WHAT IS POPIA AND HOW DOES IT AFFECT ME

What is POPI?

The act has been come about of a need for more stringent rules – and harsher punishments – against the protection of personal information of individuals, thereby affording every person further rights to privacy and protection of their personal data. POPIA Act can be read here

Eight conditions for lawfully processing of personal information:

POPIA’s eight conditions for lawful processing of personal information, as set out in Chapter 3 of POPIA, apply to direct marketing by means of unsolicited electronic communication. In summary, POPIA’s eight conditions are:

  • Accountability – the responsible party takes full responsibility for how a data subject’s personal information is processed;

  • Processing Limitation – the processing of personal information is limited to the consent of the data subject or allowed by law;

  • Purpose Specification – due to the responsible party being limited to the confines of the consent granted, the purpose for why personal information is required must be identified;

  • Further Processing Limitation – there are restrictions on the further distribution of personal information to anyone else or to use the personal information for any other purpose;

  • Information Quality – POPIA places an obligation on a business to ensure that the personal information remains correct and up to date;
  • Openness – the responsible party must inform the data subject in the event of a breach of their personal information, what personal information you have on them; how and where it is stored;

  • Security Safeguards – physical and digital security measures to protect personal information must be put in place; and

  • Data Subject Participation – respecting the rights of every data subject to have access to and control over their personal information.

POPIA and an “opt-in” method for direct marketing via electronic communication:

POPIA essentially replaces the current “opt-out” method established in terms of the CPA and ECTA, with an “opt-in” method. What this means is that direct marketing via unsolicited electronic communications shall not be allowed unless the consent of the data subject is obtained. Section 69(1), to this extent, prohibits the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communications, including automatic calling machines, fax, SMSs or e-mail, unless:

  • the data subject has given their consent to the processing; or
  • the data subject is already a customer of the responsible party (and has had a reasonable opportunity to object to the direct marketing).

Therefore, the position concerning electronic direct marketing under POPIA, may in our view be understood as:

  • New Potential Clients/Customers: A responsible party (e.g. a business) will first need to obtain the data subject’s consent prior to using electronic direct marketing, to contact them and if the data subject withdraws his/her/its consent, cease such direct marketing which was directed to such data subject; and

  • Existing Clients/Customers: A responsible party may continue to send direct marketing, by electronic communication methods, to the existing data subject who is a customer/client, provided the data subject’s initial consent was obtained and such data subject has not since withdrawn their consent.

However, when it comes to existing clientele / customers, same is understood to further be subject to the responsible party being able to reasonably prove, in the circumstances, that:

  • the data subject’s personal information was collected at the time that the data subject inquired about the responsible party’s goods and/or services;
  • the data subject was informed that their personal information may be used for marketing purposes;
  • the responsible party limits the direct marketing to his/her/its own goods and/or services and such goods and/or services are similar the goods and/or services which the data subject contacted the responsible party about, or actually purchased, in the first instance (e.g. a business uses a third party marketing agency to assist in the marketing of its goods and/or services and this marketing agency, over and above attending to electronically market the business’ goods/services to the business’ customer list, further electronically markets its own goods and/or services to the persons on such list. Unless the persons on the list consented to such third party marketing, the lawfulness shall be questionable under the provisions of POPIA); and
  • the data subject is always able to unsubscribe from receiving the direct marketing (i.e. at the time of collection of the personal information and each time the responsible party sends direct marketing communications. E.g., allow the data subject to unsubscribe).

In the case of existing clients or customers, if all of the above cannot be confirmed by the responsible party, he/she/it will need to consider whether obtaining consent afresh will be pursued or risk a compliant being lodged by a disgruntled data subject and/or a potential encounter with the Information Regulator (supervisory authority).

Withdrawal of consent:

In general, a data subject has the right to withdraw their consent at any time, in relation to their own personal information being processed. However, this withdrawal right is subject to the processing of the data subject’s personal information which took place prior to such withdrawal, not being impacted and the processing lawfully continuing, in the absence of consent, based on another recognized justification. POPIA however, does not directly provide for the withdrawal of consent for purposes of direct marketing.

Objection to processing:

A data subject may of course, object to the processing of his/her/its personal information at any time. In this regard, POPIA recognizes the general right of the data subject to object to the processing of his/her/its personal information where processing is based on protecting the legitimate interest of the data subject, the proper performance of a public law duty by a public body and/or pursuing the legitimate interest of the responsible party or of a third party to whom the information is supplied. Such objection is required to be made on reasonable grounds and in the prescribed manner (The Regulations Relating to the Protection of Personal Information (“POPIA Regulations”) prescribes Form 1).

Apart from the aforesaid, a data subject may also specifically object to the processing of his/her/its personal information for purposes of direct marketing by means of unsolicited electronic communication. In terms of this objection, a data subject, who is a customer of the responsible party, must be given a reasonable opportunity to object, free of charge and in manner free of unnecessary formality, to the use of his/her/its electronic details for direct marking purposes, at the time when the information was collected and each time thereafter, when direct marketing electronic communication is sent (unless the data subject has already initially refused).

Obtain consent once and use of prescribed form:

Importantly, under the provisions of POPIA, the responsible party is limited to one approach to obtain consent of the data subject and the data subject’s consent is required to be requested in the prescribed manner and form. The POPIA Regulations, prescribe a form for purposes of obtaining the necessary consent required from a data subject to enable the responsible party to lawfully engage in electronic direct marketing with such data subject. Regulation 6 of the POPIA Regulations provides that a responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act, submit a request for written consent to that data subject on Form 4.

A responsible party’s request for consent to electronic direct marketing, directed to the data subject, need not look exactly like Form 4 but must substantially comply therewith. In other words, as long as the consent acquired from such a data subject, duly informed the data subject that the consent given (in whatever form, for instance by a click of a button or clicking, “I agree”) constitutes consent as is contemplated in terms of Form 4 as provided  for in POPIA and complies with all its requirements.

Conclusion:

POPIA therefore, does not outlaw the use of direct marketing however, does to an extent level the playing fields by providing for an opt-in method to direct marketing by electronic communication, as opposed to an opt-out method.

 

Further Reading:

https://popia.co.za/

https://popia.co.za/protection-of-personal-information-act-popia/chapter-8/

 

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How do I check my email online with webmail?

Once your domain has fully propogated to our servers you can go to:...

My account has been deleted, can it be restored?

Once your account has been deleted for non-payment, it cannot be restored. If your account has...

Whitelist Email Addresses OR Domains

Whitelist Email Address OR Domain Name You can do this using Settings option available...

How do I enable parent paths?

If you are seeing an error similar to this Active Server Pages error 'ASP 0131' Disallowed...

How do I edit my web pages?

To edit your web pages, please use a web editor like one of the below editors and then FTP the...