- A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—
- to be notified that—
- to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
- to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
- to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
- to object to the processing of his, her or its personal information—
- not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
- not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
- to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
- to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.
Category: Risks of non-compliance
Section 59 Failure to notify processing subject to prior authorisation
Section 68 Effect of failure to comply with code of conduct
If a code issued under section 60 is in force, failure to comply with the code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and is dealt with in terms of Chapter 10.
Section 73 Interference with protection of personal information of data subject
- For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—
Section 95 Enforcement notice
- If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:
- to take specified steps within a period specified in the notice, or to refrain from taking such steps; or
- to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.
- An enforcement notice must contain—
- a statement indicating the nature of the interference with the protection of the personal information of the data subject and the reasons for reaching that conclusion; and
- particulars of the rights of appeal conferred by section 97.
- Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
- If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.
- A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of three days beginning with the day on which the notice is served.
Section 99 Civil remedies
- A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
- In the event of a breach the responsible party may raise any of the following defences against an action for damages:
- vis major;
- consent of the plaintiff;
- fault on the part of the plaintiff;
- compliance was not reasonably practicable in the circumstances of the particular case; or
- the Regulator has granted an exemption in terms of section 37.
- A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—
- payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;
- aggravated damages, in a sum determined in the discretion of the Court;
- interest; and
- costs of suit on such scale as may be determined by the Court.
- Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
- the full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;
- as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and
- the balance, if any (in this section referred to as the “distributable balance”), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.
- Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4), accrue to the Regulator in the Regulator’s official capacity.
- The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
- A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.
- Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.
- If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.
Section 105 Unlawful acts by responsible party in connection with account number
- A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence.
- The contravention referred to in subsection (1) must—
- be of a serious or persistent nature; and
- likely cause substantial damage or distress to the data subject.
- The responsible party must—
- have known or ought to have known that—
- there was a risk that the contravention would occur; or
- such contravention would likely cause substantial damage or distress to the data subject; and
- have failed to take reasonable steps to prevent the contravention.
- Whenever a responsible party is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that he or she has taken all reasonable steps to comply with the provisions of section 8.
- “Account number”, for purposes of this section and section 106, means any unique identifier that has been assigned—
- to one data subject only; or
- jointly to more than one data subject,
- by a financial or other institution which enables the data subject, referred to in paragraph (a), to access his, her or its own funds or to access credit facilities or which enables a data subject, referred to in paragraph (b), to access joint funds or to access joint credit facilities.
Section 106 Unlawful acts by third parties in connection with account number
- A person who knowingly or recklessly, without the consent of the responsible party—
- obtains or discloses an account number of a data subject; or
- procures the disclosure of an account number of a data subject to another person,
- is, subject to subsection (2), guilty of an offence.
- Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—
- the obtaining, disclosure or procuring of the account number was—
- necessary for the purpose of the prevention, detection, investigation or proof of an offence; or
- required or authorised in terms of the law or in terms of a court order;
- he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;
- he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or
- in the particular circumstances the obtaining, disclosing or procuring was in the public interest.
- A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.
- A person who offers to sell the account number of a data subject which that person—
- has obtained; or
- subsequently obtained,
- in contravention of subsection (1), is guilty of an offence.
- For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.
Section 107 Penalties
- Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
- section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
- section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
Section 108 Magistrate’s Court jurisdiction to impose penalties
Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.