Data protection in South Africa: overview

A Q&A guide to data protection in South Africa.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data Protection Country Q&A tool.

This Q&A is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Contents

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The Constitution of the Republic of South Africa (Constitution) enshrines the right to privacy in the Bill of Rights. Everyone has the right to privacy, which includes the right not to have:

  • Their person or home searched.

  • Their property searched.

  • Their possessions seized.

  • The privacy of their communications infringed (Chapter 2, section 14, Constitution).

The Protection of Personal Information Act 2013 (Act) was signed by the President in November 2013 and certain sections of the Act came into force in April 2014. These sections enable the establishment of the information regulator (Regulator) as well as the power for regulations to be made under the Act. A commencement date for the obligations under the Act has not yet been announced and the Regulator is yet to be appointed, although recommendations for the appointment have been made to parliament. Organisations will have 12 months from the commencement date to become compliant.

The answers in this article are made as though the Act is in force.

Sectoral laws

The Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA) covers the interception of communications and prohibits mobile network operators from sharing customer information except in limited circumstances. There are no other sectoral personal data protection laws, although the Act provides for the approval of sectoral codes of conduct by the Regulator.

Scope of legislation

2. To whom do the laws apply?

The Act applies to all processors of personal information (responsible parties), including:

  • Public and private parties.

  • Non-profit organisations.

  • Foreign parties processing personal information in South Africa (except where the information is merely sent through South Africa, and not to South Africa).

  • Parties domiciled in South Africa but not necessarily processing personal information in South Africa.

3. What data is regulated?

"Personal information" is regulated. It means information relating to an identifiable, living, natural person and, where applicable, to an identifiable, existing legal person, including:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.

  • Information relating to the education or the medical, financial, criminal or employment history of the person.

  • Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.

  • The biometric information of the person.

  • The personal opinions, views or preferences of the person.

  • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence.

  • The views or opinions of another individual about the person.

  • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Note that personal information of legal persons, where applicable, is protected under the Act.

4. What acts are regulated?

The Act regulates the processing of personal information.

"Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  • Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use.

  • Dissemination by means of transmission, distribution or making available in any other form.

  • Merging, linking, as well as restriction, degradation, erasure or destruction of information.

Where processing is done by non-automated means, it must form, or be intended to form, part of a filing system.

5. What is the jurisdictional scope of the rules?

Data protection rules apply nationally in South Africa.

6. What are the main exemptions (if any)?

The Act does not apply to personal information that:

  • Has been de-identified to the extent that it cannot be re-identified again.

  • Is processed purely for domestic or household purposes or for journalistic, literary and artistic purposes.

  • Is processed by or on behalf of certain public bodies in the performance of their legislated duties.

Notification

7. Is notification or registration required before processing data?

Notification or registration is not required before processing personal information, but the information officer must be registered with the Regulator before he can commence his duties under the Act.

Prior authorisation from the Regulator is required in certain instances before processing can occur, for example in the case of:

  • Processing information for the purpose of credit reporting.

  • Transferring special personal information (that is, sensitive data) or the personal information of children (that is, under the age of 18 years) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

The sections regarding prior authorisation will not apply to a sector or industry for which a code of conduct is in force.


Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

There are eight conditions for lawful processing of personal information:

  • Accountability. The responsible party is accountable for complying with the Act.

  • Processing limitation. Processing must be lawful and reasonable and must not infringe the privacy of the data subject.

  • Purpose specification. Processing must have a specific, explicitly defined lawful purpose.

  • Further processing limitation. Further processing must be in accordance and compatible with the purpose for which it was collected.

  • Information quality. The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and up to date.

  • Openness. The responsible party must take reasonably practicable steps to ensure that the data subject is aware of the processing.

  • Security safeguards. The responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures.

  • Data subject participation. Data subjects can request access, correction and deletion of personal information.

9. Is the consent of data subjects required before processing personal data?

Consent of a data subject is required to process personal information, unless processing can be justified on another ground (see Question 10).

Consent must be a voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Consent can be given electronically or online (for example, a tick box). There is no requirement that consent be written, although this is recommended for evidentiary purposes.

For children, the consent of any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning the child, for example, a parent or legal guardian, is required.

10. If consent is not given, on what other grounds (if any) can processing be justified?

Processing can be justified without consent if:

  • It is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.

  • It complies with an obligation imposed by law on the responsible party.

  • It protects a legitimate interest of the data subject.

  • It is necessary for the proper performance of a public law duty by a public body.

  • It is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom information is supplied.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Processing of special personal information (that is, sensitive data) is prohibited unless a specific or general exception applies or general authorisation is received from the Regulator.

"Special personal information" is personal information concerning the data subject's:

  • Religious or philosophical beliefs.

  • Race or ethnic origin.

  • Trade union membership.

  • Political persuasion.

  • Health.

  • Sex life.

  • Biometric information.

  • Criminal behaviour.

Processing of personal information of children is prohibited unless an exception applies (such as where the processing is necessary to establish, exercise or defend a legal right or obligation) or the consent of a competent person is obtained (see Question 9).


Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

The responsible party must take reasonably practicable steps to ensure that the data subject is aware of:

  • The information being collected and, where it is not collected from the data subject, the source from which it is collected.

  • The name and address of the responsible party.

  • The purpose for which the information is being collected.

  • Whether or not the supply of the information by that data subject is voluntary or mandatory.

  • The consequences of failure to provide the information.

  • Any particular law authorising or requiring the collection of the information.

  • The fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation.

  • Any further information necessary having regard to the specific circumstances to enable the processing to be reasonable, such as:

    • the recipient or category of recipients of the information;

    • the nature or category of the information;

    • the right of access to and the right to rectify the information collected;

    • the right to object to the processing of personal information in certain circumstances; and

    • the right to lodge a complaint with the Regulator and the contact details of the Regulator.

13. What other specific rights are granted to data subjects?

A data subject has a right to:

  • Request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject.

  • Request from the responsible party the record or description of the personal information held about the data subject, including third parties that have access to the information (the responsible party can charge a fee, which is yet to be prescribed).

  • Object, at any time, to the processing of personal information:

    • where the responsible party is processing to protect a legitimate interest of the data subject;

    • where the processing is necessary for the proper performance of a public law duty by a public body;

    • where processing is necessary for pursuing legitimate interests of the responsible party or of a third party to whom the information is supplied; or

    • for the purposes of direct marketing.

14. Do data subjects have a right to request the deletion of their data?

A data subject can request the responsible party to:

  • Correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

  • Destroy or delete a record of personal information that the responsible party is no longer authorised to retain.


Security requirements

15. What security requirements are imposed in relation to personal data?

The responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent:

  • The loss, damage or unauthorised destruction of personal information.

  • The unlawful access to or processing of personal information.

The responsible party must take reasonable measures to:

  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.

  • Establish and maintain appropriate safeguards against the risks identified.

  • Regularly verify that the safeguards are effectively implemented.

  • Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must have due regard to generally accepted information security practices and procedures that may apply to it generally or are required within specific industry or professional rules and regulations.

16. Is there a requirement to notify data subjects or any regulator of personal data security breaches?

The responsible party must notify the Regulator and the affected data subjects (where the data subjects can be identified) where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.


Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The responsible party must, in terms of a written contract, ensure that the operator (that is, a third party processing data on behalf of the responsible party) establishes and maintains the required security measures (see Question 15).

The operator must:

  • Process personal information only with the responsible party's knowledge or authorisation and must not disclose it unless required by law or in the proper performance of their duties.

  • Immediately notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.


Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

There are no cookie-specific laws. If cookies or other tracking data amount to personal information, there must be a ground of justification for processing this information (see Questions 9 and 10). The notification requirements also apply (see Question 12).

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

The processing of personal information for the purpose of direct marketing by means of any form of electronic communication (including automatic calling machine, facsimile machine, SMS or e-mail) is prohibited unless the data subject either:

  • Has consented to the processing.

  • Is a customer of the responsible party (subject to certain conditions, for example, contact details must have been obtained in the context of a sale of a product or service).

A data subject can only be approached once for consent to receive electronic direct marketing communications.

Any electronic direct marketing communication must contain the identity of the sender and the address to which the recipient can send a request that such communications cease.


International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

A responsible party cannot transfer personal information to a third party (including other companies in their group) who is in a foreign country unless one of the following applies:

  • The third party is subject to a law, binding corporate rules (see Question 22) or binding agreement that provides for an adequate level of protection.

  • The data subject consents to the transfer.

  • The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request.

  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party.

  • The transfer is for the benefit of the data subject (and it is not reasonably practicable to obtain the consent of the data subject and, if it were reasonably practicable, the data subject would be likely to give it).

Prior authorisation from the Regulator is required to transfer special personal information or personal information relating to children to a third party in a foreign country that does not provide an adequate level of protection.

21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is no requirement to store any specific types of personal information in South Africa, but the cross-border transfer requirements must be met if the information is stored elsewhere (see Question 20).

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Binding agreements (similar to the EU model processor clauses) are contemplated. No standard forms or precedents have been approved by the Regulator (who has not yet been appointed).

23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Binding corporate rules, or a binding agreement providing an adequate level of protection, are sufficient. "Adequate level of protection" means that the rules or agreement:

  • Effectively uphold principles for reasonable processing of the information that are substantially similar to the conditions for lawful processing of personal information in the Act.

  • Include provisions that are substantially similar to the section on cross-border transfers in the Act, relating to the further transfer of personal information from the recipient to third parties in a foreign country.

Binding corporate rules means personal information processing policies, in a group of undertakings (that is, a controlling undertaking and its controlled undertakings), which are adhered to by a responsible party or operator in that group of undertakings when transferring personal information to a responsible party or operator in that same group of undertakings in a foreign country.

24. Does the relevant national regulator need to approve the data transfer agreement?

The relevant national regulator does not need to approve the data transfer agreement.


Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The Regulator can receive and handle complaints, conduct investigations and assessments, and issue:

  • Information notices requiring the responsible party to provide information about their processing practices.

  • Enforcement notices requiring the responsible party to do or refrain from doing anything in relation to the processing of personal information.

  • Infringement notices imposing an administrative fine on the responsible party for non-compliance with the Act.

The Regulator can impose administrative fines for offences under the Act of up to ZAR10 million. The Regulator can also institute a civil action on behalf of data subjects.

26. What are the sanctions and remedies for non-compliance with data protection laws?

Criminal offences committed under the Act are tried in the magistrates' court and can result in imprisonment from 12 months up to ten years (depending on the severity of the offence) and a fine (the maximum for this is not specified) on conviction. A responsible party can choose to be tried in the magistrates' court instead of paying an administrative fine issued by the Regulator.

Data subjects can bring a civil action for damages. The Regulator can also bring the action on behalf of the data subjects.

Active enforcement of the Act is not yet possible.


Online resources

W www.justice.gov.za/legislation/acts/acts_full.html


Contributor profiles

Rohan Isaacs, Director

Norton Rose Fulbright South Africa Inc

T +27 11 685 8871
F +27 11 301 3262
E rohan.isaacs@nortonrosefulbright.com
W www.nortonrosefulbright.com

Professional qualifications. South Africa, Attorney, 1994

Areas of practice. Information and communication technology; e-commerce; broadcasting; privacy.

Recent transactions (privacy-related)

  • Creating online virtual privacy law advisor, POPI Counsel.

  • Advising the National Treasury on legislation and policy regarding the interface between technology, telecommunications and the banking sector.

  • Advising the Driver's Licence Card Account (a trading entity of the Department of Transport) on their obligations in terms of the Act as a large-scale processor of personal information.

  • Creating a comprehensive guide on practical compliance with the Act for distribution to the South African Property Owners Association's members.

  • Advising the South African Insurance Crime Bureau in relation to the sharing of personal information with member organisations for insurance crime detection and prevention purposes.

  • Advising Hyphen Technology Proprietary Limited on the privacy implications of an advance payment debit scheme through payroll management.

  • Ongoing advice to Louis Vuitton Malletier in respect of its customer knowledge database in South Africa.

  • Advising VISA Inc (South Africa) on the privacy implications of its credit scoring system used in the context of fraud prevention.

Languages. English, Afrikaans

Professional associations/memberships. Law Society of the Northern Provinces.

Publications

  • Rohan Isaacs, Nerushka Deosaran, Kerri Crawford, Norton Rose Fulbright hosts seminar on Big Data and the Internet of Things, Cover, 2015.

  • Rohan Isaacs and Tatum Govender, New structures to fight cybercrime, Financial Institutions Legal Snapshot, 2015.

  • Rohan Isaacs, Challenges to banking and tech: data and cybercrime, Financial Institutions Legal Snapshot, 2015.

  • Rohan Isaacs and Nerushka Deosaran, Retailers must institute protection against cybercrime, Bizcommunity.com, 2014.

  • Rohan Isaacs and Nerushka Deosaran, Insurance marketers beware, Moneyweb.co.za, 2014.

Nerushka Bowan, Senior Associate

Norton Rose Fulbright South Africa Inc

T +27 11 685 8691
F +27 11 301 3232
E nerushka.bowan@nortonrosefulbright.com
W www.nortonrosefulbright.com

Professional qualifications. South Africa, Attorney, 2012

Areas of practice. Privacy; information and communication technology; e-commerce; broadcasting.

Recent transactions (privacy-related)

See above, Rohan Isaacs, Recent transactions. In addition, UK (2014):

  • Helping roll out blacklisting/employee data protection training to a large construction company.

  • Assisting with advising another law firm on handling a difficult data subject access request made against them for its client's data.

  • Developing and delivering training to insurers and assisting with the co-ordination work for the AIG CyberEdge product across Europe.

  • Advising on cross border disclosure mitigation steps to Japan and the US, among other multi-jurisdictional group initiatives run from the London office.

Australia (2014):

  • Drafting numerous privacy policies and privacy collection statements for various corporates and not-for-profit organisations.

  • Drafting a data sharing agreement and a sublicence agreement for customer relationship management software containing personal information for a group of companies.

Languages. English, Afrikaans

Professional associations/memberships. Law Society of the Northern Provinces.

Publications

  • Nerushka Bowan, Cybercrimes and Cybersecurity draft Bill released for public comment, Insurance Gateway, 2015.

  • Nerushka Bowan, Navigating social media policy, Directorship, 2015.

  • Nerushka Bowan, 175 000 South African "Have An Affair" Details Posted On Dark Net, Go Legal, Insurance Gateway, Polity, The Legal Times, 2015.

  • Nerushka Bowan, POPI Information Regulator to be appointed, Insurance Gateway, 2015.

  • Nerushka Bowan, Technology will be vital in future, Business Day Business Law & Tax Review, 2015.

Kerri Crawford, Senior Associate

Norton Rose Fulbright South Africa Inc

T +27 11 685 8929
F +27 11 301 3200
E kerri.crawford@nortonrosefulbright.com
W www.nortonrosefulbright.com

Professional qualifications. South Africa, Attorney, 2014

Areas of practice. Information and communication technology; privacy; e-commerce; broadcasting.

Recent transactions (privacy-related)

  • Creating online virtual privacy law advisor, POPI Counsel.

  • Advising the Driver's Licence Card Account (a trading entity of the Department of Transport) on their obligations in terms of the Act as a large-scale processor of personal information.

  • Advising the National Treasury on legislation and policy regarding the interface between technology, telecommunications and the banking sector.

  • Creating a comprehensive guide on practical compliance with the Act for distribution to the South African Property Owners Association's members.

  • Advising the South African Insurance Crime Bureau in relation to the sharing of personal information with member organisations for insurance crime detection and prevention purposes.

  • Ongoing advice to Louis Vuitton Malletier in respect of its customer knowledge database in South Africa.

Languages. English, Afrikaans

Professional associations/memberships. Law Society of the Northern Provinces.

Publications

  • Kerri Crawford, Can you be sued over Bitcoin? Insurance Gateway, 2016.

  • Kerri Crawford, Can you be traced through your internet activity, Insurance Gateway, 2015.

  • Kerri Crawford, Mobile payments vs Cryptocurrencies, Business Brief, IT Web Brainstorm, 2015.

  • Kerri Crawford, Can Bitcoin be insured? Insurance Gateway, 2015.

  • Kerri Crawford, POPI benefits SA companies, IT Online, Bizcommunity, 2014.
