Section 6 Exclusions

  1. This Act does not apply to the processing of personal information—
    1. in the course of a purely personal or household activity;
    2. that has been de-identified to the extent that it cannot be re-identified again;
    3. by or on behalf of a public body—
      1. which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
      2. the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
    4. by the Cabinet and its committees or the Executive Council of a province; or
    5. relating to the judicial functions of a court referred to in section 166 of the Constitution.
  2. “Terrorist and related activities”, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).

Section 26 Prohibition on processing of special personal information

  1. A responsible party may, subject to section 27, not process personal information concerning—
    1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
    2. the criminal behaviour of a data subject to the extent that such information relates to—
      1. the alleged commission by a data subject of any offence; or
      2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Section 57 Processing subject to prior authorisation

  1. The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
    1. process any unique identifiers of data subjects—
      1. for a purpose other than the one for which the identifier was specifically intended at collection; and
      2. with the aim of linking the information together with information processed by other responsible parties;
    2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    3. process information for the purposes of credit reporting; or
    4. transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
  2. The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
  3. This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
  4. A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).