Frequently Asked Questions and their answers
Data is now so valuable that it is considered the ‘new oil’. POPIA protects yours!
What is the difference between POPIA and POPI?
What is POPIA?
The main goal of the POPIA is to protect people and companies (also known as data subjects) from security breaches, theft, and discrimination.
It sets out conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). The Act includes eight general conditions and three less descriptive conditions.
What is GDPR?
Why should South Africans care about the GDPR?
A company may transfer personal information to recipients in locations outside South Africa if the recipient country has data protection laws similar to POPIA. If the recipient country lacks adequate protection laws, personal information may only be transferred there if the data subject consents, or if the recipient is subject to binding corporate rules or a binding agreement which provides an adequate level of protection effectively upholding the principles in POPIA, including the provisions relating to the further transfer of personal information.
What other legislation in South Africa regulates privacy?
• Electronic Communications and Transactions Act (ECTA);
• Promotion of Access to Information Act (PAIA);
• National Credit Act and the Consumer Protection Act.
This website assists with compliance across most privacy legislation, not just POPIA! We walk the extra mile with you.
Who will be affected by POPIA?
ALL companies need to have systems in place to deal with personal information. Plus, POPIA also has guidelines about direct marketing — so any brand sending messages or emails to consumers without them opting in, beware!
What is Personal Information?
Personal Information may include:
• ID number;
• Email address;
• Telephone numbers;
• Physical address;
• Physical and mental health information;
• Disability information;
• Marital status;
• Pregnancy status;
• Religion/Beliefs/Culture;
• Educational/Medical/Financial/Criminal or Employment History;
• Race/Sex/Nationality/Ethnic or Social Origin;
• So much more!
What are information processing conditions?
When does POPIA come into effect?
Do I need to get permission to contact consumers already on my direct mailing list?
If you got permission, you're golden. If you told me when you collected my information that you were going to use it to send me specials, and then gave me the opportunity to unsubscribe every time I got the email — there is that unsubscribe link at the bottom — then you're fine.
If you’ve been emailing me for 10 years and I haven’t said anything, then there is this soft opt-in concept. So, to answer your question, yes and no. The marketers that behaved in an ethical way will be able to continue to market to their lists.
What happens if I ignore POPIA?
Don’t underestimate POPIA and don’t just see it as a burden, instead, try to view it as an opportunity to create your own data strategy that will guard your company/practice and your clients/customers.
However, failure to comply with this Act can lead to a variety of consequences, including:
• A complaint lodged with the Information Regulator and a fine;
• Receiving a civil claim for payment of any damages;
• Criminal prosecution – if convicted, there could be a fine of up to R10 million or a prison sentence of up to ten years, or both.
Who is an "Operator"?
Examples of these service providers include:
- Advertising agencies;
- Auditors;
- PR agencies;
- Recruitment and employment agencies;
- Credit Bureaux;
- Verification agencies;
- Attorneys;
- Sales Agents;
- Service Agents.
What is the difference between a Responsible Party and an Operator?
The Responsible Party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all Operators providing services to the Responsible Party. The outsourcing or sub-contracting of any processing activities to Operators does not absolve the Responsible Party from liability. If the Operator contravenes POPIA, the Responsible Party will still be held liable by the Information Regulator.
Why do you need an Operator Agreement?
In terms of section 21 of POPIA, the Responsible Party must have a written agreement between itself and the Operator to ensure that the Operator establishes and maintains adequate safeguards and security measures in respect of the information which it is processing on behalf of the Responsible Party.
The Responsible Party will ultimately be held liable by the Information Regulator for a breach of POPIA by the Operator where the breach occurred within the scope of the mandate agreement between the Responsible Party and the Operator.
However, where the Operator has exceeded its mandate and breached POPIA, the Operator is regarded as acting as a Responsible Party in regard to that Personal Information, because the Operator is then determining the purposes and means of processing.
A written agreement between the Responsible Party and the Operator is therefore extremely important for the Responsible Party. By including a liability clause, the Responsible Party can hold the Operator liable for any claims which the Information Regulator and/or data subjects may have against the Responsible Party as a result of a breach of POPIA by the Operator.
Definition of "responsible party"
Definition of "operator"
Definition of "processing"
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
What is personal information and what does it include?
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
How do I get my website POPIA compliant?