Section 57 Processing subject to prior authorisation

  1. The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
    1. process any unique identifiers of data subjects —
      1. for a purpose other than the one for which the identifier was specifically intended at collection; and
      2. with the aim of linking the information together with information processed by other responsible parties;
    2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    3. process information for the purposes of credit reporting; or
    4. transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
  2. The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
  3. This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
  4. A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Section 60 Issuing of codes of conduct

  1. The Regulator may from time to time issue codes of conduct.
  2. A code of conduct must—
    1. incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
    2. prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
  3. A code of conduct may apply in relation to any one or more of the following:
    1. Any specified information or class of information;
    2. any specified body or class of bodies;
    3. any specified activity or class of activities; or
    4. any specified industry, profession, or vocation or class of industries, professions, or vocations.
  4. A code of conduct must also—
    1. specify appropriate measures—
      1. for information matching programmes if such programmes are used within a specific sector; or
      2. for protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in section 71, is concerned;
    2. provide for the review of the code by the Regulator; and
    3. provide for the expiry of the code.

Section 71 Automated decision making

  1. Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
  2. The provisions of subsection (1) do not apply if the decision—
    (a) has been taken in connection with the conclusion or execution of a contract, and—
      (i) the request of the data subject in terms of the contract has been met; or
      (ii) appropriate measures have been taken to protect the data subject’s legitimate interests; or
    (b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
  3. The appropriate measures, referred to in subsection (2)(a)(ii), must—
    (a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and
    (b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).

Section 73 Interference with protection of personal information of data subject

  1. For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—
    1. any breach of the conditions for the lawful processing of personal information as referred to in Chapter 3;
    2. non-compliance with section 22, 54, 69, 70, 71 or 72; or
    3. a breach of the provisions of a code of conduct issued in terms of section 60.

Section 99 Civil remedies

  1. A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
  2. In the event of a breach the responsible party may raise any of the following defences against an action for damages:
    1. vis major;
    2. consent of the plaintiff;
    3. fault on the part of the plaintiff;
    4. compliance was not reasonably practicable in the circumstances of the particular case; or
    5. the Regulator has granted an exemption in terms of section 37.
  3. A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—
    1. payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;
    2. aggravated damages, in a sum determined in the discretion of the Court;
    3. interest; and
    4. costs of suit on such scale as may be determined by the Court.
  4. Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
    1. the full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;
    2. as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and
    3. the balance, if any (in this section referred to as the “distributable balance”), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.
  5. Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4) accrues to the Regulator in the Regulator’s official capacity.
  6. The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
  7. A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.
  8. Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.
  9. If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.