DATA PROTECTION & PRIVACY


Post on 09-Feb-2020


OUR DATA PROTECTION & PRIVACY GROUP IS THE LARGEST PRACTICE OF ITS KIND IN SOUTH AFRICA


DATA PROTECTION & PRIVACY | cliffedekkerhofmeyr.com

OUR DATA PROTECTION & PRIVACY GROUP

Cliffe Dekker Hofmeyr’s Data Protection & Privacy Group is a dedicated, multi-disciplinary team of lawyers with specialist knowledge of the Protection of Personal Information Act, No 4 of 2013 (POPI). We also have extensive experience in every aspect of privacy of information and data protection.

Our Data Protection & Privacy Group is the largest practice of its kind in South Africa. Our team consists of lawyers drawn from across the firm’s practice areas and sectors, which include Technology & Sourcing, Convergence & New Media, Employment law, Dispute Resolution and Commercial law. Our team is able to advise you on the practical implications of the POPI Act, such as addressing your privacy of information and data protection requirements under the new legislation.

Our team’s specialist know-how means that we combine our technical knowledge of data retention and protection, data security, data transfer, privacy, confidentiality and freedom of information, with practical experience.

We act for clients from a wide range of sectors, so we understand the requirements of clients from diverse industries. We are also ideally positioned to offer bespoke solutions to a client’s specific situation and business environment.

INTERNATIONAL SCOPE, LOCAL EXPERTISE

We give you immediate access to a global network of lawyers who have expert knowledge and practical experience in international information law. Borders are no barrier. With our network across Africa, Asia Pacific, Europe, the Middle East and the United States, we are able to provide sophisticated and practical legal advice to our clients, wherever they operate.

We are kept fully up to date on international trends, precedents and developments – an essential component to maintaining a competitive edge in this highly specialised area.

Our Data Protection & Privacy Group is unique in its focus on giving advice that draws on international experience in the information and data protection field. Our team has in-depth knowledge of international privacy laws, notably the European Union data protection model on which the POPI Act is based. We are also familiar with privacy laws in the US, Canada and other jurisdictions around the world.

Our experience and our immediate access to similar laws in jurisdictions around the globe equip our local team to interpret and provide recommendations on the practical application of the POPI Act in South Africa.

OUR SERVICES

DATA PROTECTION

We have a strong track record in advising clients on all contentious and non-contentious issues related to privacy and data protection. Selected examples include:

• Conducting large-scale national and international data protection due diligence exercises and audits
• Advising on data protection issues in corporate transactions and in insolvency proceedings, including database ownership and transfer
• Advising on international transfers of personal data, and drafting inter-group and third party data transfer agreements
• Advising on direct marketing campaigns and on the application of related privacy and consumer protection laws
• Advising clients on their preparedness for the promulgation of the POPI Act
• Advising on privacy policies and procedures
• Advising on relevant data subject consent documentation
• Advising on revisions to existing agreements to comply with the provisions of the POPI Act
• Advising on business process changes required to ensure compliance with the provisions of the POPI Act
• Advising clients on dealing with sensitive or special personal information, which includes information relating to children, medical information and certain employee information
• Advising on the POPI Act’s implications on HR processes and procedures, and on amendments to employee contracts to comply with the provisions of the POPI Act
• Advising on agreements to be concluded with third party service providers with whom clients share data, including third parties who process data on behalf of a client
• Advising on document and data retention policies and procedures
• Advising on website terms and conditions, including opt-in/opt-out boxes

ASSISTING WITH THE POPI ACT COMPLIANCE STEPS

Our core services in this area include:

• Assessing and analysing current data management policies and procedures to gauge the current level of compliance with legislation across:
   • data collection
   • storage
   • processing
   • records retention
   • implementation
   • training processes
• Assisting in developing a comprehensive data management strategy to ensure and maintain compliance with legislation, and reduce the risk of claims, regulatory enforcement and possible criminal liability


• Assisting in compiling policies to regulate compliance with related current legislation, such as the Constitution, consumer protection laws, the Electronic Communications and Transactions Act, No 25 of 2002, the Promotion of Access to Information Act, No 2 of 2000 and the POPI Act; also including procuring the necessary consents to process information, allowing for access to information, maintaining information so that it is kept up to date, employing effective security safeguards and data retention
• Advising on effective data management strategies and structures to underpin commercial deals, including in relation to multi-jurisdictional outsourcing transactions
• Providing training to clients in relation to effective data management to ensure that all responsible parties comply with legislation
• Assisting in preparing internal policy documents
• Advising on domestic and international data compliance and public policy
• Advising IT and corporate clients on managing risk and security; we are well placed to assist clients in dealing with data breaches
• Assisting with compliance strategies and policies, regulatory investigations, transactional support and litigation
• Advising on and assisting with employment related privacy issues

OUR RECENT EXPERIENCE

• Advising large corporates on implementing privacy policies
• Advising on the employment aspect of a global oil company’s audit on South African data protection law
• Advising in relation to data retention requirements in South Africa for a multinational banking group
• Advising a large local bank on various aspects of compliance with the provisions of the POPI Act
• Advising the Independent Schools Association of South Africa about the POPI Act
• Presenting seminars on the POPI Act to local and multinational companies
• Advising a major petroleum company on data protection law for their internal compliance process
• Providing general advice on data protection law for a major listed company’s internal policy documents
• Giving opinions on the Home Affairs National Identification System (HANIS) database access identification verification matter
• Advising a state-owned enterprise on achieving compliance with the provisions of the POPI Act
• Giving general opinions relating to identity verification systems
• Advising a multinational outdoor advertising company on its data protection legislation compliance across 14 African jurisdictions
• Advising state-owned entities on compliance with the POPI Act


WHAT IS THE POPI ACT?

The POPI Act is new legislation designed to ensure that the personal information of individuals is protected under a regulatory framework within which organisations may process personal information.

The POPI Act (which has solicited significant and lengthy debate among citizens and corporate South Africa since it was first introduced in Parliament in 2009) was finally promulgated into law on 26 November 2013 and will commence on a date to be determined by the President by proclamation in the Gazette. Different dates of commencement may be determined in respect of different provisions of the POPI Act. We note that the provisions of the POPI Act dealing with the establishment of the office of the Information Regulator as well as the powers, duties and functions of the Information Regulator have, on proclamation by the President, come into effect as of 11 April 2014.

The POPI Act gives effect to the right to privacy contained in the Constitution, while protecting the free flow of information and advancing the right of access to information.

WHAT IS MEANT BY ‘PROCESSING’?

The concept of processing is broadly defined. The POPI Act will apply to you if you in any manner collect, receive, record, organise, collate, store, update, alter or modify, retrieve, consult, use, disseminate, distribute, merge, link, erase or destroy personal information.

While the POPI Act provides for certain exceptions, you should seek professional advice to assess possible exceptions on a case-by-case basis.

If you or your company processes personal information about any South African person or concerning any South African business, you will need to comply with POPI.


WHAT IS MEANT BY ‘PERSONAL INFORMATION’?

Personal information is any information that identifies a natural or juristic (corporate) person and can be linked back to that person, such as contact information, and information regarding race, gender, marital status, religious beliefs, as well as medical and financial information.

Personal information includes:

• Information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person
• Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
• Information relating to the education, medical, financial, criminal or employment history of the person
• Any identifying number, symbol, email address, physical address, telephone number or other particular assignment to the person
• The blood type or any other biometric information of the person
• The personal opinions, views or preferences of the person
• Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature
• The views or opinions of another individual about the person
• The name of the person if it appears with other personal information or if the disclosure of the name itself would reveal information about the person

WHAT STEPS CAN BE TAKEN TO COMPLY WITH THE ACT?

The POPI Act allows for a one-year compliance period (which may be extended). However, because the POPI Act imposes such broad obligations, you are encouraged to consider, without delay, the steps you will need to take and changes you will need to implement in standard processes and procedures, in order to comply with the requirements of the POPI Act.

Personal information is any information that identifies a natural or juristic person and can be linked back to that person.


BBBEE STATUS: LEVEL TWO CONTRIBUTOR

This information is published for general information purposes and is not intended to constitute legal advice. Specialist legal advice should always be sought in relation to any particular situation. Cliffe Dekker Hofmeyr will accept no responsibility for any actions taken or not taken on the basis of this publication.

JOHANNESBURG

1 Protea Place, Sandton, Johannesburg, 2196. Private Bag X40, Benmore, 2010, South Africa. Dx 154 Randburg and Dx 42 Johannesburg.

T +27 (0)11 562 1000 F +27 (0)11 562 1111 E [email protected]

CAPE TOWN

11 Buitengracht Street, Cape Town, 8001. PO Box 695, Cape Town, 8000, South Africa. Dx 5 Cape Town.

T +27 (0)21 481 6300 F +27 (0)21 481 6388 E [email protected]

©2018 0706/JULY
