the protection of personal information act (“popi act ... · globally active october 20, 2017 the...

Globally active

October 20, 2017

The Protection of Personal Information Act (“POPI ACT“)

Austrian Business Chamber

© Rödl & Partner 2 October 20, 2017

Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms

04 What is Personal Information?

05 Eight conditions for the lawful

processing of Personal Information

07 Trans-border Information

08 Direct Marketing

13 Contact

12 Practical steps to POPI compliance

11 Offences and Penalties

06 Special Personal Information

09 Information Regulator

10 Enforcement


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


We are a one-of-a-kind success story from Germany

Founded in 1977 as a single practice in Nuremberg

4.500 colleagues in 108 wholly-owned offices worldwide in 2017

ONE firm, no network or franchise-system

Your one-stop shop: legal, tax, tax declaration and BPO,

management and IT-consulting, audit

Committed to German internationally active family businesses

Made in Germany


About Rödl & Partner in Africa

Partner network in Africa

Algeria Angola Botswana Cameroon DRC Djibouti Ivory Coast Ghana Libya Madagascar Mali Mauritius Morocco Mozambique Namibia North Sudan Republic of Congo Rwanda Senegal Tanzania Tunisia Uganda Zambia Zimbabwe

Offices in Africa

South Africa

Kenya

Ethiopia

Egypt

Nigeria


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Overview of POPI

First universal act in South Africa concerning the protection of personal information

Purpose: to give effect to the constitutional right to privacy

All businesses that process personal information must be compliant

Only certain chapters of POPI are in currently in effect

Draft regulations (including certain forms) are currently out for public comment

Businesses have 1 (one) year from date of commencement to comply with POPI

POPI also applies to personal information collected before the commencement date


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Key Terms

Term Meaning

Responsible Party a private or public body or any other person which, alone or in conjunction with

others, determines the purpose of and means for processing personal information

Information Officer Head of entity responsible for POPI compliance within Responsible Party

Operator Person who processes personal information for the Responsible Party

Data Subject Person to whom personal information belongs to

Processing Any activity regarding personal information, including the collection, receipt,

recording, collation, storage, dissemination, transmission or distribution of such

information

Consent Voluntary, specific and informed expression of will

Information Regulator Independent public body created by POPI


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact




09 Enforcement



What is Personal Information?

Information relating to

identifiable, living, natural persons in respect of

the race, gender, sex, marital status, ethnic or

social origin, sexual orientation, age, physical

or mental health, disability, religion, belief or culture of the person

the education, medical,

financial, criminal or employment history of the

person

identifiable, existing juristic persons in respect of

the email address, physical

address or telephone

number of the person

the blood type or other biometric

information of the person

the personal opinions, views

or preferences of person


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact




09 Enforcement



Eight conditions for the lawful processing of Personal Information

1. Accountability

2. Processing Limitations

3. Purpose Specification

4. Further Processing Limitation

5. Information Quality

6. Openness

7. Security Safeguards

8. Data Subject Participation


Eight conditions for the lawful processing of Personal Information Condition 1: Accountability

Responsible Parties must ensure that the information protection conditions are

complied with


Eight conditions for the lawful processing of Personal Information Condition 2: Processing Limitations

Lawfulness of

processing

Minimality

Consent,

justification &

objection

Collection

directly from

Data Subject

Processing must be conducted lawfully and in a reasonable manner that does not

infringe the privacy of the Data Subject

Personal information may only be processed if it is adequate, relevant and not

excessive

Responsible Party must not collect more personal information than needed

Processing only if: Data Subject consents, it is necessary for the performance of a

contract, obligation imposed by law, protects the legitimate interests of the Data

Subject or necessary for the pursuing of a Responsible Party’s legitimate interests

General Rule: Collect directly from the Data Subject

Exceptions: Information is of public record, necessity, Data Subject consented, not

prejudice legitimate interests of the Data Subject


Eight Conditions for the lawful processing of Personal Information Condition 3: Purpose Specifications

Records must be destroyed after the Responsible Party is no longer required or authorised to retain such records. Records may only be retained where:

it is required by law; or it is required by the

Responsible Party for lawful purposes; or

it is required for historical, statistical or research purposes

Records of personal information must not be kept any longer than necessary

Responsible Party must take steps to ensure that the Data Subject is aware of the purpose

Personal information must be collected for a specific, defined and lawful purpose


Eight conditions for the lawful processing of Personal Information Condition 4: Further Processing Limitation

Further

Must be compatible with the purpose for which the information was collected

Processing

A number of factors must be taken into account when assessing compatibility, i.e. the purpose of the intended further processing, the nature of the information and the way in which it was collected

Limitation .


Eight conditions for the lawful processing of Personal Information Condition 5: Information Quality

The Responsible Party must ensure that the personal information collected is

complete, accurate, not misleading and updated where necessary


Eight conditions for the lawful processing of Personal Information Condition 6: Openness

Before information is collected (or as

soon as practicable after collection) the Responsible Party

must inform the Data Subject of:

collected information

Responsible Party’s contact details

intention to transfer

information to another

country

any law requiring

the collection

purpose for which the

information is being collected

whether the supply of

information is voluntary or mandatory

consequences of failing to

provide information


Eight conditions for the lawful processing of Personal Information Condition 6: Openness

Notification is not required if:

Data Subject consents to not being notified

Non-compliance would not prejudice the legitimate interests of the Data Subject

Non-compliance is necessary for judicial proceedings

Notification would prejudice a lawful purpose of the collection of information

Notification is not reasonably practicable in the circumstances

The information will not be identifiable or will be used for historical, statistical or research purposes


Eight conditions for the lawful processing of Personal Information Condition 7: Security Safeguards

Security measures

on integrity and

confidentiality

Information

processed by

Operator

Contracts between

Operator and

Responsible Party

Notification of

security

compromises

Responsible Party must ensure that personal information is not lost, damaged or unlawfully

accessed and must:

identify all foreseeable risks to personal information under its control

establish and maintain appropriate safeguards against the identified risks

ensure that the safeguards are implemented and regularly updated in accordance with

new risks identified

An Operator processing information on behalf of a Responsible Party must process such

information only with the knowledge or authorisation of the Responsible Party and treat the

information confidential

A Responsible Party must, in terms of a written contract with the Operator, ensure that the

Operator establishes and maintains the required security measures

Where the integrity of the personal information has been compromised, the Responsible Party

must, as soon as is reasonably possible, notify the Regulator and the Data Subject of the

security compromise


Eight conditions for the lawful processing of Personal Information Condition 8: Data Subject Participation

A Data Subject may request a Responsible Party to:

• confirm as to whether the Responsible Party has personal information about the Data Subject and to request details in respect thereof

• correct, amend or delete personal information that is inaccurate, irrelevant, incomplete, out of date or obtained unlawfully

• destroy or delete personal information that the Responsible Party is no longer authorised to retain

The Responsible Party must advise the Data Subject of the above mentioned rights


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Special Personal Information

Rule: No personal information may be processed about a child’s or a Data Subject’s religion,

philosophies, race, ethnicity, trade union membership, politics, health, sexual life or criminal

behaviour

Exceptions: Regulator has authorised the processing or the Data Subject has consented to such

processing


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Trans-border Information

the recipient of the information is subject to a law, binding corporate rules or agreement which provide an adequate level of protection that upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information

the Data Subject consents thereto

the transfer of information is necessary for the performance of a contract between the Data Subject and the Responsible Party

the transfer of information is necessary for the performance of a contract that is in the interests of the Data Subject

the transfer of information is for the benefit of the Data Subject and it is not practicable to obtain the Data Subject’s consent, which consent the Data Subject would otherwise be prepared to give

Personal information may not be transferred out of South Africa to a country that does not have existing or

adequate privacy laws or codes of conduct, unless:


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Direct Marketing

Definition: Approaching a person by any form of communication for the purpose of promoting

or offering to supply any goods or services to the person

Pre-POPI

• Direct marketing is permitted until the consumer opts out

• Consumer must be informed of the right to opt out

POPI

• New customers: prior consent is required (opt-in consent)

• Existing customers: opt-out consent sufficient


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Information Regulator

Powers, Duties and Functions

to promote an understanding and acceptance of the conditions for the lawful processing of personal information

to monitor and enforce compliance by public and private bodies

to mediate between parties on any matter concerning the protection of personal information of Data Subjects

to investigate complaints about violations of the protection of personal information of Data Subjects and report to complainants in respect thereof

to issue and amend codes of conduct


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Enforcement and Offences

• If reasonable grounds suggest that an offence has been committed, a warrant may be issued to search any premises

• Responsible Party can be required to stop processing personal information

• Any person may lodge a complaint with the Regulator

• The Regulator must investigate every complaint

• Data Subject has a civil claim for damages against the Responsible Party

Civil Remedies

Complaints

Warrants Enforcement

Notice


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Offences and Penalties

• Unlawfully processing of account numbers

• Failure to comply with an enforcement notice

• Obstruction or interference with the Regulator

• Intentionally obstructing a person on the execution of a warrant

Offences

• Fine or imprisonment of up to 10 years or both Penalties

• If a Responsible Party is alleged to have committed an offence, the Regulator must deliver an infringement notice to the Responsible Party setting out, inter alia, the amount of the administrative fine payable which amount may not exceed R10 million

Administrative Fines


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Practical steps to POPI compliance Step 1

Assessment of status quo for POPI compliance

Personal Information • Which Personal Information does the company have? Who has access

to it?

• Purpose of collection of Personal Information? Is all information

needed?

• Does the company collect Special Personal Information?

• Has consent by the Data Subject been given or received?

• How long does the Personal Information need to be kept for?

Safeguards • What safeguards does the company have in place?

Operator • Does the company use any Operator to process Personal Information?

Trans-border Information • Does the company transfer information out of South Africa?

• To which countries?

Direct marketing • Does the company engage in direct marketing?



Implementation of required changes in processing of personal information

Changes to processing

procedure

• Review of scope of collected Personal Information

• Review of storing procedure of Personal Information

• Review of security measures

Amendment or drafting of

legal documents

• Privacy Policy

build trust

inform Data Subject in accordance with Openness condition

• Consent clause or form

must be voluntary, specific and informed

• Contract with Operator

legal obligation to have written contract



training

control

review


Agenda

01 Rödl & Partner

02 Overview of POPI

03 Key Terms





08 Direct Marketing

13 Contact





10 Enforcement


Each and every person counts“ – to the Castellers and to us.

Human towers symbolise in a unique way the Rödl & Partner corporate culture. They personify our philosophy of solidarity, balance,

courage and team spirit. They stand for the growth that is based on own resources, the growth which has made Rödl & Partner the

company we are today. „Força, Equilibri, Valor i Seny“ (strength, equilibrium, valour and common sense) is the Catalan motto of all

Castellers, describing their fundamental values very accurately. It is to our liking and also reflects our mentality. Therefore Rödl & Partner

embarked on a collaborative journey with the representatives of this long-standing tradition of human towers – Castellers de Barcelona –

in May 2011. The association from Barcelona stands, among many other things, for this intangible cultural heritage.

Contact

Ingrid Richter Friend

Rödl & Partner

1 Eastgate Lane, Bedfordview, 2007

South Africa

Phone +27 (11) 479 3000

Fax +27 (11) 479 3033

Email [email protected]

Anna-Lena Becker

Rödl & Partner

8th Floor Metropolitan Building

7 Walter Sisulu Avenue

Cape Town, 8001, South Africa

Telefon +27 (21) 418 2350

Email [email protected]

Bild Bild

the protection of personal information act (“popi act ... · globally active october 20, 2017 the...

Documents