
One should note that although the Protection of Personal Information
            Act 4 of 2013 (“POPI”) was signed into law on 19 November 2013, it
            has, to date, not yet fully come into effect. It is already law, but we are
            still awaiting the final date for the commencement of mandatory
            compliance with its provisions.

            POPI protects persons from suffering damage and harm by requiring
            entities and persons who receive personal information to protect such
            information and to keep it private and confidential. POPI places an
            important responsibility on parties who collect, store, use and destroy
            personal information and also provides rights and remedies to persons
            whose rights have been infringed in terms of the provisions of POPI. The
            entities and persons who carry this responsibility are termed “responsible
            parties”.

            POPI does not aim to stop the flow or sharing of personal information,
            but rather aims to establish and set guidelines and rules in line with
            international standards, for how this must be done, in order to protect the
            privacy of the persons whose personal information is being processed.

            In order for POPI to apply to any processing activity, such activity must
            take place in South Africa and the responsible party processing the
            information must have a place of business in South Africa. However, the
            person whose information is processed does not have to be a South
            African.

            In circumstances where personal information is transferred outside the
            borders of South Africa, the responsible party must notify all persons
            who will be affected that it intends to transfer their personal information
            to another country. The responsible party must also inform the persons
            whose personal information is being transferred abroad of the level of
            protection that their information will be afforded in such foreign country.
            These considerations are based on the underlying intention of POPI that
            personal information should remain protected and secure even after
            it has been transferred to another country where POPI does not apply.

            In addition to the above, POPI also requires that personal information
            can only be transferred to another country if one of the following primary
            circumstances is present:

            •       The country to which the information will be sent affords an
                    adequate and similar level of protection to the personal
                    information as that afforded by POPI, as well as other countries
                    to which the personal information may be subsequently
                    transferred.
            •       The recipient of the personal information in the foreign country
                    agrees to treat the personal information in accordance with the
                    provisions of POPI.



