South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA). In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.
- Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information
The Guidance Note notes that POPIA prescribes eight conditions for the lawful processing of personal information by or for a “responsible party” (akin to a data controller under GDPR), and clarifies that these conditions may not be applicable to the extent that such processing is exempted in the following two instances:
Exemption on application
In order for a responsible party to qualify, it will be required to establish to the satisfaction of the Regulator that its processing (i) is in the public interest and serves interests so significant (e.g., freedom of expression and/or national security) that it outweighs the data subject’s competing data protection rights; or (ii) involves a clear benefit to the data subject or a third party and the relevant benefit outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
Responsible parties that wish to apply for an exemption under section 37 of POPIA have been invited to submit applications to the Regulator (which can be found here). The Regulator may, if it grants the application, exempt a party from complying with a specific data protection condition when processing personal information. Note that an exemption does not mean that an organization will be exempt from all eight conditions for lawful processing. Nor will this exemption entitle the organization to use personal information freely and without complying with the remainder of POPIA.
Exemption in respect of certain functions
If a responsible party processes personal information for the purpose of performing certain relevant functions (meaning a function performed by a public body or conferred upon it by law), it may be exempt from complying with certain processing conditions. The scope of this exemption, however, is limited to the following POPIA provisions:
- the data subject’s right of objection (sections 11(3) and 11(4) of POPIA);
- the obligation to ensure that personal information is collected directly from the data subject (section 12 of POPIA);
- the obligation that further processing must be compatible with the initial purpose of collection (section 15 of POPIA); and
- the requirement to notify the data subject when collecting their personal information (section 18 of POPIA).
In order for a responsible party to qualify, the nature of the functions performed by the party must be intended to protect the public against:
- financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
- malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorized to carry on any other activity.
- Registration of Information Officers
The Regulator announced that there will no longer be a deadline for responsible persons to register Information Officers, and that responsible parties will not be held liable for failing to register their IOs and DIOs by the previously announced deadline of June 30, 2021. According to the Regulator’s media statement, this decision follows technical glitches with the Regulator’s registration portal and numerous concerns raised by responsible parties regarding the registration process.
It is worth noting that this development poses a challenge in the sense that POPIA automatically assigns the role of IO to the head of an organization (i.e., the CEO). However, POPIA also provides that an IO’s duties only commence once he/she has been registered with the Regulator.
In addition, the Regulator has in this media statement confirmed that a CEO of a multinational organization can be the IO for multiple entities. This statement addresses questions being raised by South African subsidiaries of multinationals wishing to appoint one IO for all the members of a larger corporate group. Until now, the registration portal would not allow the same person’s details to be used more than once, resulting in each company having to appoint a different IO. The Regulator is investigating other “alternative registration processes”, which will be announced in due course.
If you are unsure whether your organization qualifies for an exemption under the Guidance Note or if you require assistance with any aspect of compliance with POPIA, please contact Deon Govender at firstname.lastname@example.org, Dan Cooper at email@example.com, Witney Schneidman at firstname.lastname@example.org, Mosa Mkhize at email@example.com or Shivani Naidoo at firstname.lastname@example.org.