Section 2 Purpose of Act

The purpose of this Act is to —

  1. give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
    1. balancing the right to privacy against other rights, particularly the right of access to information; and
    2. protecting important interests, including the free flow of information within the Republic and across international borders;
  2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
  4. establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

Section 4 Lawful processing of personal information

  1. The conditions for the lawful processing of personal information by or for a responsible party are the following:
    1. ‘‘Accountability’’, as referred to in section 8;
    2. ‘‘Processing limitation’’, as referred to in sections 9 to 12;
    3. ‘‘Purpose specification’’, as referred to in sections 13 and 14;
    4. ‘‘Further processing limitation’’, as referred to in section 15;
    5. ‘‘Information quality’’, as referred to in section 16;
    6. ‘‘Openness’’, as referred to in sections 17 and 18;
    7. ‘‘Security safeguards’’, as referred to in sections 19 to 22; and
    8. ‘‘Data subject participation’’, as referred to in sections 23 to 25.
  2. The conditions, as referred to in subsection (1), are not applicable to the processing of personal information to the extent that such processing is—
    1. excluded, in terms of section 6 or 7, from the operation of this Act; or
    2. exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.
  3. The processing of the special personal information of a data subject is prohibited in terms of section 26, unless the—
    1. provisions of sections 27 to 33 are applicable; or
    2. Regulator has granted an authorisation in terms of section 27(2), in which case, subject to section 37 or 38, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  4. The processing of the personal information of a child is prohibited in terms of section 34, unless the—
    1. provisions of section 35(1) are applicable; or
    2. Regulator has granted an authorisation in terms of section 35(2), in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  5. The processing of the special personal information of a child is prohibited in terms of sections 26 and 34 unless the provisions of sections 27 and 35 are applicable in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
  6. The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing by any means are reflected in Chapter 3, read with section 69 insofar as that section relates to direct marketing by means of unsolicited electronic communications.
  7. Sections 60 to 68 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.

Section 11 Consent, justification and objection

  1. Personal information may only be processed if—
    1. the data subject or a competent person where the data subject is a child consents to the processing;
    2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    3. processing complies with an obligation imposed by law on the responsible party;
    4. processing protects a legitimate interest of the data subject;
    5. processing is necessary for the proper performance of a public law duty by a public body; or
    6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
    1. The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
    2. The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
  2. A data subject may object, at any time, to the processing of personal information—
    1. in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    2. for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
  3. If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

Section 18 Notification to data subject when collecting personal information

  1. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
    1. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    2. the name and address of the responsible party;
    3. the purpose for which the information is being collected;
    4. whether or not the supply of the information by that data subject is voluntary or mandatory;
    5. the consequences of failure to provide the information;
    6. any particular law authorising or requiring the collection of the information;
    7. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    8. any further information such as the—
      1. recipient or category of recipients of the information;
      2. nature or category of the information;
      3. existence of the right of access to and the right to rectify the information collected;
      4. existence of the right to object to the processing of personal information as referred to in section 11(3); and
      5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  2. The steps referred to in subsection (1) must be taken—
    1. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
    2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
  3. A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
  4. It is not necessary for a responsible party to comply with subsection (1) if—
    1. the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    2. non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    3. non-compliance is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. compliance would prejudice a lawful purpose of the collection;
    5. compliance is not reasonably practicable in the circumstances of the particular case; or
    6. the information will—
      1. not be used in a form in which the data subject may be identified; or
      2. be used for historical, statistical or research purposes.