Globally active
October 20, 2017
The Protection of Personal Information Act (“POPI Act”)
Austrian Business Chamber
© Rödl & Partner 2 October 20, 2017
Agenda
01 Rödl & Partner
02 Overview of POPI
03 Key Terms
04 What is Personal Information?
05 Eight conditions for the lawful processing of Personal Information
06 Special Personal Information
07 Trans-border Information
08 Direct Marketing
09 Information Regulator
10 Enforcement
11 Offences and Penalties
12 Practical steps to POPI compliance
13 Contact
We are a one-of-a-kind success story from Germany
Founded in 1977 as a single practice in Nuremberg
4,500 colleagues in 108 wholly-owned offices worldwide in 2017
ONE firm, no network or franchise system
Your one-stop shop: legal, tax, tax declaration and BPO, management and IT consulting, audit
Committed to internationally active German family businesses
Made in Germany
About Rödl & Partner in Africa
Partner network in Africa: Algeria, Angola, Botswana, Cameroon, DRC, Djibouti, Ivory Coast, Ghana, Libya, Madagascar, Mali, Mauritius, Morocco, Mozambique, Namibia, North Sudan, Republic of Congo, Rwanda, Senegal, Tanzania, Tunisia, Uganda, Zambia, Zimbabwe
Offices in Africa: South Africa, Kenya, Ethiopia, Egypt, Nigeria
Overview of POPI
First universal act in South Africa concerning the protection of personal information
Purpose: to give effect to the constitutional right to privacy
All businesses that process personal information must be compliant
Only certain chapters of POPI are currently in effect
Draft regulations (including certain forms) are currently out for public comment
Businesses have 1 (one) year from date of commencement to comply with POPI
POPI also applies to personal information collected before the commencement date
Key Terms
Responsible Party: a private or public body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
Information Officer: head of the entity, responsible for POPI compliance within the Responsible Party
Operator: a person who processes personal information for the Responsible Party
Data Subject: the person to whom the personal information belongs
Processing: any activity regarding personal information, including the collection, receipt, recording, collation, storage, dissemination, transmission or distribution of such information
Consent: a voluntary, specific and informed expression of will
Information Regulator: the independent public body created by POPI
What is Personal Information?
Information relating to identifiable, living, natural persons and to identifiable, existing juristic persons, in respect of:
the race, gender, sex, marital status, ethnic or social origin, sexual orientation, age, physical or mental health, disability, religion, belief or culture of the person
the education, medical, financial, criminal or employment history of the person
the email address, physical address or telephone number of the person
the blood type or other biometric information of the person
the personal opinions, views or preferences of the person
Eight conditions for the lawful processing of Personal Information
1. Accountability
2. Processing Limitations
3. Purpose Specification
4. Further Processing Limitation
5. Information Quality
6. Openness
7. Security Safeguards
8. Data Subject Participation
Eight conditions for the lawful processing of Personal Information
Condition 1: Accountability
Responsible Parties must ensure that the information protection conditions are complied with
Eight conditions for the lawful processing of Personal Information
Condition 2: Processing Limitations
Lawfulness of processing: processing must be conducted lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject
Minimality: personal information may only be processed if it is adequate, relevant and not excessive; the Responsible Party must not collect more personal information than needed
Consent, justification and objection: processing only if the Data Subject consents, it is necessary for the performance of a contract, it is required by an obligation imposed by law, it protects the legitimate interests of the Data Subject, or it is necessary for pursuing the Responsible Party’s legitimate interests
Collection directly from the Data Subject: the general rule is to collect directly from the Data Subject; exceptions are where the information is of public record, necessity, where the Data Subject has consented, or where collection from another source would not prejudice the legitimate interests of the Data Subject
Eight conditions for the lawful processing of Personal Information
Condition 3: Purpose Specification
Personal information must be collected for a specific, defined and lawful purpose
The Responsible Party must take steps to ensure that the Data Subject is aware of the purpose
Records of personal information must not be kept any longer than necessary
Records must be destroyed once the Responsible Party is no longer required or authorised to retain them. Records may only be retained where:
it is required by law; or
it is required by the Responsible Party for lawful purposes; or
it is required for historical, statistical or research purposes
Eight conditions for the lawful processing of Personal Information
Condition 4: Further Processing Limitation
Further processing must be compatible with the purpose for which the information was collected
A number of factors must be taken into account when assessing compatibility, i.e. the purpose of the intended further processing, the nature of the information and the way in which it was collected
Eight conditions for the lawful processing of Personal Information
Condition 5: Information Quality
The Responsible Party must ensure that the personal information collected is complete, accurate, not misleading and updated where necessary
Eight conditions for the lawful processing of Personal Information
Condition 6: Openness
Before information is collected (or as soon as practicable after collection) the Responsible Party must inform the Data Subject of:
the information collected
the Responsible Party’s contact details
the purpose for which the information is being collected
any law requiring the collection
whether the supply of information is voluntary or mandatory
the consequences of failing to provide the information
any intention to transfer the information to another country
Eight conditions for the lawful processing of Personal Information Condition 6: Openness
Notification is not required if:
Data Subject consents to not being notified
Non-compliance would not prejudice the legitimate interests of the Data Subject
Non-compliance is necessary for judicial proceedings
Notification would prejudice a lawful purpose of the collection of information
Notification is not reasonably practicable in the circumstances
The information will not be identifiable or will be used for historical, statistical or research purposes
Eight conditions for the lawful processing of Personal Information
Condition 7: Security Safeguards
Security measures on integrity and confidentiality: the Responsible Party must ensure that personal information is not lost, damaged or unlawfully accessed and must:
identify all foreseeable risks to personal information under its control
establish and maintain appropriate safeguards against the identified risks
ensure that the safeguards are implemented and regularly updated in accordance with new risks identified
Information processed by an Operator: an Operator processing information on behalf of a Responsible Party must process such information only with the knowledge or authorisation of the Responsible Party and must treat the information as confidential
Contracts between Operator and Responsible Party: a Responsible Party must, in terms of a written contract with the Operator, ensure that the Operator establishes and maintains the required security measures
Notification of security compromises: where the integrity of the personal information has been compromised, the Responsible Party must, as soon as is reasonably possible, notify the Regulator and the Data Subject of the security compromise
Eight conditions for the lawful processing of Personal Information
Condition 8: Data Subject Participation
A Data Subject may request a Responsible Party to:
• confirm whether the Responsible Party holds personal information about the Data Subject, and request details in respect thereof
• correct, amend or delete personal information that is inaccurate, irrelevant, incomplete, out of date or obtained unlawfully
• destroy or delete personal information that the Responsible Party is no longer authorised to retain
The Responsible Party must advise the Data Subject of the above-mentioned rights
Special Personal Information
Rule: No personal information may be processed concerning a child, or concerning a Data Subject’s religion, philosophies, race, ethnicity, trade union membership, politics, health, sexual life or criminal behaviour
Exceptions: the Regulator has authorised the processing, or the Data Subject has consented to such processing
Trans-border Information
Personal information may not be transferred out of South Africa to a country that does not have existing or adequate privacy laws or codes of conduct, unless:
the recipient of the information is subject to a law, binding corporate rules or an agreement which provides an adequate level of protection that upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information
the Data Subject consents thereto
the transfer of information is necessary for the performance of a contract between the Data Subject and the Responsible Party
the transfer of information is necessary for the performance of a contract that is in the interests of the Data Subject
the transfer of information is for the benefit of the Data Subject and it is not practicable to obtain the Data Subject’s consent, which consent the Data Subject would otherwise be prepared to give
Agenda
01 Rödl & Partner
02 Overview of POPI
03 Key Terms
04 What is Personal Information?
05 Eight conditions for the lawful
processing of Personal Information
07 Trans-border Information
08 Direct Marketing
13 Contact
12 Practical steps to POPI compliance
11 Offences and Penalties
06 Special Personal Information
09 Information Regulator
10 Enforcement
© Rödl & Partner 28 October 20, 2017
Direct Marketing
Definition: Approaching a person by any form of communication for the purpose of promoting
or offering to supply any goods or services to the person
Pre-POPI
• Direct marketing is permitted until the consumer opts out
• Consumer must be informed of the right to opt out
POPI
• New customers: prior consent is required (opt-in consent)
• Existing customers: opt-out consent sufficient
Information Regulator
Powers, Duties and Functions
to promote an understanding and acceptance of the conditions for the lawful processing of personal information
to monitor and enforce compliance by public and private bodies
to mediate between parties on any matter concerning the protection of personal information of Data Subjects
to investigate complaints about violations of the protection of personal information of Data Subjects and report to complainants in respect thereof
to issue and amend codes of conduct
Enforcement and Offences
Warrants
• If reasonable grounds suggest that an offence has been committed, a warrant may be issued to search any premises
Enforcement Notice
• The Responsible Party can be required to stop processing personal information
Complaints
• Any person may lodge a complaint with the Regulator
• The Regulator must investigate every complaint
Civil Remedies
• The Data Subject has a civil claim for damages against the Responsible Party
Agenda
01 Rödl & Partner
02 Overview of POPI
03 Key Terms
04 What is Personal Information?
05 Eight conditions for the lawful
processing of Personal Information
07 Trans-border Information
08 Direct Marketing
13 Contact
12 Practical steps to POPI compliance
11 Offences and Penalties
06 Special Personal Information
09 Information Regulator
10 Enforcement
© Rödl & Partner 34 October 20, 2017
Offences and Penalties
Offences
• Unlawful processing of account numbers
• Failure to comply with an enforcement notice
• Obstruction of or interference with the Regulator
• Intentionally obstructing a person in the execution of a warrant
Penalties
• Fine or imprisonment of up to 10 years, or both
Administrative Fines
• If a Responsible Party is alleged to have committed an offence, the Regulator must deliver an infringement notice to the Responsible Party setting out, inter alia, the amount of the administrative fine payable, which amount may not exceed R10 million
Agenda
01 Rödl & Partner
02 Overview of POPI
03 Key Terms
04 What is Personal Information?
05 Eight conditions for the lawful
processing of Personal Information
07 Trans-border Information
08 Direct Marketing
13 Contact
12 Practical steps to POPI compliance
11 Offences and Penalties
06 Special Personal Information
09 Information Regulator
10 Enforcement
© Rödl & Partner 36 October 20, 2017
Practical steps to POPI compliance
Step 1: Assessment of status quo for POPI compliance
Personal Information
• Which Personal Information does the company have? Who has access to it?
• What is the purpose of collecting the Personal Information? Is all of the information needed?
• Does the company collect Special Personal Information?
• Has consent by the Data Subject been given or received?
• How long does the Personal Information need to be kept for?
Safeguards
• What safeguards does the company have in place?
Operator
• Does the company use any Operator to process Personal Information?
Trans-border Information
• Does the company transfer information out of South Africa? To which countries?
Direct marketing
• Does the company engage in direct marketing?
Practical steps to POPI compliance
Step 2: Implementation of required changes in the processing of personal information
Changes to processing procedure
• Review of the scope of collected Personal Information
• Review of the storage procedure for Personal Information
• Review of security measures
Amendment or drafting of legal documents
• Privacy Policy: builds trust; informs the Data Subject in accordance with the Openness condition
• Consent clause or form: must be voluntary, specific and informed
• Contract with Operator: legal obligation to have a written contract
Practical steps to POPI compliance
Step 3: Training, control and review
• Training
• Control
• Review
Agenda
01 Rödl & Partner
02 Overview of POPI
03 Key Terms
04 What is Personal Information?
05 Eight conditions for the lawful
processing of Personal Information
07 Trans-border Information
08 Direct Marketing
13 Contact
12 Practical steps to POPI compliance
11 Offences and Penalties
06 Special Personal Information
09 Information Regulator
10 Enforcement
© Rödl & Partner 40 October 20, 2017
“Each and every person counts” – to the Castellers and to us.
Human towers symbolise in a unique way the Rödl & Partner corporate culture. They personify our philosophy of solidarity, balance, courage and team spirit. They stand for growth that is based on our own resources, the growth which has made Rödl & Partner the company we are today. “Força, Equilibri, Valor i Seny” (strength, equilibrium, valour and common sense) is the Catalan motto of all Castellers, describing their fundamental values very accurately. It is to our liking and also reflects our mentality. Therefore Rödl & Partner embarked on a collaborative journey with the representatives of this long-standing tradition of human towers – Castellers de Barcelona – in May 2011. The association from Barcelona stands, among many other things, for this intangible cultural heritage.
Contact
Ingrid Richter Friend
Rödl & Partner
1 Eastgate Lane, Bedfordview, 2007
South Africa
Phone +27 (11) 479 3000
Fax +27 (11) 479 3033
Email [email protected]
Anna-Lena Becker
Rödl & Partner
8th Floor Metropolitan Building
7 Walter Sisulu Avenue
Cape Town, 8001, South Africa
Phone +27 (21) 418 2350
Email [email protected]