While allegedly attending to meetings with ex-President Jacob Zuma, King Goodwill Zwelithini was inundated with direct marketing calls from a MiWay Insurance Company Limited (MiWay) sales representative. After the leaked audio recording of the resulting conversation between King Zwelithini and the MiWay sales representative caused a media frenzy, a media statement was released by the Information Regulator of South Africa (established under the now effective s39 of POPIA).
In its media statement, the Information Regulator utilised the media attention surrounding the audio recording to express its concerns about the fact that the personal information of King Zwelithini would effectively have been processed unlawfully by MiWay if the salient provisions of POPIA had already come into effect. Despite such salient provisions not yet being operative, the Information Regulator stated that it intends to “proactively engage” MiWay in order to assist them in bringing their processing activities in line with the provisions of POPIA. Furthermore, the Chairperson of the Information Regulator – Advocate Pansy Tlakula – made a statement to the effect that direct marketers often ignore POPIA completely when communicating with (and thereby processing the personal information of) members of the South African public.
The evident consequence is that direct marketers need to reassess the manner in which they process personal information and ensure that they become compliant with POPIA before the Act comes into effect (noting that POPIA does allow for a one-year compliance grace period (which can be extended by up to three years by the Minister)).
Under POPIA, direct marketers (who will be “responsible parties” under POPIA) will be prohibited from processing personal information in the following circumstances:
- where the data subject in question has not provided the direct marketer with their consent to such processing;
- where the processing is not necessary to carry out actions for the conclusion or performance of a contract to which the relevant data subject is a party;
- where there is no obligation imposed by law on the direct marketer to process the relevant data subject’s information;
- where processing is not in the legitimate interest of the relevant data subject; or
- where the processing is not necessary for the pursuit of the legitimate interests of the direct marketer or a third party to whom the information is supplied.
Despite the above, in terms of s11(3)(b) of POPIA, if the personal information of a member of the South African public is processed for the purposes of direct marketing, the relevant data subject concerned will have the right to object to such processing. In such circumstances, the direct marketer will have to refrain from processing the relevant data subject’s information from the moment that such objection is communicated to the direct marketer. Furthermore, where direct marketing is carried out by means of unsolicited electronic communications, including by way of automated calling machines, SMSs, facsimile machines or e-mails, the direct marketer will have to comply with the even more stringent rules set out in s69 of POPIA, in terms of which direct marketing by means of unsolicited electronic communications is prohibited unless:
- the relevant person is not a customer of the direct marketer and has consented to the processing of his/her personal information; or
- the relevant person is a customer of the direct marketer.
Further conditions also apply. Where the relevant person is not the customer of the direct marketer, the Act follows what is referred to as an “opt in” approach, in terms of which the direct marketer has to obtain the consent of the relevant person before sending a direct marking communication to such person. In this situation, the direct marketer may only approach the relevant person on one occasion in order to obtain the necessary consent (so as to prevent the relevant person being harassed for consent). Furthermore, the consent should not be obtained by way of duress or be of a general nature – it will specifically have to relate to the purpose for which it is obtained. In this regard, the draft Regulations relating to the Protection of Personal Information, 2017 contain a model form which may be used by a responsible party wishing to obtain the consent of a data subject for the processing of their personal information for purposes of direct marketing by means of any form of electronic communications. The form (which is still in draft format) requires, among other things, that:
- specific reference be made to s69 of POPIA;
- the data subject be made aware of what the terms “processing” and “personal information” mean in terms of POPIA, before being requested to give his/her consent;
- such consent must be in relation to specified:
- goods and/or services; and
- means of electronic communication (ie fax, email, SMS or other).
On the other hand, where the relevant person is a customer of the direct marketer, the Act follows what is referred to as an “opt out” approach, in terms of which the direct marketer must give the relevant customer the opportunity to object to the processing of his/her personal information. In this situation, the direct marketer may only send a direct marketing communication to the customer if:
- the direct marketer obtained the customer’s contact details in the context of the sale of a product or service;
- such contact details were obtained for the purpose of direct marketing in relation to the direct marketer’s own products or services that are of a similar nature; and
- the customer is provided with a reasonable opportunity to object to the processing of his personal information. In this regard, the opportunity to object should be provided to the customer at the time when the personal information is collected and, if the customer has not objected to this at the time of collection, the direct marketer must provide such opportunity on every occasion when a direct marketing communication is sent to the customer.
The direct marketer will also have to comply with a general condition (regardless of whether the relevant party is the direct marketer’s customer or not) before it sends a data subject a direct marketing communication: in terms of s69(4) of the Act, any direct marking communication must contain:
- details of the direct marketer; and
- an address or other contact details to which the relevant data subject (recipient) may send an objection to the processing of his personal information.
Under certain circumstances where a direct marketer does infringe POPIA, the affected data subject can lodge a complaint with the Information Regulator or institute a civil claim for damages, which may ultimately lead to the imposition of a hefty fine, imprisonment and/or civil liability for violating the Act.