
with your RMCP and to ensure that such is in line with the new legal
            framework established by the Amendment Act.
            The “who’s who” of POPI

            August 2017

            “I own a local cellphone and electronics store. We collect
            personal information from our clients, and quite often have
            to pass on information to third parties such as cellular
            providers etc. in order to provide our services. I’m not sure
            where our business fits into the picture with POPI and what my
            responsibilities are? Can you provide some clarity?”

            The Protection of Personal Information Act 4 of 2013 (“POPI”), which has
            been signed into law, but has not yet come fully into effect, protects
            our rights to privacy by setting conditions and requirements for the
            processing of ‘personal information’, which is any information relating
            to a living natural person or an identifiable legal entity and includes,
            amongst others, information such as names, birth dates, identity/
            registration numbers, passport numbers, demographic information,
            occupational information, health information, contact information etc.
            POPI also relates to the ‘processing’ of such information, which includes,
            amongst others, the collection, use, storage, deletion or destruction of
            personal information.

            POPI establishes a number of role players with specific rights and
            responsibilities under POPI. The subject of the protection afforded by
            POPI is the ‘data subject’ which is a person (natural person or legal
            entity) to whom the personal information relates. This can be a new
            or existing client, a prospective client, a supplier, or any other person
            whose personal information is being processed by your organisation.
            Data subjects can also be resident anywhere in the world and will
            qualify as a data subject if their personal information is processed by a
            responsible party in South Africa.

            On the other side of the coin is the ‘responsible party’, the party
            who must comply with POPI. The responsible party is the party that
            processes the personal information and determines the purpose for which
            the personal information is needed, and it can even outsource
            part or all of the processing of the personal information to a third
            party, referred to as an ‘operator’ in terms of POPI. Importantly
            though, despite the processing being outsourced to an operator, the
            responsible party still remains responsible for such processing, making
            it imperative that processing of personal information by operators
            also be compliant with POPI.



