Previous: POPI Act Part 2 – Conditions for the lawful processing of personal information
In all instances, the Act refers to the POPI Act No. 4 of 2013.
You can download the Act here.
This is the last section dealing with the responsibilities of businesses as related to the lawful processing of personal information. The first one will have a massive effect on businesses as it restricts how marketing can be done via email, and then also regulator the trans-border flow of information. Let’s jump right in!
Rights of data subjects regarding direct marketing.
1.1 Unsolicited Electronic Communication:
This section deals with the right of data subject regarding the processing of personal information for the purpose of direct marketing by means of any electronic communications. This includes automatic calling machines, fax machines, SMS or email communication.Unsolicited electronic communication is prohibited unless the data subject has given consent to such processing, or the data subject is a customer of the responsible party. Click To Tweet
Unsolicited electronic communication is prohibited unless the data subject has given consent to such processing, or the data subject is a customer of the responsible party. A responsible party are allowed to approach a data subject who have not previously withheld his consent, only once in order to request the consent of the data subject. Consent must be requested in the prescribed manner and form. This means consent must be in writing and identify all parties (data subject and responsible party) – including details such as:
- Name of the data subject
- Name of the responsible party, their address and contact details
- Name and signature of
persondesignated to sign on behalf of the responsible party.
- Give the data subject the option to consent via signature to receive direct marketing relating to specified good or services by means of electronic communication.
The personal information of a data subject can only be processed if it was obtained in context of the sale of a product or a service. And for the marketing of the responsible party’s own or similar services. The data subject must be given the option to object, free of charge or unnecessarily formality, to the use of his electronic details. This option must be made available at the time when the information is collected; as well as with each further communication for the purpose of marketing.
Communication for marketing purposes must contain the details of the identity of the sender or person on whose behalf the communication is send. As well as the address and other contact details to which the data subject may send a request to cease such communication.
An automatic calling machine is any machine able to do automated calls without human intervention
This can be a printed or electronic directory, containing personal information of a data subject. The information is publicly available or obtainable via directory enquiry services. Any data subject subscribed to such a service – must be informed, free or charge – about the purpose of the directory. As well as any other possible future uses, based on search functions embedded in the directory. This must be done before personal information of the data subject is included in the directory.
A data subject has the right to object – free of charge and without unnecessary formality – to the use of personal information. Or to request verification, confirmation or withdrawal of information, if the data subject has not originally refused to such use. Although, consent is not required for printed directories produced before the commencement of the Act.
Information of subscribers to fixed or mobile public voice telephony services, that has been included in a public subscriber directory, prior to commencement of the Act, may remain in the directory. But only once the data subject has been informed about the purpose or possible future use of the directory. This applies to both printed and electronic versions of the directory.
A subscriber has a contract with a provider for the supply of electronic communication services. Where these electronic communication services are publicly available.
1.3 Automated Decision Making
A data subject may not be subject to a decision by automated means, that results in legal consequences or affects them to a substantial degree. Where the automated processing of personal information has created a profile including:
- Work performance
- Credit score
- Personal preferences
This excludes when the decision has been taken regarding the conclusion or execution of a contract. Where the request of the data subject was met in terms of the contract. Or when appropriate measures have been taken to protect the legitimate interests of the data subject. Also when appropriate measures for protection of information are specified by law of codes of conduct.
These measures must give the data subject the opportunity to make representations about such decisions. And require the responsible party to provide sufficient information to the data subject about the logic used during the processing of personal information.
2.Trans-border information flows
Personal information about a data subject can only be transferred to a third party in a foreign country, if the data subject consents to this transfer. Or if the receiving party is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection. It must effectively uphold principles for reasonable processing of personal information that is similar to the conditions for the lawful processing of personal information. And it should include provisions, substantially similar to regulations, for the further transfer of personal information form the recipient to the third party in a foreign country.
Or if the transfer is related to a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures in the interest of the data subject. Also if the transfer is in the interest of a data subject, concerning a contract that includes a third party.
If the transfer is to the benefit of the data subject, but it is not reasonably practical to obtain consent, or if the data subject is like to give such consent.
Binding corporate rules refers to personal information processing policies, within a group of undertakings. Where the responsible party or operator adheres to such policies within such group.
Group of undertakings implies a controlling undertaking and its controlled undertakings.We can see that the POPI Act will have a huge impact on marketing, as you have only one chance to get a person to consent to receive your marketing material. It is important to take note that this first communication can only be of an… Click To Tweet
We can see that the POPI Act will have a huge impact on marketing, as you have only one chance to get a person to consent to receiving your marketing material. It is important to take note that this first communication can only be of an informative nature and cannot contain any marketing material. Any marketing material should also always contain an option to opt-out of any future marketing communications.
From Part 4 we will look at the responsibilities of Government relating to the POPI Act. Starting off with discussing Supervision. As well as the role of the Information Regulator and Information Officer.