Conditions for Lawful Processing

POPIA Logo

POPIA > CHAPTER 3 > Conditions for Lawful Processing (Sections 8 – 35)

POPIA > CHAPTER 3 > SECTION 8 > Responsible Party

The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

POPIA > CHAPTER 3 > SECTION 9 > Lawfulness of Processing
  1. Personal information must be processed—
    1. lawfully; and
    2. in a reasonable manner that does not infringe the privacy of the data subject
POPIA > CHAPTER 3 > SECTION 10 > Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

POPIA > CHAPTER 3 > SECTION 11 > Consent, Justification and Objection
  1. Personal information may only be processed if—
    1. the data subject or a competent person where the data subject is a child consents to the processing;
    2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    3. processing complies with an obligation imposed by law on the responsible party;
    4. processing protects a legitimate interest of the data subject;
    5. processing is necessary for the proper performance of a public law duty by a public body; or
    6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
    1. The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
    2. The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
  2. A data subject may object, at any time, to the processing of personal information—
    1. in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
    2. for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
  3. If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.
POPIA > CHAPTER 3 > SECTION 12 > Collection directly from data subject
  1. Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
  2. It is not necessary to comply with subsection (1) if—
    1. the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    2. the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    3. collection of the information from another source would not prejudice a legitimate interest of the data subject;
    4. collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    5. compliance would prejudice a lawful purpose of the collection; or
    6. compliance is not reasonably practicable in the circumstances of the particular case.
POPIA > CHAPTER 3 > SECTION 13 > Collection for specific purpose
  1. Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
  2. Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.
POPIA > CHAPTER 3 > SECTION 14 > Retention and restriction of records
  1. Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
    1. retention of the record is required or authorised by law;
    2. the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
    3. retention of the record is required by a contract between the parties thereto; or
    4. the data subject or a competent person where the data subject is a child has consented to the retention of the record.
  2. Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
  3. A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—
    1. retain the record for such period as may be required or prescribed by law or a code of conduct; or
    2. if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
  4. A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
  5. The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that prevents its reconstruction in an intelligible form.
  6. The responsible party must restrict processing of personal information if—
    1. its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information;
    2. the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
    3. the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
    4. the data subject requests to transmit the personal data into another automated processing system.
  7. Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
  8. Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the data subject before lifting the restriction on processing.
POPIA > CHAPTER 3 > SECTION 15 > Further processing to comply with purpose of collection
  1. Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13.
  2. To assess whether further processing is compatible with the purpose of collection, the responsible party must take account of—
    1. the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
    2. the nature of the information concerned;
    3. the consequences of the intended further processing for the data subject;
    4. the manner in which the information has been collected; and
    5. any contractual rights and obligations between the parties.
  3. The further processing of personal information is not incompatible with the purpose of collection if—
    1. the data subject or a competent person where the data subject is a child has consented to the further processing of the information;
    2. the information is available in or derived from a public record or has deliberately been made public by the data subject;
    3. further processing is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to—
      1. public health or public safety; or
      2. the life or health of the data subject or another individual;
    5. the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
    6. the further processing of the information is in accordance with an exemption granted under section 37.
POPIA > CHAPTER 3 > SECTION 16 > Quality of information
  1. A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  2. In taking the steps referred to in subsection (1), the responsible party must have regard to the purpose for which personal information is collected or further processed.
POPIA > CHAPTER 3 > SECTION 17 > Documentation

A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.

POPIA > CHAPTER 3 > SECTION 18 > Notification to data subject when collecting personal information
  1. If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of—
    1. the information being collected and where the information is not collected from the data subject, the source from which it is collected;
    2. the name and address of the responsible party;
    3. the purpose for which the information is being collected;
    4. whether or not the supply of the information by that data subject is voluntary or mandatory;
    5. the consequences of failure to provide the information;
    6. any particular law authorising or requiring the collection of the information;
    7. the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
    8. any further information such as the—
      1. recipient or category of recipients of the information;
      2. nature or category of the information;
      3. existence of the right of access to and the right to rectify the information collected;
      4. existence of the right to object to the processing of personal information as referred to in section 11(3); and
      5. right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
  2. The steps referred to in subsection (1) must be taken—
    1. if the personal information is collected directly from the data subject, before the information is collected, unless the data subject is already aware of the information referred to in that subsection; or
    2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
  3. A responsible party that has previously taken the steps referred to in subsection (1) complies with subsection (1) in relation to the subsequent collection from the data subject of the same information or information of the same kind if the purpose of collection of the information remains the same.
  4. It is not necessary for a responsible party to comply with subsection (1) if—
    1. the data subject or a competent person where the data subject is a child has provided consent for the non-compliance;
    2. non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act;
    3. non-compliance is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated; or
      4. in the interests of national security;
    4. compliance would prejudice a lawful purpose of the collection;
    5. compliance is not reasonably practicable in the circumstances of the particular case; or
    6. the information will—
      1. not be used in a form in which the data subject may be identified; or
      2. be used for historical, statistical or research purposes.
POPIA > CHAPTER 3 > SECTION 19 > Security measures on integrity and confidentiality of personal information
  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    1. loss of, damage to or unauthorised destruction of personal information; and
    2. unlawful access to or processing of personal information.
  2. In order to give effect to subsection (1), the responsible party must take reasonable measures to—
    1. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
    2. establish and maintain appropriate safeguards against the risks identified;
    3. regularly verify that the safeguards are effectively implemented; and
    4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
  3. The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
POPIA > CHAPTER 3 > SECTION 20 > Information processed by operator or person acting under authority
  1. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
    1. process such information only with the knowledge or authorisation of the responsible party; and
    2. treat personal information which comes to their knowledge as confidential and must not disclose it,

unless required by law or in the course of the proper performance of their duties.

POPIA > CHAPTER 3 > SECTION 21 > Security measures regarding information processed by operator
  1. A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
  2. The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
POPIA > CHAPTER 3 > SECTION 22 > Notification of security compromises
  1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
    1. the Regulator; and
    2. subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
  2. The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
  3. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
  4. The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
    1. Mailed to the data subject’s last known physical or postal address;
    2. sent by e-mail to the data subject’s last known e-mail address;
    3. placed in a prominent position on the website of the responsible party;
    4. published in the news media; or
    5. as may be directed by the Regulator.
  5. The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
    1. a description of the possible consequences of the security compromise;
    2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
    3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
  6. The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
POPIA > CHAPTER 3 > SECTION 23 > Access to Personal Information
  1. A data subject, having provided adequate proof of identity, has the right to—
    1. request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and
    2. request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
      1. within a reasonable time;
      2. at a prescribed fee, if any;
      3. in a reasonable manner and format; and
      4. in a form that is generally understandable.
  2. If, in response to a request in terms of subsection (1), personal information is communicated to a data subject, the data subject must be advised of the right in terms of section 24 to request the correction of information.
  3. If a data subject is required by a responsible party to pay a fee for services provided to the data subject in terms of subsection (1)(b) to enable the responsible party to respond to a request, the responsible party—
    1. must give the applicant a written estimate of the fee before providing the services; and
    2. may require the applicant to pay a deposit for all or part of the fee.
  4. A responsible party may or must refuse, as the case may be, to disclose any information requested in terms of subsection (1) to which the grounds for refusal of access to records set out in the applicable sections of Chapter 4 of Part 2 and Chapter 4 of Part 3 of the Promotion of Access to Information Act apply.
  5. The provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
  6. If a request for access to personal information is made to a responsible party and part of that information may or must be refused in terms of subsection (4)(a), every other part must be disclosed.
POPIA > CHAPTER 3 > SECTION 24 > Correction of Personal Information
  1. A data subject may, in the prescribed manner, request a responsible party to—
    1. correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
    2. destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain in terms of section 14.
  2. On receipt of a request in terms of subsection (1) a responsible party must, as soon as reasonably practicable—
    1. correct the information;
    2. destroy or delete the information;
    3. provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
    4. where agreement cannot be reached between the responsible party and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
  3. If the responsible party has taken steps under subsection (2) that result in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, the responsible party must, if reasonably practicable, inform each person or body or responsible party to whom the personal information has been disclosed of those steps.
  4. The responsible party must notify a data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.
POPIA > CHAPTER 3 > SECTION 25 > Manner of Access

The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act.

POPIA > CHAPTER 3 > SECTION 26 > Prohibition on processing of special personal information
  1. A responsible party may, subject to section 27, not process personal information concerning—
    1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
    2. the criminal behaviour of a data subject to the extent that such information relates to—
      1. the alleged commission by a data subject of any offence; or
      2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
POPIA > CHAPTER 3 > SECTION 27 > General authorisation concerning special personal information
  1. The prohibition on processing personal information, as referred to in section 26, does not apply if the—
    1. processing is carried out with the consent of a data subject referred to in section 26;
    2. processing is necessary for the establishment, exercise or defence of a right or obligation in law;
    3. processing is necessary to comply with an obligation of international public law;
    4. processing is for historical, statistical or research purposes to the extent that—
      1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      2. it appears to be impossible or would involve a disproportionate effort to ask for consent,
      3. and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
    5. information has deliberately been made public by the data subject; or
    6. provisions of sections 28 to 33 are, as the case may be, complied with.
  2. The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject.
  3. The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).
POPIA > CHAPTER 3 > SECTION 28 > Authorisation concerning data subject’s religious or philosophical beliefs
  1. The prohibition on processing personal information concerning a data subject’s religious or philosophical beliefs, as referred to in section 26, does not apply if the processing is carried out by—
    1. spiritual or religious organisations, or independent sections of those organisations if—
      1. the information concerns data subjects belonging to those organisations;
      2. or
      3. it is necessary to achieve their aims and principles;
    2. institutions founded on religious or philosophical principles with respect to their members or employees or other persons belonging to the institution, if it is necessary to achieve their aims and principles; or
    3. other institutions: Provided that the processing is necessary to protect the spiritual welfare of the data subjects, unless they have indicated that they object to the processing.
  2. In the cases referred to in subsection (1)(a), the prohibition does not apply to processing of personal information concerning the religion or philosophy of life of family members of the data subjects, if—
    1. the association concerned maintains regular contact with those family members in connection with its aims; and
    2. the family members have not objected in writing to the processing.
  3. In the cases referred to in subsections (1) and (2), personal information concerning a data subject’s religious or philosophical beliefs may not be supplied to third parties without the consent of the data subject.
POPIA > CHAPTER 3 > SECTION 29 > Authorisation concerning data subject’s race or ethnic origin
  1. The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to—
    1. identify data subjects and only when this is essential for that purpose; and
    2. comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.
POPIA > CHAPTER 3 > SECTION 30 > Authorisation concerning data subject’s trade union membership
  1. The prohibition on processing personal information concerning a data subject’s trade union membership, as referred to in section 26, does not apply to the processing by the trade union to which the data subject belongs or the trade union federation to which that trade union belongs, if such processing is necessary to achieve the aims of the trade union or trade union federation.
  2. In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.
POPIA > CHAPTER 3 > SECTION 31 > Authorisation concerning data subject’s political persuasion
  1. The prohibition on processing personal information concerning a data subject’s political persuasion, as referred to in section 26, does not apply to processing by or for an institution, founded on political principles, of the personal information of—
    1. its members or employees or other persons belonging to the institution, if such processing is necessary to achieve the aims or principles of the institution; or
    2. a data subject if such processing is necessary for the purposes of—
      1. forming a political party;
      2. participating in the activities of, or engaging in the recruitment of members for or canvassing supporters or voters for, a political party with the view to—
        1. an election of the National Assembly or the provincial legislature as regulated in terms of the Electoral Act, 1998 (Act No. 73 of 1998);
        2. municipal elections as regulated in terms of the Local Government: Municipal Electoral Act, 2000 (Act No. 27 of 2000); or
        3. a referendum as regulated in terms of the Referendums Act, 1983 (Act No. 108 of 1983); or
      3. campaigning for a political party or cause.
  2. In the cases referred to under subsection (1), no personal information may be supplied to third parties without the consent of the data subject.
POPIA > CHAPTER 3 > SECTION 32 > Authorisation concerning data subject’s health or sex life
  1. The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by—
    1. medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
    2. insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for—
      1. assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
      2. the performance of an insurance or medical scheme agreement; or
      3. the enforcement of any contractual rights and obligations;
    3. schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
    4. any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
    5. any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or
    6. administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for—
      1. the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
      2. the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
  2. In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
  3. A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1).
  4. The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject.
  5. Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless—
    1. a serious medical interest prevails; or
    2. the processing is necessary for historical, statistical or research activity.
  6. More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).
POPIA > CHAPTER 3 > SECTION 33 > Authorisation concerning data subject’s criminal behaviour or biometric information
  1. The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information, as referred to in section 26, does not apply if the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law.
  2. The processing of information concerning personnel in the service of the responsible party must take place in accordance with the rules established in compliance with labour legislation.
  3. The prohibition on processing any of the categories of personal information referred to in section 26 does not apply if such processing is necessary to supplement the processing of information on criminal behaviour or biometric information permitted by this section.
POPIA > CHAPTER 3 > SECTION 34 > Prohibition on processing personal information of children

A responsible party may, subject to section 35, not process personal information concerning a child.

POPIA > CHAPTER 3 > SECTION 35 > General authorisation concerning personal information of children
  1. The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is—
    1. carried out with the prior consent of a competent person;
    2. necessary for the establishment, exercise or defence of a right or obligation in law;
    3. necessary to comply with an obligation of international public law;
    4. for historical, statistical or research purposes to the extent that—
      1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
      2. it appears to be impossible or would involve a disproportionate effort to ask for consent,
      3. and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
    5. of personal information which has deliberately been made public by the child with the consent of a competent person.
  2. The Regulator may, notwithstanding the prohibition referred to in section 34, but subject to subsection (3), upon application by a responsible party and by notice in the Gazette, authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.
  3. The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2), including conditions with regard to how a responsible party must—
    1. upon request of a competent person provide a reasonable means for that person to—
      1. review the personal information processed; and
      2. refuse to permit its further processing;
    2. provide notice—
      1. regarding the nature of the personal information of children that is processed;
      2. how such information is processed; and
      3. regarding any further processing practices;
    3. refrain from any action that is intended to encourage or persuade a child to disclose more personal information about him- or herself than is reasonably necessary given the purpose for which it is intended; and
    4. establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.
POPIA > CHAPTER 3 > Chapter 3 > Conditions for Lawful Processing

Protection of Personal Information Act (POPI Act) or POPIA South Africa | POPI Act Compliance | Information Regulator | Chapters | Sections | POPI Act Compliance Plan | POPIA Chapters 1-12 | POPIA Sections 1 – 115 | POPI Act Documents

Translate
error: Protected Content
POPIA