Contact

The POPI Act – increased liability for employers

Back to top

The POPI Act – increased liability for employers

With effect from 1 July 2021, employers will bear increased liability for the conduct of their employees. Significant sections of the POPI Act will come into effect on 1 July 2020 including section 99 relating to civil remedies. Employers have one year to prepare for and take steps to mitigate the risk which this section creates.   

30 Jun 2020 3 min read POPI Bumper Special Alert Article

Under the common law an employer may be held vicariously liable for a wrong committed by an employee during the course and scope of his or her employment. The fact that an employer has taken steps to train its employees, issued instructions and developed policies to ensure that its employees conduct themselves in a certain manner when performing their work and do not engage in certain forms of conduct, often serves as a competent defence in a claim of statutorily created vicarious liability. These steps limit the risk to the employer. However, the nature of the civil liability created in terms of section 99(1) of the POPI Act and the restricted nature of the defences in terms of section 99(2) create significant risk for employers which may not be adequately addressed by the steps typically taken by employers to limit such risk.

Section 99(1) provides that a data subject, or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court against a responsible party for breach of the POPI Act, whether or not there is intent or negligence on the part of the responsible party. Responsible party includes an employer. In terms of section 99(1) an employer may be held liable for the conduct of its employees, regardless of whether there is any willful or negligent conduct on the part of the employer.

Most employees process personal information as contemplated in the POPI Act. For example, employees employed in human resources are continuously engaged in the processing of personal and special personal information. The following HR related processes involve the processing of personal information:

  • The recruitment and selection process starting with application forms, the sorting and storing of CVs, the shortlisting process, conducting interviews, vetting and verifying of references,
  • Processing payment of remuneration and recording bank account details,
  • Receiving and storing of leave applications and records, sick leave and medical records,
  • Monitoring performance, conducting written performance assessments, and
  • Investigating possible misconduct and conducting disciplinary processes.

Many employees engage in the process of significant volumes of varied personal information, both internal and external to a business, on a daily basis.

Measures which employers can implement to limit the risk of employees processing information in breach of the POPI Act include the implementation of internal policies relating to the processing of personal information and compliance with the conditions for lawful processing in terms of the POPI Act and compulsory training sessions, workshops and awareness campaigns. Application forms for employment and employment contracts should also include consents to the processing of information.

But, as already stated, these measures may not always be sufficient to limit the risk. Section 99(2) of the POPI Act sets out the limited defences which an employer may raise in response to a claim in terms of section 99(1). The defences include vis major, consent of the plaintiff, fault on the part of the plaintiff, compliance was not reasonably practicable in the circumstances of the particular case or the Regulator has granted an exemption in terms of section 37.

Of concern to employers will be the fact that the defences do not include circumstances in which the employer is able to show that it did all that was reasonably practicable to ensure that the employee did not breach the POPI Act.

While steps taken by an employer to limit the risk of a breach by one of its employees may not serve as a defence to a breach of the POPI Act by one of its employees, such steps on the part of an employer may serve to limit the quantum of the award. In terms of section 99(3) a court is empowered to award an amount that is just and equitable.

Having regard to the provisions of section 99, employers will be well advised to take steps over the next year to limit the risks created by the section in particular ensuring that their employees do not process information unlawfully and that they are aware of the conditions for lawful processing and act in accordance with these conditions at all times.                   

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

13 Mar 2024

by Timothy Baker, Claudia Moser and Denzil Mhlongo

Business rescue with an ulterior purpose

A financially distressed company facing a liquidation application may be tempted to try and avoid or delay the inevitable by launching a business rescue application in order to suspend the liquidation process. However, if there is no merit in such an application, it will inevitably be found by the courts to be an abuse of process and the stratagem will thus be doomed to failure. The Supreme Court of Appeal in the case of PFC Properties (Pty) Ltd v Commissioner for the South African Revenue Services and Others (543/21; 409/22) ZASCA 111; (1) SA 400 (SCA) (21 July 2023) adjudicated precisely thisscenario.  

4 min read

11 May 2023

by Jackwell Feris

Understanding the importance of the European Delegated Acts for the developing green hydrogen industry in Africa

As part of the European Commission’s (the Commission) REPowerEU plan to scale-up the production and use of renewable hydrogen, ammonia and other derivatives in the European Union (EU) the Commission adopted two European Delegated Acts (Acts) in February 2023. The Acts includes a set of rules and guidelines for the certification of green hydrogen produced within the EU, as well as imported hydrogen from other countries, such as Namibia and South Africa.

Industrials, Manufacturing & Trade

7 min read

2 Jun 2023

Celebrating our win for our regional pro bono work

Our firm has emerged as winner in the category “ Regional Law Firm of the Year Award ” under the auspices of the TrustLaw Awards 2023, facilitated by the highly respected Thomson Reuter’s Foundation. The award received through our Kenyan office is a testament to the dedication, expertise, and unwavering commitment of our teams in acting on pro bono matters.

Firm News

1 min read

24 Aug 2023

by Puleng Mothabeng

Remote working in jeopardy? Or is Caesar (SARS) securing what is due to Caesar?

It is no secret that the COVID-19 pandemic has radically changed our thinking towards how and where we work. Since 2020, many companies have adjusted and sometimes overhauled their working models to fit into the ‘new way of working’ and meet the global demand for remote and hybrid work arrangements in order to stay competitive and retain the best talent.

Tax & Exchange Control

5 min read

31 Aug 2023

by Njeri Wagacha, Martha Mbugua and Brian Muchiri

The Competition Authority of Kenya imposes the highest penalty in history for anti-competitive behaviour

On 23 August 2023, the Competition Authority of Kenya (CAK) made a landmark announcement, revealing its imposition of a record penalty on nine (9) steel manufacturers totalling KES 338,848,427.89, the highest fine the CAK has meted out to date for engaging in price fixing and output restriction. In addition to the financial penalties, the CAK has mandated these companies to cease any participation in anti-competitive activities going forward. It has also required them to establish robust competition compliance programs to ensure adherence to fair market practices.

Competition Law

5 min read

10 Aug 2023

by Nomlayo Mabhena-Mlilo

The test for insolvency revisited: Setting aside liquidation proceedings

In the case of The Commissioner for the South African Revenue Service v Nyhonyha and Others (1150/2021) ZASCA 69 (18 May 2023) the Supreme Court of Appeal (SCA) was confronted with the question of whether the High Court erred in setting aside an order for the liquidation of Regiments Capital (Pty) Ltd (Regiments) in circumstances where the conditions that led to the order for liquidation had sincechanged. 

Business Rescue, Restructuring & Insolvency

7 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline