Contact

When is the further processing of personal information applicable?

Back to top

When is the further processing of personal information applicable?

The Protection of Personal Information Act 4 of 2013 (POPI) provides that personal information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party. From this it appears that any consent obtained from a data subject should not be generic in nature but should set out details as to the purpose for which the personal information is sought and how the personal information of the data subject will be processed.

30 Jun 2020 4 min read POPI Bumper Special Alert Article

POPI defines “processing” as ‘any operation or activity or any set of operations, whether or not by automatic means, concerning person information’. This includes, amongst other things, the collection, recording, organisation, storage, modification or transmission of personal information. Despite this definition of “processing” no indication has been provided in POPI as to what the section 15 phrase “further processing” means. Since POPI is a new piece of legislation (only coming into force on 1 July 2020) there is no case law, at this stage, which can assist us in interpreting the phrase. However, POPI does provide that the further processing of personal information must be in accordance or compatible with the purpose for which the personal information was originally collected.

From this, it may be deduced that where a data subject provides consent to the processing of personal information for a specific expressly-defined purpose, and during the processing of such personal information it transpires that further processing (not originally envisaged and for which consent was not originally received) is required in order to fulfil the purpose that such further processing will fall within the ambit of section 15 of POPI. However, this viewpoint is yet to be tested and will, mostly likely, be expanded upon by our courts in the future.

Section 15 of POPI provides that in order to determine whether further processing is compatible with the purpose for which the personal information was originally collected. The following factors must be taken into consideration, namely:

  • the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
  • the nature of the information concerned;
  • the consequences of the intended further processing for the data subject;
  • the manner in which the information has been collected; and
  • any contractual rights and obligations between the parties.

POPI further provides that where the purpose of the further processing is not compatible with the purpose for which such personal information was originally collected, further processing of such personal information may still occur where:

  • the data subject consents to such further processing;
  • the personal information is available in or derived from a public record or has deliberately been made public by the data subject;
  • further processing is necessary to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences; to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or if in the interests of national security;
  • the further processing of the personal information is necessary to prevent or mitigate a serious and imminent threat to public health or public safety; or the life or health of the data subject or another individual;
  • the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in identifiable form; or
  • the further processing of the information is in accordance with an exemption granted by the Regulator in accordance with the provisions of POPI.

It may be difficult to determine the extent of processing which needs to be undertaken by a responsible party in order to fulfil the purpose for which the personal information of the data subject was originally sought and for which such data subject originally provided consent. The provisions of POPI pertaining to the further processing of personal information appear to create an instance where the responsible party does not need to constantly revert to the data subject to obtain the relevant consent to further process the personal information, provided that the further processing is in accordance or compatible with the provisions of POPI as detailed in this article. Where it is not, the responsible party may be required to once again approach the data subject to obtain consent for further processing.

It is important to ensure from the outset that the consent you, as the responsible party, obtain from a data subject provides such data subject with enough information regarding how and what manner the provided personal information will be processed. It is also important to understand and keep in mind the instances where further processing will occur and to ensure that it is compatible with the original purpose for which the personal information was provided.

This is a difficult concept to navigate and we are happy to provide assistance with regards to the content which should be set out in your consents as well as provide you with advice as to when further processing may occur during your processing method.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

27 Mar 2024

by Emma Kingdon

One step closer to law: The Copyright Amendment Bill and Performers’ Protection Amendment Bill

On 29 February 2024, both houses of the National Assembly approved these two controversial bills and sent them to the President for assent. The drafters of the Copyright Amendment Bill (CAB) stated that it is aimed at updating the Copyright Act 98 of 1978 (Copyright Act) to make it more effective for educators, researchers, and people with disabilities and also to ensure that artists “ do not die as paupers due to ineffective protection ”. This latter aspect is also addressed by the Performers’ Protection Amendment Bill (PPAB) which states that it seeks to protect performers’ moral and economic rights, as well as the rights of producers of soundrecordings.  

Corporate & Commercial Law

7 min read

4 Dec 2023

Four-day working week trial run in South Africa

We have written previously about the concept of the four-day work week and its relevance to the South African context (you can read our previous alerts here and here ).

Employment Law

3 min read

19 Jul 2023

by Deepesh Desai and Tessa Brewis

Back to basics: Financial assistance in terms of section 45 of the Companies Act

Section 45 of the Companies Act 71 of 2008 (Companies Act) governs direct and indirect financial assistance to directors and prescribed officers as well as certain companies and corporations, with the purpose of protecting shareholder and creditor interests by preventing the board of a company from exploiting its power of providing financial assistance which may unduly burden the company for the benefit of directors.

Corporate & Commercial Law

4 min read

7 Dec 2023

by Belinda Scriba and Claudia Grobler

Aggrieved by the decision of the Master of the High Court? Remedies should be considered carefully

What happens when the Master of the High Court (Master) accepts or rejects a creditor’s claim in liquidation proceedings and the affected person wishes to challenge the decision?

Business Rescue, Restructuring & Insolvency

4 min read

18 Oct 2023

by Deepesh Desai, Jamie Oliver, Tessa Brewis and Alecia Pienaar

Eskom’s grid allocation rules: On your marks, ready, set, halt!

The national grid, which facilitates the conveyance of electricity between points of generation and offtake, is a pivotal piece of South Africa’s energy infrastructure. Owing to the country’s historical reliance on coal as a main energy generation resource, the development and upkeep of the national grid was primarily centred around Eskom’s coal fleet in Mpumalanga, with little attention paid to implementing the same level of upkeep in other areas of the country where renewable energy resources are most concentrated.

Corporate & Commercial Law

5 min read

26 May 2023

by Louis Botha

Four new circulars: Recent developments on the exchange control front

On 23 May 2023, the Financial Surveillance Department of the South African Reserve Bank (FinSurv) issued four new circulars containing various amendments to the Currency and Exchanges Manual for Authorised Dealers (AD Manual). The AD Manual contains the permissions and exceptions contemplated in the Exchange Control Regulations, 1961. In this article, we briefly discuss the amendments proposed in each circular. In light of the recent challenges facing the South African economy and the rand, these changes are of potentially greater importance, but we will analyse their practical importance in further detail in a subsequent alert.

Tax & Exchange Control

3 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline