Population: 59,308,690

Capitals: Pretoria (executive), Bloemfontein (judicial), Cape Town (legislative)

President: Cyril Ramaphosa, elected 2019

2020 Freedom House Score: 79/100

Data protection law? Yes

Privacy is a fundamental human right as enshrined in section 14 of the Constitution of the Republic of South Africa. It is further protected under the common law.

The Protection of Personal Information Act (POPIA) gives effect to the right to privacy, and seeks to balance it against other important rights such as access to information. The Act was signed in 2013 and has come into operation incrementally. The final sections of POPIA came into force on 1 July 2020, giving Responsible Parties one year within which to comply.

Under POPIA, the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. This includes the right to be notified of the collection of one’s information, and to be informed of unauthorised access to personal information by an unauthorised party.

Other rights held by data subjects include rights to:

• establish whether personal information is held by a responsible party, and request access to such information;
• request that if necessary, their personal information be deleted, corrected or destroyed;
• object to the processing of their personal information, provided that such objection is reasonable, unless the data subject was allowed to object free of charge, and failed to do so upon the initial collection of the data;
• object to the processing of personal information for direct marketing purposes at any time, unless the data subject gave their consent and is a customer of the responsible party;
• not have their personal information processed by means of unsolicited electronic communications;
• submit a complaint to the Information Regulator regarding alleged interference with their personal information; and
• institute civil proceedings in relation to the alleged interference with the protection of their personal information.

Personal information includes information relating to an identifiable, living, natural person, and to juristic persons.
Personal information includes, but is not limited to:

• information relating to gender, sex, pregnancy, marital status, and nationality;
• information relating to the education or the medical, financial, criminal or employment history of the person;
• any identifying number, symbol, e-mail address, physical address, telephone number, location
  information, online identifier, or other particular assignment to the person;
• personal opinions, views or preferences of the person;
• correspondence sent by the person that is implicitly or explicitly private and would reveal the contents of the original correspondence;
• views or opinions of another individual about the person; and
• the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

The following types of information constitute special personal information and certain additional conditions must be met for its processing to be lawful:

• religious or philosophical beliefs;
• race or ethnic origin;
• political persuasion or trade union membership;
• health or sex life;
• biometric information; and
• criminal behaviour.

There are eight conditions required for the lawful processing of personal information by or on behalf of a responsible party:

1. Accountability 

• The responsible party must ensure that the conditions for lawful processing are satisfied.

2. Processing limitation 

• Processing must be conducted lawfully, for necessary and not excessive purposes, in a manner that protects the legitimate interests of the data subject and does not infringe on their rights.
• Personal information may only be processed with the consent of the data subject (or competent person where the subject is a minor). Such consent is revocable at any time, and at such point, the responsible party must cease processing the information. Personal information may also be processed for a lawfully recognised purpose as specified in POPIA, such as the protection of a legitimate interest of the data subject.
• Generally, personal information must be obtained directly from the data subject unless an exception applies.

3. Purpose specification 

• Personal information must be collected for a specific, explicitly defined, lawful purpose related to a particular function or activity of the responsible party. In most circumstances, the responsible party must act to ensure the data subject is aware of this purpose.
• Personal information may not be retained for any longer than is necessary to achieve the purpose for which it was collected, barring certain exceptions.

4. Further processing limitation 

• Further processing of personal information must be compatible with the original purpose for which it was collected, as determined by factors such as the nature of the information concerned, possible consequences of further processing on the data subject, the manner in which the
  information was collected, and contractual rights and obligations existing between parties.

5. Information quality 

• The responsible party must take reasonably practicable measures to ensure that the personal information provided is accurate, complete and not misleading. The purpose for which the personal information is collected or further processed determines what is reasonably practical under the circumstances.

6. Openness 

• The responsible party must keep documentation of all processing operations and notify the data subject when collecting personal information, barring certain exceptions.

7. Security safeguards  

• The responsible party is required to safeguard the integrity and confidentiality of personal information in its possession and / or under its control by taking the appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised destruction. Necessary measures are also to be taken to prevent unlawful access to or processing of personal
  information.

8. Data subject participation 

• The responsible party must allow data subjects to exercise their rights under POPIA regarding their personal data.

POPIA established the Office of the Information Regulator (Information Regulator), comprised of a Chairperson and additional members. Its functions include providing education on protection and processing of personal information; monitoring and enforcing POPIA compliance; consulting and mediating; investigating and resolving complaints; issuing enforcement notices; and facilitating cross-border cooperation.

Public and private bodies who process personal information are expected to designate an information officer (and if necessary, deputy information officers) and register them with the Information Regulator. These individuals will deal with requests made to the responsible party regarding POPIA and assist the Information Regulator during the course of investigations related to the responsible party.

Responsible parties must obtain prior authorisation from the Regulator to:

• process and transfer special personal information;
• process unique identifiers for purposes other than initially specified;
• process information for the purposes of credit reporting; or
• transfer the personal information of children to a third party in a foreign country that does not offer adequate protection.

Transferring the personal information of a data subject outside of South Africa to a third party located in a foreign country is prohibited unless the following can be shown:

• the third party who is receiving the information is subject to a set of legal rules or regulations that provide an adequate level of protection;
• the data subject consents to the transfer;
• the transfer of such information is necessary for the performance of a contract between the responsible party and data subject, or for other pre-contractual measures taken in response to a request made by the data subject;
• the transfer is required for the conclusion or performance of a contract concluded in the interest of the data subject, between the responsible party and third party; or
• the transfer is to the benefit of the data subject and it is not reasonably possible to obtain the consent of the data subject, and it is highly likely that consent would be given if it were possible to obtain.

In the event that the personal information of a data subject is believed to have been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject if they can be identified. Notification is to occur as soon as reasonably possible after the discovery of the data breach.

Delayed notification to the data subject is only permitted if a public body determines that notification will impede a criminal investigation. The notification to a data subject must be in writing and sufficiently informative. The Information Regulator may direct a responsible party to publicise a breach of personal information if it is of the view that doing so will protect data subjects.