- (1) This Act does not apply to the processing of personal information—
  - in the course of a purely personal or household activity;
  - that has been de-identified to the extent that it cannot be re-identified again;
  - by or on behalf of a public body—
    - which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
    - the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
  - by the Cabinet and its committees or the Executive Council of a province; or
  - relating to the judicial functions of a court referred to in section 166 of the Constitution.
- “Terrorist and related activities”, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).
- Personal information may only be processed if—
  - the data subject or a competent person where the data subject is a child consents to the processing;
  - processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  - processing complies with an obligation imposed by law on the responsible party;
  - processing protects a legitimate interest of the data subject;
  - processing is necessary for the proper performance of a public law duty by a public body; or
  - processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
- The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
- A data subject may object, at any time, to the processing of personal information—
  - in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
  - for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
- If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.
- Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
- Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
- The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by—
  - medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
  - insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for—
    - assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
    - the performance of an insurance or medical scheme agreement; or
    - the enforcement of any contractual rights and obligations;
  - schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
  - any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
  - any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or
  - administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—
    - the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
    - the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
- In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
- A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).
- The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.
- Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—
  - a serious medical interest prevails; or
  - the processing is necessary for historical, statistical or research activity.
- More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).
- The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case—
  - the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or
  - the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
- The public interest referred to in subsection (1) includes—
  - the interests of national security;
  - the prevention, detection and prosecution of offences;
  - important economic and financial interests of a public body;
  - fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c);
  - historical, statistical or research activity; or
  - the special importance of the interest in freedom of expression.
- The Regulator may impose reasonable conditions in respect of any exemption granted under subsection (1).
- Personal information processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15 and 18 in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.
- “Relevant function” for purposes of subsection (1), means any function—
  - of a public body; or
  - conferred on any person in terms of the law,

  which is performed with the view to protecting members of the public against
    - financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
    - dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.
- The Regulator may from time to time issue codes of conduct.
- A code of conduct must—
  - incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
  - prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
- A code of conduct may apply in relation to any one or more of the following:
  - Any specified information or class of information;
  - any specified body or class of bodies;
  - any specified activity or class of activities; or
  - any specified industry, profession, or vocation or class of industries, professions, or vocations.
- A code of conduct must also—
  - specify appropriate measures—
    - for information matching programmes if such programmes are used within a specific sector; or
    - for protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in section 71, is concerned;
  - provide for the review of the code by the Regulator; and
  - provide for the expiry of the code.