Section 56 Designation and delegation of deputy information officers

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

  1. such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
  2. any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Section 57 Processing subject to prior authorisation

  1. The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
    1. process any unique identifiers of data subjects—
      1. for a purpose other than the one for which the identifier was specifically intended at collection; and
      2. with the aim of linking the information together with information processed by other responsible parties;
    2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    3. process information for the purposes of credit reporting; or
    4. transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
  2. The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
  3. This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
  4. A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Section 58 Responsible party to notify Regulator if processing is subject to prior authorisation

  1. Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator.
  2. Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.
  3. In the case of the notification of information processing to which section 57(1) is applicable, the Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation.
  4. In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.
  5. On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.
  6. A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful, is deemed to be an enforcement notice served in terms of section 95 of this Act.
  7. A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsections (3) and (4), may presume a decision in its favour and continue with its processing.

Section 69 Direct marketing by means of unsolicited electronic communications

  1. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
    1. has given his, her or its consent to the processing; or
    2. is, subject to subsection (3), a customer of the responsible party.
  2.
    1. A responsible party may approach a data subject—
      1. whose consent is required in terms of subsection (1)(a); and
      2. who has not previously withheld such consent,
      only once in order to request the consent of that data subject.
    2. The data subject’s consent must be requested in the prescribed manner and form.
  3. A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
    1. if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
    2. for the purpose of direct marketing of the responsible party’s own similar products or services; and
    3. if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
      1. at the time when the information was collected; and
      2. on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
  4. Any communication for the purpose of direct marketing must contain—
    1. details of the identity of the sender or the person on whose behalf the communication has been sent; and
    2. an address or other contact details to which the recipient may send a request that such communications cease.
  5. “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.

Section 71 Automated decision making

  1. Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
  2. The provisions of subsection (1) do not apply if the decision—
    1. has been taken in connection with the conclusion or execution of a contract, and—
      1. the request of the data subject in terms of the contract has been met; or
      2. appropriate measures have been taken to protect the data subject’s legitimate interests; or
    2. is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.
  3. The appropriate measures, referred to in subsection (2)(a)(ii), must—
    1. provide an opportunity for a data subject to make representations about a decision referred to in subsection (1); and
    2. require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make representations in terms of paragraph (a).