South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).  The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA).  In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.

  1. Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information

The Guidance Note notes that POPIA prescribes eight conditions for the lawful processing of personal information by or for a “responsible party” (akin to a data controller under GDPR), and clarifies that these conditions may not be applicable to the extent that such processing is exempted in the following two instances:

Exemption on application

In order for a responsible party to qualify, they will be required to establish to the satisfaction of the Regulator that its processing (i) is in the public interest and is serves interests so significant  (e.g., freedom of expression and/or national security) that it outweighs the data subject’s competing data protection rights; or (ii) involves a clear benefit to the data subject or a third party and the relevant benefit, outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

Responsible parties that wish to apply for an exemption under section 37 of POPIA have been invited to submit applications  to the Regulator (which can be found here). The Regulator may, if it grants the application,, exempt a party from complying with a specific data protection condition when processing personal information. Note that an exemption does not mean that an organization will be exempt from all eight conditions for lawful processing.  Nor will this exemption entitle the organization to use personal information freely and without complying with the remainder of POPIA.

 Exemption in respect of certain functions

If a responsible party processes personal information for the purpose of performing certain relevant functions (meaning a function performed by a public body or conferred upon it by law), it may be exempt from complying with certain processing conditions.  The scope of this exemption, however, is limited to the following POPIA provisions:

  • the data subject’s right of objection (sections 11(3) and 11(4) of POPIA);
  • the obligation to ensure that personal information is collected directly from the data subject (section 12 of POPIA);
  • the obligation that further processing must be compatible with the initial purpose of collection (section 15 of POPIA); and
  • the requirement to notify the data subject when collecting their personal information (section 18 of POPIA).

In order for a responsible party to qualify, the nature of the functions performed by the party must be intended to protect the public against:

  • financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
  • malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorized to carry on any other activity.
  1. Registration of Information Officers

The Regulator announced that there will no longer be a deadline for responsible persons to register Information Officers, and that responsible parties will not be held liable for failing to register their IOs and DIOs by the previously announced deadline of June, 30, 2021.  According to the Regulator’s media statement, this decision follows technical glitches with the Regulator’s registration portal and numerous concerns raised by responsible parties regarding the registration process.

It is worth noting that this development poses a challenge in the sense that  POPIA automatically assigns the role of IO to the head of an organization (i.e., the CEO).  However, POPIA also provides that an IO’s duties only commence once he /she has been registered with the Regulator

In addition, the Regulator has in this media statement confirmed that a CEO of  a multinational organization can be the IO for multiple entities.  This statement addresses questions being raised by South African subsidiaries of multinationals wishing to appoint one IO for all the members of a larger corporate group.  Until now, the registration portal would not allow the same person’s details to be used more than once, resulting in each company having to appoint a different IO.  The Regulator is investigating other “alternative registration processes”, which will be announced in due course.

If you are unsure whether your organization qualifies for an exemption under the Guidance Note or if you require assistance with any aspect of compliance with POPIA, please contact Deon Govender at dgovender@cov.com, Dan Cooper at dcooper@cov.com, Witney Schneidman at wschneidman@cov.com, Mosa Mkhize at mmkhize@cov.com or Shivani Naidoo at snaidoo@cov.com.

Print:
EmailTweetLikeLinkedIn
Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor in the firm’s Africa Practice Group through which she provides strategic policy and regulatory advice to clients doing business with and across Africa.

Ms. Mkhize, a non-lawyer, has over a decade of experience in international trade and…

Mosa Mkhize is a policy advisor in the firm’s Africa Practice Group through which she provides strategic policy and regulatory advice to clients doing business with and across Africa.

Ms. Mkhize, a non-lawyer, has over a decade of experience in international trade and public policy. During this time, she has supported senior policymakers and private sector companies on a broad range of issues including policymaking and development, negotiating complex international trade deals, and advocating for policies and regulations related to science and technology. In addition to this, Ms. Mkhize’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on facilitating policies in the smart technology space.

Photo of Deon Govender Deon Govender

Deon Govender focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure…

Deon Govender focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Mr. Govender’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Witney Schneidman Witney Schneidman

Witney Schneidman has nearly 40 years of experience working across Sub-Saharan Africa.

Drawing on his experience in the State Department, the World Bank, think tanks and his own consulting practice, Dr. Schneidman, a non-lawyer, has advised energy, technology, consumer and health companies, among…

Witney Schneidman has nearly 40 years of experience working across Sub-Saharan Africa.

Drawing on his experience in the State Department, the World Bank, think tanks and his own consulting practice, Dr. Schneidman, a non-lawyer, has advised energy, technology, consumer and health companies, among others, on projects in more than 30 African countries. He has also served as Deputy Assistant Secretary of State for African affairs, and on the Africa advisory committees in the Office of the U.S. Trade Representative and at the U.S. Export-Import Bank.

Dr. Schneidman provides strategic advice on the varied political, economic, social and regulatory issues that are critical to companies’ success in Africa. This includes issues related to Corporate Social Responsibility, compliance, market entry and risk mitigation. He played a leading role in the passage and recent reauthorization of the African Growth and Opportunity Act and was a delegate to the Global Entrepreneurship Summit co-hosted by President Obama during his visit to Kenya.

Dr. Schneidman chairs Covington’s Africa Practice Group and is a senior member of the firm’s Public Policy Practice Group, the International Strategy Group and the International Trade and Finance Group.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.