ACT

To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.

PREAMBLE

RECOGNISING THAT—

  • section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

AND BEARING IN MIND THAT—

  • consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

AND IN ORDER TO—

  • regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,

PARLIAMENT of the Republic of South Africa therefore enacts, as follows:—

Section 5 Rights of data subjects

  A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
    (a) to be notified that—
      (i) personal information about him, her or it is being collected as provided for in terms of section 18; or
      (ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
    (b) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
    (c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
    (d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
    (e) to object to the processing of his, her or its personal information—
      (i) at any time for purposes of direct marketing in terms of section 11(3)(b); or
      (ii) in terms of section 69(3)(c);
    (f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
    (g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
    (h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
    (i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Section 11 Consent, justification and objection

  (1) Personal information may only be processed if—
    (a) the data subject or a competent person where the data subject is a child consents to the processing;
    (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    (c) processing complies with an obligation imposed by law on the responsible party;
    (d) processing protects a legitimate interest of the data subject;
    (e) processing is necessary for the proper performance of a public law duty by a public body; or
    (f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  (2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
    (b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
  (3) A data subject may object, at any time, to the processing of personal information—
    (a) in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    (b) for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
  (4) If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

Section 12 Collection directly from data subject

  (1) Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
  (2) It is not necessary to comply with subsection (1) if—
    (a) the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    (b) the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    (c) collection of the information from another source would not prejudice a legitimate interest of the data subject;
    (d) collection of the information from another source is necessary—
      (i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      (ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      (iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      (iv) in the interests of national security; or
      (v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    (e) compliance would prejudice a lawful purpose of the collection; or
    (f) compliance is not reasonably practicable in the circumstances of the particular case.

Section 27 General authorisation concerning special personal information

  (1) The prohibition on processing personal information, as referred to in section 26, does not apply if the—
    (a) processing is carried out with the consent of a data subject referred to in section 26;
    (b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    (c) processing is necessary to comply with an obligation of international public law;
    (d) processing is for historical, statistical or research purposes to the extent that—
      (i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      (ii) it appears to be impossible or would involve a disproportionate effort to ask for consent,
    and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
    (e) information has deliberately been made public by the data subject; or
    (f) provisions of sections 28 to 33 are, as the case may be, complied with.
  (2) The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.
  (3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).

Section 30 Authorisation concerning data subject’s trade union membership

  (1) The prohibition on processing personal information concerning a data subject’s trade union membership, as referred to in section 26, does not apply to the processing by the trade union to which the data subject belongs or the trade union federation to which that trade union belongs, if such processing is necessary to achieve the aims of the trade union or trade union federation.
  (2) In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.

Section 69 Direct marketing by means of unsolicited electronic communications

  (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
    (a) has given his, her or its consent to the processing; or
    (b) is, subject to subsection (3), a customer of the responsible party.
  (2) (a) A responsible party may approach a data subject—
      (i) whose consent is required in terms of subsection (1)(a); and
      (ii) who has not previously withheld such consent,
    only once in order to request the consent of that data subject.
    (b) The data subject’s consent must be requested in the prescribed manner and form.
  (3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
    (a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
    (b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
    (c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
      (i) at the time when the information was collected; and
      (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
  (4) Any communication for the purpose of direct marketing must contain—
    (a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
    (b) an address or other contact details to which the recipient may send a request that such communications cease.
  (5) “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

Section 72 Transfers of personal information outside Republic

  (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—
    (a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that—
      (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and
      (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
    (b) the data subject consents to the transfer;
    (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
    (e) the transfer is for the benefit of the data subject, and—
      (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
      (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
  (2) For the purpose of this section—
    (a) “binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
    (b) “group of undertakings” means a controlling undertaking and its controlled undertakings.

Section 99 Civil remedies

  (1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
  (2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:
    (a) vis major;
    (b) consent of the plaintiff;
    (c) fault on the part of the plaintiff;
    (d) compliance was not reasonably practicable in the circumstances of the particular case; or
    (e) the Regulator has granted an exemption in terms of section 37.
  (3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—
    (a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;
    (b) aggravated damages, in a sum determined in the discretion of the Court;
    (c) interest; and
    (d) costs of suit on such scale as may be determined by the Court.
  (4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
    (a) the full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;
    (b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and
    (c) the balance, if any (in this section referred to as the “distributable balance”), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.
  (5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4), accrue to the Regulator in the Regulator’s official capacity.
  (6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
  (7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.
  (8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.
  (9) If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.