and R27 million for the following financial year.

What we can expect to happen next:

  1. Regulations will be promulgated; and
  2. the commencement date will be announced.

Contact us for more information on all POPI questions.

POPI series – Condition 8 – data subject participation

We are coming to the end of our POPI series. The first seven POPI Conditions for Lawful Processing have been discussed in detail in our previous articles, and this month it is time for a discussion of the eighth and final condition: Data Subject Participation. This condition comprises three elements, namely (i) access to personal information, (ii) correction of personal information and (iii) the manner in which the personal information is accessed.

Applicable POPI sections and commentary

The relevant sections of POPI applicable to “data subject participation” have been reproduced below with our commentary:

Access to Personal Information

Section 23: “Access to personal information.—

(1) A data subject, having provided adequate proof of identity, has the right to—

(a) request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

(b) request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

(2) If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.

(3) If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1) (b) to enable the responsible party to respond to a request, the responsible party—

(a) must give the applicant a written estimate of the fee before providing the services; and

(b) may require the applicant to pay a deposit for all or part of the fee.

(4) (a) A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.

(b) The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.

(5) If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4) (a), every other part must be disclosed.”

Commentary to Section 23 above:

  1. Data subjects have a right to access their personal information records and to receive copies of these records. This right is not, however, unlimited. A responsible party will have some discretion as to the process to be followed in allowing data subjects to request access to their information, as well as the means through which the data subject will be obliged to identify him/herself before being given access to their personal information. One method of regulating these requests may be through a responsible party’s PAIA manual or a similar ‘personal information request document’.
  2. If it appears that a responsible party is indeed in possession of certain information about a data subject, the data subject may request that responsible party to provide it with a record of this information.
  3. Within that record provided to the data subject, the responsible party will have to bring to the attention of the data subject that it has the right in terms of section 24 to request a correction to such information.
  4. Depending on the costs that a responsible party may have incurred, or anticipates incurring, in the process of providing the above information to the data subject, the responsible party may request reimbursement from the data subject.
  5. Where the provisions of the Promotion of Access to Information Act 4 of 2000 (“PAIA”) so permit, a responsible party may refuse to disclose particular information to the data subject. If, however, such right to refuse relates only to certain information, the remaining information (in respect of which PAIA permits disclosure) must be disclosed to the data subject.

Correction of Personal Information

Section 24: “Correction of personal information.—

(1) A data subject may, in the prescribed manner, request a responsible party to—

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.

(2) On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—

(a) correct the information;

(b) destroy or delete the information;

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or

(d) where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.

(3) If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.

(4) The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.”

Commentary to Section 24 above:

  1. After receiving a record of personal information from a responsible party in terms of section 23, a data subject may request the deletion or correction of such personal information.
  2. Any request made by a data subject should be made on the basis of the personal information in question being inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  3. If the data subject has requested the deletion or correction of its personal information in accordance with sections 23 and 24, the responsible party may do so. Alternatively, it may provide the data subject with credible evidence in support of the personal information. Where agreement cannot be reached and the responsible party believes it is entitled to retain the personal information, there may be circumstances in which a kind of disclaimer is attached to the information, informing users that a correction to this information has been requested but not made.
  4. If a responsible party has changed information in relation to a data subject, and this change has an impact on decisions that have been or will be taken in respect of that data subject, the responsible party must (if reasonably practicable) inform each person to whom that personal information has been disclosed of such change.

Manner of Access

Section 25: “Manner of access.—

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.”

Commentary to Section 25 above:

  1. This section provides that the data subject may make use of the relevant provisions in PAIA to make a request for personal information in terms of section 23 of POPI.
  2. In each PAIA request for personal information, there will need to be a procedure through which the responsible party appropriately identifies the data subject as the person to whom the relevant personal information relates.


Essentially, POPI’s Condition 8 aims to ensure practical and accessible transparency for data subjects in the processing of personal information. This transparency demands that a responsible party allows a data subject to have a say in the processing of the personal information in the possession or under the control of such responsible party. Ultimately, this all boils down to a responsible party’s responsibility to maintain up-to-date information registers and implement suitable controls, so that it is able to easily (i) identify what personal information is in its possession or under its control; (ii) identify to whom that personal information relates; and (iii) update such personal information.

POPI series – Condition 7 – information security

The purpose of the Protection of Personal Information Act 4 of 2013 (“POPI”) is not to prohibit the processing of Personal Information (“PI”) per se. One of the purposes of POPI is rather to regulate the processing of PI, including by prescribing that organisations must implement appropriate safeguards to ensure that the PI processed is protected and secured.

This month our focus is on Condition 7, which pertains to Security Safeguards. In essence, this condition requires organisations to secure the integrity and confidentiality of all PI in their possession or under their control. This is achieved by implementing appropriate and reasonable security measures.

We discuss the practical implications in the paragraphs below, but also note our high-level comments on the POPI sections in square brackets.

Section 19

“Security measures on integrity and confidentiality of personal information.—

(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information. [This is the general obligation on the responsible party to take steps to secure personal information.]

(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. [This is a continual obligation to identify security risks on an ongoing basis and implement measures to reduce risks so identified.]

(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.” [POPI does not provide a “tick list” of security requirements to meet. Responsible parties must consider applicable industry security practices and then implement security measures appropriate for the business.]

Section 20:

“Information processed by operator or person acting under authority.—

An operator or anyone processing personal information on behalf of a responsible party or an operator, must—

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.” [This is the limitation on operators – they may not use personal information received from the responsible party for their own purposes outside of the scope of the contract with the responsible party.]

Section 21: “Security measures regarding information processed by operator.—

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. [There is a duty on the responsible party to regulate the relationship with the operator by written contract.]

(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.” [Operators to note this duty to report unauthorised access.]

Different requirements will need to be considered, depending on whether you are acting as a responsible party or an operator.

As a responsible party you will have an ongoing obligation to safeguard the PI in your possession from being destroyed unlawfully, accessed unlawfully, lost or damaged. This obligation requires your organisation to have reasonable technical and organisational measures in place to protect PI under your control or in your possession. Organisational and technical measures include, for example, measures by which organisations restrict unauthorised individuals from entering their premises, and controls through which organisations restrict access rights and the usage of their networks, devices, etc.

There is also an ongoing obligation on organisations to identify new risks. These should be prioritized according to the threat posed.

Practical controls or processes in response to risks identified, could include the following:

  • Review of access rights on an ongoing basis;
  • Ownership for PI;
  • Physical access controls;
  • Computer/ device passwords;
  • Firewalls;
  • Encryption;
  • Remote destruction;
  • Anti-virus programs;
  • Exit process.

Most organisations have been implementing some of these measures to secure PI since long before POPI was even enacted. Condition 7 of POPI will require organisations to review their current processes and implement additional processes where the need is identified.

If your organisation outsources any functions involving the processing of personal information to a third party operator, you will still remain responsible for the processing of the PI. You also have the obligation in terms of POPI to regulate your relationship with the operator by way of written contract to ensure that the operator provides the service in accordance with POPI requirements.

In terms of POPI there is a duty on responsible parties to regularly consider whether there are any new risks and then implement processes to address the risks identified.

As an operator, it is very important to understand that you cannot do with the personal information received from the responsible party as and how you want to. The responsible party as the custodian of the information will authorise you to only use the information for the purposes of the service that you are rendering to the responsible party. You cannot use the information for any of your own purposes.


In terms of POPI you cannot keep quiet and hope that no one will ever find out. The law puts an obligation on you to report the breach.

In terms of section 22: Notification of security compromises.—

(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—

(a) the Regulator; and

(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The law also determines that the notification to the data subject must be in writing and communicated in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.


In preparation for POPI you should consider your current processes, access rights and security measures. It is likely that some of these may need to be reviewed and new processes implemented to ensure compliance. Remember that POPI does not provide a defined list of measures to implement, so consider applicable industry standards and make sure that you can comply with this important Condition 7.

POPI series – condition 6 – openness


We have now passed the halfway mark of our POPI Series and the next exciting topic in the series is that of “Openness” or “Notification”. In our view, Notification is one of the most challenging provisions of POPI. This condition will most definitely require responsible parties to change current processes and possibly develop new processes to ensure compliance.

In this article, we are going to try to focus on the practical implementation of this condition.

This condition is premised on two primary elements, namely:

  • Documentation; and
  • Notification to the Data Subject.

This condition must not be confused with the “prior notification” sections (sections 57 and 58), in terms whereof a responsible party needs to notify the Information Regulator of certain processing actions before it can process the personal information. This will be discussed in a separate article in future.

Relevant sections and practical implications.

Let’s first look at the requirements of section 17:


“A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.”

In terms of this section, a responsible party must consider the provisions of sections 14 or 51 of the Promotion of Access to Information Act 2000 (“PAIA”). Note that for private bodies, section 51 will apply. In terms of section 51 of PAIA certain private bodies need to disclose specified information through a manual – generally referred to as a PAIA Manual. Note that POPI will be amending the PAIA to provide for additional information that must be included in a company’s PAIA manual.

It is not difficult to comply with section 17 and responsible parties must remember to amend their PAIA manuals to include the required information.

Now we turn to the provisions of section 18, which will be more challenging to comply with.

“Notification to data subject when collecting personal information.—

(1) If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—

(a) the information being collected and where the information is not collected from the data subject, the source from which it is collected;

(b) the name and address of the responsible party;

(c) the purpose for which the information is being collected;

(d) whether or not the supply of the information by that data subject is voluntary or mandatory;

(e) the consequences of failure to provide the information;

(f) any particular law authorising or requiring the collection of the information;

(g) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;

(h) any further information such as the—

(i) recipient or category of recipients of the information;

(ii) nature or category of the information;

(iii) existence of the right of access to and the right to rectify the information collected;

(iv) the existence of the right to object to the processing of personal information as referred to in section 11 (3); and

(v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.

(2) The steps referred to in subsection (1) must be taken—

(a) if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or

(b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

(3) A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.

(4) It is not necessary for a responsible party to comply with subsection (1) if—

(a) the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;

(b) non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

(iii) for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or

(iv) in the interests of national security;

(d) compliance would prejudice a lawful purpose of the collection;

(e) compliance is not reasonably practicable in the circumstances of the particular case; or

(f) the information will—

(i) not be used in a form in which the data subject may be identified; or

(ii) be used for historical, statistical or research purposes”

From the above it follows that in terms of this condition, a responsible party has an obligation to notify a data subject of certain specified information each time that information about the data subject is collected, from whichever source, unless the responsible party can rely on one of the exceptions to the general rule, in terms whereof it can justify why notification is not necessary.

Why did the legislator include this section? Compliance with this section will clearly be very onerous on business and could also be a costly exercise.

We believe that some of the main reasons for including this section are the following:

  • Currently information flows between companies without data subjects ever realising what is happening with their information.
  • Data subjects provide their personal information to companies for specific reasons, but companies often take the information and do with it whatever they want to, including using it for reasons that would never have been intended by the data subject.
  • Data subjects do not know which companies hold their personal information.

In terms of this section 18, companies will therefore need to inform data subjects of the reasons for which they would use the data subject’s information. They also need to inform them of the type of companies with whom the personal information will be shared, including where information will be shared with third party service providers who will have access to the information or receive the information for processing on behalf of the responsible party.

When do you need to notify data subjects? According to POPI this must happen even before you collect the information – if you collect it directly from the data subject, or if not directly from the data subject, before you collect or as soon as reasonably possible after you have collected it.

How do you need to notify the data subject? POPI does not provide exact details on how this notification needs to take place. Once the Regulator has been set up, we may get a better idea of the expectations around ways to notify. Currently it seems that the most popular way would be to include the information in privacy policies. This is not a no-go, but without the data subject knowing about the privacy policy and the notification information provided through the policy, it may have little effect. The proposed solution is to include a specific reference to the policy in your customer terms, application forms, or other applicable documentation and then include the majority of the required information in the actual policy.

By far the biggest challenge will come in where information is not collected directly from the data subject. This happens on a daily basis and a few examples include:

  • Collecting information about a relative / friend of your customer
  • Collecting information from the credit bureau
  • Collecting information from third party data suppliers
  • Collecting information from fraud databases
  • Collecting information from other companies within your group of companies
  • Collecting information from business partners

As you would have seen from subsection (4) quoted above, in some instances you do not need to comply with the notification requirements. We however urge businesses to consider the exceptions very carefully and not to rely flippantly on something like “it is not reasonably practicable” to notify, without properly determining whether it would really be possible to rely on the exception. Merely taking the view that it would be “very costly” to comply is unlikely to be “good enough” to justify non-compliance.


It’s evident that the POPI conditions or requirements are closely connected to one another. Notification, for example, links in with purpose specification. In terms of Condition 3, you need to specify the purposes for which you intend to use the personal information. In terms of Condition 6, you need to tell the data subject what these purposes are that you identified in terms of Condition 3.

Remember to update your PAIA manual to include the required information in terms of POPI.

Consider all situations where you collect personal information and consider how you will notify. You may be able in some instances to rely on an exception and decide not to notify. Document those decisions and explain your justification for record purposes.

For any assistance with this challenging condition, please contact Jana van Zyl at jana@dommisseattorneys.co.za

POPI series – condition 5 – information quality


Let’s recap: we have previously discussed Conditions 1-4 of the Protection of Personal Information Act 4 of 2013 (“POPI”), dealing with Accountability, Lawful Processing, Purpose Specification and Further Processing Limitations. In this month’s POPI series, we are going to discuss Condition 5 which deals with the Information Quality.


In terms of section 16:

“Quality of information—

  1. A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  2. In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.”

In terms of this Condition 5, a responsible party is required to take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. This requirement is applicable to personal information collected both manually and electronically. POPI does not provide further details on what reasonably practicable steps would mean and therefore each business will need to consider its operations and decide which steps and processes it would implement to reasonably keep personal information updated.

In terms of subsection (2), the purpose of collection and processing must be considered when deciding on the steps to be taken to update information. This is an example of how the POPI Conditions work together – purpose specification is an obligation in terms of Condition 3 but should also be considered for compliance with Condition 5. In essence the decision of the responsible party in relation to the quality of the personal information as well as the reasonably practicable steps to be taken is directly linked to the purpose for which the personal information was collected.

Data subjects should also take responsibility and could be requested to advise responsible parties of a change in their details where applicable. This could, for example, be regulated with the data subject (if it is a customer) in the customer contract or in the general user terms and conditions.

Other examples of possible processes to update information include call centre interaction (each time you speak to the customer, ask whether their details have changed) or providing online access to customer accounts (if your business allows for this), through which the customer can log in and update their own details.


In order for organisations to comply with the requirements of Condition 5, they would firstly need to identify the purpose for which they intend to use the information, and then implement reasonable processes to make sure that data subjects have access to processes through which their current information can be updated where required.