Contact

A look at some practical implications of POPI on the Real Estate industry

Back to top

A look at some practical implications of POPI on the Real Estate industry

Each person has a constitutional right to privacy. This includes the right to have personal information safeguarded by a person entrusted with such information. On 1 July 2020 substantive provisions of the Protection of Personal Information Act 4 of 2013 (POPI) will come into operation and this article discusses some practical implications that POPI requires of service providers in the real estate industry.

30 Jun 2020 4 min read POPI Bumper Special Alert Article

The real estate sector consists of various responsible parties and operators for the purposes of POPI. All these role players collect personal information from data subjects in the performance of their duties. The data gleaned from data subjects are used to complete various commercial instruments such as lease agreements, sales of property, FICA compliance affidavits, bond approvals, mortgage bonds, notarial bonds, antenuptial contracts and deeds of transfer.

The processing of personal information by various persons is integral to the operation of the real estate industry. Conveyancers, for example, receive personal information from purchasers, sellers, developers, estate agents, insurers, auditors, homeowners’ associations and financial institutions. Some of the information is, in turn, passed onto government institutions such as SARS, deeds registries and municipalities for further processing either directly or via various vendor software packages. 

Responsible Parties

A responsible party like an estate agent, broker, mortgage originator or conveyancer is defined in section 1 of POPI as a “public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

A responsible party has the duty to ensure that it meets the conditions of lawful processing of personal information and adheres to the security measures on integrity and confidentiality in respect thereof under section 19 of POPI.

In terms of the security safeguards, a responsible party must take appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction and unlawful access to or processing of personal information. This includes the duty to take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Data Subjects

A data subject is the person to whom personal information relates and POPI provides a non-exhaustive list of what constitutes personal information in terms of section 1. In addition, POPI awards rights to data subjects, which include the right to have their personal information processed in accordance with prescribed conditions for its lawful application.

Processing of personal information and what is required from a real estate perspective

Section 11 of POPI provides for the consent, justification and objection of processing of personal information. Processing of information includes the collection, recording or use thereof, the dissemination thereof and the merging or destruction of such personal information. Personal information may only be processed if the “processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; for the proper performance of a public law duty by a public body; for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied”. Processing personal information, in addition must, “comply with an obligation imposed by law on the responsible party” and protect the interests of the data subject.

The conditions for lawful processing of personal information notably also require the data subject to consent to the processing of the personal information.  Examples of data subjects include landlords, tenants, sellers, purchasers and their authorised representatives. It is required that a consent be obtained from a data subject prior to receiving any personal information and we would recommend that such consent be in writing.

Furthermore, the collection of the personal information must be taken directly from the data subject unless the information contained is derived from a public record or has deliberately been made public by the data subject (section 12 of POPI) and obtained for a specific purpose related to a function of the responsible party (section 13 of POPI), which the data subject must be informed of.

All real estate role players are required to notify all data subjects (section 18 of POPI) of inter alia the collection of and the manner in which their personal information will be processed. We recommend that such notification be advanced in writing and is to specifically be brought to the attention of the data subject who is to confirm that they understand the contents thereof. It should be noted that the notification must be provided prior to the personal information of a data subject being disclosed to the responsible person.

It is also important to note that responsible parties who authorise operators like a vendor software operator to collect personal information on their behalf, must ensure that POPI compliance is included as one of the obligations of their contract. Operators must ensure that they maintain security safeguards and must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Sanctions

Contravention of POPI could result in far-reaching sanctions, these include the imposition of fines, imprisonment for a period of 12 months to 10 years and/or a damages claim by the data subject. Each role player has one year within which to ensure that their business practices comply with POPI, failing which, they will fall foul of the statutory provisions.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

10 Jul 2023

by Imraan Mahomed and Thato Makoaba

Cannabis in the workplace: Clearing the air

In 2018 the Constitutional Court handed down the landmark judgment of Minister of Justice and Constitutional Development and Others v Prince (6) SA 393 (CC), which legalised the private use and possession of cannabis. Concerns about the effect of the judgment in the workplace were ameliorated with an interpretation of the law, mostly in arbitration awards, which found that employers remain empowered to set workplace policies regulating substance abuse, including the use of cannabis. This position was recently confirmed in the 27 June 2023 Labour Court judgment of Marasi v Petroleum Oil and Gas Corporation of South Africa (C219/2020) ZALCCT 34.

Employment Law

3 min read

30 Nov 2023

by Nicholas Carroll and Jerome Brink

Tax Vertical mergers are back

Section 44 of the Income Tax Act 58 of 1962 (Tax Act) is one of the lesser used of the so-called “ corporate rollover relief rules ”, but is nevertheless one of the more hotly contested. Broadly, it provides for rollover relief from tax where two companies amalgamate to form one company, the other being liquidated.

Tax & Exchange Control

6 min read

28 Sep 2023

by Shem Otanga and Stephen Maina

Cracking the whip: Implications of the recent imposition of penalties by the Office of the Data Protection Commissioner in Kenya

On 26 September 2023, the Office of the Kenyan Data Protection Commissioner (ODPC) issued a press release (2023 ODPC press release) indicating that it had imposed penalties on a number of data controllers for the infringement of the privacy rights of data subjects and non-compliance with the requirements of the Data Protection Act (DPA).

Technology, Media & Telecommunications

5 min read

17 Oct 2023

by Sune Kruger

Extending your sectional title unit? What you need to know before laying the first brick

Have you made any additions to your home and had your building plans approved by the relevant municipality, but after attempting to sell your property found that the purchaser’s bank requires you to provide a registered sectional plan of the extension of your section before the transaction can proceed?

Real Estate Law

5 min read

14 Jun 2023

by Tendai Jangara

Introducing CDH's Corporate and White Collar Investigations Services Offering

CDH's Corporate & White Collar Investigations sector provides an internationally aligned standard of corporate investigations and advisory services.

Corporate & White Collar Investigations

11:23 Minutes

11 Apr 2024

by Puleng Mothabeng

Don’t kill my dream: I promise to comply with my tax obligations

“ Nothing is certain but death and taxes .” This infamous proverb confirms the obligation that we all have to pay tax – in some way or another. However, how many of us are actually aware of this obligation and how to go about discharging it?

Tax & Exchange Control

8 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline