The Defense of Personal Facts Act 4 of 2013 (“POPIA“) necessitates that a liable get together get prior authorisation for certain processing of personalized information and facts the place the particular processing of sure own information and facts is possible to cause a larger possibility to the details issue.
Unless of course exempt, a liable occasion must utilize for prior authorisation in the adhering to instances:
- Processing of exclusive identifiers. Where the responsible party procedures a unique identifier for a purpose other than the reason precisely meant at collection of the identifier AND with the intention of linking the info with facts processed by other dependable get-togethers.
Exclusive identifiers consist of for instance any account numbers plan number identity variety worker number university student selection or unique reference quantity.
- Prison, illegal or objectionable behaviour. Exactly where the responsible celebration procedures details on criminal conduct or unlawful or objectionable conduct on behalf of 3rd get-togethers.
For instance, exactly where the responsible bash is a business that carries out track record examine services on behalf of their clients.
- Credit reporting. Exactly where the liable get together procedures personalized details for credit history reporting applications.
For instance, credit history bureaus and other persons processing information for credit reporting functions.
- Cross border transfers of exclusive and children’s own information and facts. Where specific or children’s individual facts is transferred to a 3rd celebration in a place that does not have suitable knowledge safety guidelines. The present-day placement is that the Information and facts Regulator necessitates responsible parties to make a willpower as to whether or not the country in which the 3rd celebration is located has suitable guidelines and use for authorisation to transfer the personalized information to individuals nations around the world (which transfers will have to be topic to contractual safeguards) who do not have enough legal guidelines.
- As even further determined by the Regulator. The Details Regulator may perhaps establish that sure types or types of info processing carries a specific hazard for the authentic passions of the data subject matter, in which case, a responsible party will need to utilize for prior authorisation in respect of these types of data processing.
Unless of course a code of carry out has been released by the Information Regulator in regard of specific processing that is matter to prior authorisation, a responsible occasion will need to have to implement for prior authorisation to keep on processing particular information and facts that falls inside the previously mentioned types of details / processing. To date, the Credit Bureau Affiliation has utilized for a code of conduct for the processing by credit rating bureaus of individual details for credit score reporting needs.
ALSO Study: Support settlement essentials
For most shoppers, the groups of processing that may well be especially relevant is the processing of exclusive identifiers, processing for credit history reporting purposes and the transfer of exclusive and children’s private info cross border (for case in point, wherever medical details is processed for insurance plan applications and transferred to countries with no sufficient information protection laws, most notably, the United states of america).
Exactly where a liable party is expected to implement for prior authorisation in conditions of section 58(1), the Act needs that the accountable party must suspend its processing of the particular information and facts topic to the prior authorisation software when the software has been submitted and until eventually the Info Regulator has permitted the application or discovered that prior authorisation is not required. Section 58(1) will on the other hand only come to be successful from 1 February 2022, so responsible get-togethers will not require to suspend their processing for programs submitted prior to 1 February 2022, but if the Regulator has not finalised its thought of the software, the place in regulation is that the dependable occasion will be demanded to suspend processing from 1 February 2022.
Composed by Jessica Paterson
This short article was originally revealed by Dommisse Attorney’s Inc