Section 106 Unlawful acts by third parties in connection with account number

  1. A person who knowingly or recklessly, without the consent of the responsible party—
    1. obtains or discloses an account number of a data subject; or
    2. procures the disclosure of an account number of a data subject to another person,
     is, subject to subsection (2), guilty of an offence.
  2. Whenever a person is charged with an offence under subsection (1), it is a valid defence to such a charge to contend that—
    1. the obtaining, disclosure or procuring of the account number was—
      1. necessary for the purpose of the prevention, detection, investigation or proof of an offence; or
      2. required or authorised in terms of the law or in terms of a court order;
    2. he or she acted in the reasonable belief that he or she was legally entitled to obtain or disclose the account number or, as the case may be, to procure the disclosure of the account number to the other person;
    3. he or she acted in the reasonable belief that he or she would have had the consent of the responsible party if the responsible party had known of the obtaining, disclosing or procuring and the circumstances of it; or
    4. in the particular circumstances the obtaining, disclosing or procuring was in the public interest.
  3. A person who sells an account number which he or she has obtained in contravention of subsection (1), is guilty of an offence.
  4. A person who offers to sell the account number of a data subject which that person
    1. has obtained; or
    2. subsequently obtained,
     in contravention of subsection (1), is guilty of an offence.
  5. For the purposes of subsection (4), an advertisement indicating that an account number of a data subject is or may be for sale is an offer to sell the information.

Section 107 Penalties

  1. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of—
    1. section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment; or
    2. section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.

Section 109 Administrative fines

  1. If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person (hereinafter referred to as the infringer) an infringement notice which must contain the particulars contemplated in subsection (2).
  2. A notice referred to in subsection (1) must—
    1. specify the name and address of the infringer;
    2. specify the particulars of the alleged offence;
    3. specify the amount of the administrative fine payable, which amount may, subject to subsection (10), not exceed R10 million;
    4. inform the infringer that, not later than 30 days after the date of service of the infringement notice, the infringer may—
      1. pay the administrative fine;
      2. make arrangements with the Regulator to pay the administrative fine in instalments; or
      3. elect to be tried in court on a charge of having committed the alleged offence referred to in terms of this Act; and
    5. state that a failure to comply with the requirements of the notice within the time permitted, will result in the administrative fine becoming recoverable as contemplated in subsection (5).
  3. When determining an appropriate fine, the Regulator must consider the following factors:
    1. the nature of the personal information involved;
    2. the duration and extent of the contravention;
    3. the number of data subjects affected or potentially affected by the contravention;
    4. whether or not the contravention raises an issue of public importance;
    5. the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;
    6. whether the responsible party or a third party could have prevented the contravention from occurring;
    7. any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and
    8. whether the responsible party has previously committed an offence in terms of this Act.
  4. If an infringer elects to be tried in court on a charge of having committed the alleged offence in terms of this Act, the Regulator must hand the matter over to the South African Police Service and inform the infringer accordingly.
  5. If an infringer fails to comply with the requirements of a notice, the Regulator may file with the clerk or registrar of any competent court a statement certified by it as correct, setting forth the amount of the administrative fine payable by the infringer, and such statement thereupon has all the effects of a civil judgment lawfully given in that court in favour of the Regulator for a liquid debt in the amount specified in the statement.
  6. The Regulator may not impose an administrative fine contemplated in this section if the responsible party concerned has been charged with an offence in terms of this Act in respect of the same set of facts.
  7. No prosecution may be instituted against a responsible party if the responsible party concerned has paid an administrative fine in terms of this section in respect of the same set of facts.
  8. An administrative fine imposed in terms of this section does not constitute a previous conviction as contemplated in Chapter 27 of the Criminal Procedure Act, 1977 (Act No. 51 of 1977).
  9. A fine payable in terms of this section must be paid into the National Revenue Fund referred to in section 213 of the Constitution.
  10. The Minister may, from time to time and after consultation with the Regulator, by notice in the Gazette, adjust the amount referred to in subsection (2)(c) in accordance with the average of the consumer price index, as published from time to time in the Gazette, for the immediately preceding period of 12 months multiplied by the number of years that the amount referred to in subsection (2)(c) has remained the same.