Hotline: 18459226877

Case Guides

Home / Case Guides / Details
South Africa in the BRICS Series of Guides - Data
South Africa

1、 South African data protection legislation;

(1) Overview;

In order to regulate the collection, storage, and use of personal information of internal personnel by commercial entities, South Africa launched the legislation of the Personal Information Protection Act (POPIA) in 2005, which was promulgated in 2013 and implemented in a phased manner. Among them, the establishment of a personal information regulatory agency and the authorization to draft relevant detailed rules were implemented in 2014, and substantive provisions (including Articles 2 to 38, Articles 55 to 109, Article 111, and Articles 114 (1) to (3)) officially came into effect on July 1, 2020. This bill applies to any business entity that processes data in South Africa, but does not apply to data processing for personal or household purposes. The bill provides a 12-month grace period for commercial entities to achieve compliance, which means they will fully comply with the provisions of the Personal Information Protection Law by June 30, 2021.

This law is South Africa's first comprehensive data protection law, aimed at promoting public and private institutions to strengthen the protection of personal information processed. It clearly refines the penalties, and organizations that violate the regulations may face administrative fines of up to 10 million South African rand (approximately 3.8 million RMB), as well as civil lawsuits or criminal liability. This law is one of the few in the world that provides data asset protection for legal entities such as companies and trust companies. In addition, the implementation of this law is a significant progress in the field of privacy protection in South Africa. By regulating the information processing behavior of natural and legal persons, and setting more obligations for companies processing personal information in South Africa, South Africa has aligned with international data protection legislation.

On December 14, 2018, the information regulatory agency in South Africa issued the Personal Information Protection Regulations, which aims to develop measures in conjunction with the Personal Information Protection Act 2013 to ensure the protection of personal information and strengthen the protection of data subjects' rights by providing detailed implementation frameworks and guidelines.

& nbsp;

(2) Important content of POPIA;

1. Information processing activities that require prior approval;

(1) Process any unique identifier of the data subject that goes beyond the specific purpose of collecting information or is intended to be linked to information processed by other responsible parties;

(2) Handling information related to criminal or illegal activities or misconduct on behalf of third parties;

(3) Processing information for credit reporting purposes; Transfer special personal information or children's information to foreign third parties who cannot provide appropriate levels of protection.

If prior approval is required for handling activities, the responsible party must notify the regulatory agency. Failure to fulfill the notification obligation will be considered illegal and may result in punishment. The responsible party does not need to obtain prior approval every time they receive and process personal information, they only need to obtain it once, unless the processing activity deviates from the previous approval content.

2. Requirements for Cross border Data Transmission;

Responsible parties within South Africa are not allowed to transfer the personal data of data subjects across borders to third parties located abroad, unless:;

(1) The third party is subject to laws, binding company rules, or binding contracts that provide an adequate level of data protection;

(2) The data subject agrees to cross-border transfer;

(3) Transfer is necessary to fulfill contractual obligations between the data subject and the responsible party, or to fulfill pre contractual obligations at the request of the data subject;

(4) Transfer is a necessary condition for the responsible party to enter into and fulfill contracts related to the interests of the data subject with third parties;

(5) Transfer is carried out for the benefit of the data subject, and obtaining consent for data transfer is not reasonable and feasible. If obtaining such consent is reasonable and feasible, the data subject is likely to agree.

3. Requirements for enterprises to conduct direct marketing through electronic communication methods;

Enterprises are only allowed to process personal information for direct marketing purposes through electronic communication methods (including email, SMS, fax, and automated call machines) with the consent of the data subject or if the data subject is a customer.

Any communication information sent by a company for direct marketing purposes must include detailed information about the sender's identity, address, and other contact information that allows the recipient to opt out.

4. Rights enjoyed by data subjects;

(1) Right to know: the right to know when personal information is collected or accessed or obtained by unauthorized parties;

(2) Access rights: Confirm that the responsible party holds personal information and has access rights to their personal information;

(3) Correction and deletion right: the right to request correction, destruction, or deletion of personal information when necessary;

(4) The right to object to the processing of personal information: the right to object to the processing of personal information when there are reasonable reasons related to it;

(5) The right to complain: the right to file a complaint with regulatory authorities in the event of interference with the protection of personal information;

(6) The right to file a civil lawsuit: the right to file a civil lawsuit against behavior that interferes with the protection of personal information.

& nbsp;

2、 South African data protection regulatory agency;

The Information Regulator, a data protection regulatory agency related to POPIA. It is directly responsible to the National Assembly and its main functions are:;

1. Provide education;

2. Monitoring and enforcement;

3. Negotiate with stakeholders;

4. Handling complaints;

5. Organize research and report to Congress;

6. Publish, revise, revoke codes of conduct or develop guidelines, etc;

7. Promote cross-border cooperation;

8. To protect the public interest, the legitimate interests of groups or individuals, issue relevant investigation reports.

& nbsp;

3、 Enterprise compliance measures;

To ensure compliance with the eight conditions for lawful processing of personal information as stipulated in the Personal Information Protection Law, enterprises should implement the following measures to prove compliance:;

1. Appointment of Information Officer& mdash; & mdash; If no information officer is appointed, enterprise leaders such as the general manager or CEO will automatically become information officers;

2. Make relevant legal disclosures to data subjects, including those who share data subject information, such as publishing detailed privacy policies on corporate websites and incorporating them into daily contract documents by reference;

3. Develop, implement, monitor, and maintain a compliance framework for the Personal Information Protection Law;

4. Conduct a personal information impact assessment;

5. Develop, monitor, and maintain a manual in accordance with the 2002 Promotion of Access to Information Act, and ensure that the manual reflects the revisions made to the Promotion of Access to Information Act in the annex to the Personal Information Protection Act;

6. Develop internal measures and establish appropriate systems to handle information requests or access requests;

7. Offering internal promotion and training courses;

8. Incorporate relevant mandatory regulations into agreements signed with operators (i.e. independent contractors representing them in handling personal information).

Enterprises are not allowed to transfer the personal information of data subjects to foreign third parties. But the following situations are not subject to this restriction:;

1. The data subject agrees to the transfer;

2. Transfer is necessary for the formation or performance of a contract;

3. Transfer made to protect the interests of the data subject in the absence of consultation with the data subject and with the data subject's likely consent.

& nbsp;

& nbsp;

Reference:;

  1. Compliance | Compliance Operations in South Africa (Part 1);

https://mp.weixin.qq.com/s/tOC5GbJwbZNz0GLJ_r3FLQ< ;/a>

  1. Ten Questions and Ten Answers to the Personal Information Protection Act of South Africa;

More Cases