Section 57 Processing subject to prior authorisation

  1. The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
    1. process any unique identifiers of data subjects—
      1. for a purpose other than the one for which the identifier was specifically intended at collection; and
      2. with the aim of linking the information together with information processed by other responsible parties;
    2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    3. process information for the purposes of credit reporting; or
    4. transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
  2. The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
  3. This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
  4. A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Section 105 Unlawful acts by responsible party in connection with account number

  1. A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.
  2. The contravention referred to in subsection (1) must—
    1. be of a serious or persistent nature; and
    2. likely cause substantial damage or distress to the data subject.
  3. The responsible party must—
    1. have known or ought to have known that—
      1. there was a risk that the contravention would occur; or
      2. such contravention would likely cause substantial damage or distress to the data subject; and
    2. have failed to take reasonable steps to prevent the contravention.
  4. Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.
  5. “Account number”, for purposes of this section and section 106, means any unique identifier that has been assigned—
    1. to one data subject only; or
    2. jointly to more than one data subject,
     by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.

Section 107 Penalties

  1. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
    1. section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
    2. section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.