Regulations relating to the Protection of Personal Information, 2018


South Africa
Protection of Personal Information Act, 2013

Government Notice R1383 of 2018

The Information Regulator has, under section 112(2) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), made the regulations in the Schedule.

1. Definitions

In these Regulations, any word or expression to which a meaning has been assigned in the Act has the meaning so assigned and, unless the context otherwise indicates:
“data message” includes a data message as defined in section 1 of the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002);
“form(s)” as referred to in these Regulations, means a form referred to in the annexures to these Regulations or any form which is substantially similar to that form;
“signature” includes an electronic signature as defined in section 1 of the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002);
“submit” means submit by—
(a)data message;
(b)electronic communication;
(c)registered post;
(d)electronic mail;
(e)facsimile; and
(f)personal delivery.
“the Act” means the Protection of Personal Information Act, 2013 (Act No. 4 of 2013); and
“writing” includes writing as referred to in section 12 of the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002).

2. Objection to the processing of personal information

(1)A data subject who wishes to object to the processing of personal information in terms of section 11(3)(a) of the Act, must submit the objection to the responsible party on Form 1.
(2)The responsible party, or a designated person, must render such reasonable assistance as is necessary, free of charge, to enable the data subject to make an objection on Form 1.

3. Request for correction or deletion of personal information or destruction or deletion of record of personal information

(1)A data subject who wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information in terms of section 24(1) of the Act, must submit a request to the responsible party on Form 2.
(2)The responsible party, or a designated person, must render such reasonable assistance as is necessary, free of charge, to enable a data subject to complete Form 2.

4. Responsibilities of information officers

(1)An information officer must, in addition to the responsibilities referred to in section 55(1) of the Act, ensure that—
(a)a compliance framework is developed, implemented, monitored and maintained;
(b)a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
(c)a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
(d)internal measures are developed together with adequate systems to process requests for information or access thereto; and
(e)internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
(2)The information officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.

5. Application for issuing code of conduct

A private or public body which is sufficiently representative of any class of bodies, or of any industry, profession, or vocation that wishes to apply for the issuing of a code of conduct in terms of section 61(1)(b) of the Act, must submit an application to the Regulator on Form 3.

6. Request for data subject's consent to process personal information

A responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject on Form 4.

7. Submission of complaint

(1)Any person who wishes to submit a complaint contemplated in section 74(1) of the Act must submit such a complaint to the Regulator on Part I of Form 5.
(2)A responsible party or a data subject who wishes to submit a complaint contemplated in section 74(2) of the Act must submit such a complaint to the Regulator on Part II of Form 5.

8. Regulator acting as conciliator during investigation

(1)If during the investigation of a complaint the Regulator decides to act as a conciliator in terms of section 76(1)(b) of the Act, and convene a conciliation meeting, the Regulator must, as soon as it is practically possible, inform the data subject and the responsible party implicated in the complaint on Form 6 of the following:
(a)the Regulator’s decision to act as a conciliator in the matter; and
(b)the date, time and place of the conciliation meeting.
(2)The Regulator—
(a)may consolidate separate complaints, which are alleged to relate to the same interference with the protection of personal information by the same responsible party, in order to deal with the complaints in the same conciliation proceedings;
(b)must ensure that all persons entitled to attend the conciliation meeting are notified within a reasonable time, of the date, time and place of the meeting;
(c)may request all the relevant documentation relating to the complaint from the data subject and the responsible party; and
(d)may confer with the parties in person, by electronic communication means, or by any other means as is deemed appropriate.
(3)Where a conciliation meeting fails to take place, the Regulator must arrange for an alternative date and notify the persons entitled to attend the conciliation meeting accordingly.
(4)The Regulator must issue a conciliation certificate on Form 7 within a reasonable time after the date of the conclusion of the conciliation meeting.
(5)If the complaint is not resolved, or either or both of the parties did not attend a conciliation meeting, the Regulator must proceed with the complaint as provided for in terms of section 76 of the Act.

9. Pre-investigation proceedings of Regulator

(1)If the Regulator intends to investigate any matter contemplated in Chapter 10 of the Act, the Regulator must in terms of section 79 of the Act, notify the parties to whom the investigation relates of such intention on Part I of Form 8 prior to conducting the investigation.
(2)The Regulator must inform the responsible party to whom the investigation relates on Part II of Form 8 of the complaint, or the subject matter of the investigation, and must inform the responsible party of the right to submit a written response to the complaint or the subject matter of the investigation within the time allocated by the Regulator.

10. Settlement of complaints

(1)If it appears from a complaint or any written reply to the complaint under section 79(b)(ii) of the Act or during a conciliation meeting, that it may be possible to secure a settlement between the parties and if appropriate, satisfactory assurances as contemplated in section 80 of the Act, the Regulator may confer with the parties in person, by electronic communication means, or by any other means as is deemed appropriate to endeavour to obtain a settlement and if appropriate, satisfactory assurances as contemplated in section 80 of the Act.
(2)If during the process referred to in sub-regulation (1) the Regulator decides to convene a settlement meeting, the Regulator must, as soon as it is practically possible, inform the data subject and the responsible party on Form 9 of the date, time and place of the settlement meeting.
(3)For the purpose of settlement proceedings, the Regulator has the same powers of a conciliator contemplated in sub-regulations (2) to (3) of Regulation 8.
(4)The Regulator must issue a settlement certificate on Form 10 within a reasonable time after the date of the conclusion of the settlement meeting.
(5)If no settlement and assurance is secured or if either or both of the parties did not wish to attend a settlement meeting, the Regulator must proceed with the matter as provided for in terms of section 76 of the Act.

11. Assessments

(1)A request for an assessment in terms of section 89(1) of the Act must be submitted to the Regulator on Part 1 of Form 11.
(2)The Regulator must inform the requester on Part II of Form 11 if it has decided to conduct an assessment on—
(a)its own initiative; or
(b)as requested in terms of sub-regulation (1);
within a reasonable time from the date that the decision was made.
(3)The period of assessment will be determined by the Regulator on a case by case basis.
(4)The Regulator must notify the requester or the responsible party (if not the requester) of any decision made, or action taken, or view formed on Form 12 within a reasonable time from the date that the decision was made or action taken or view formed.

12. Informing the parties of developments regarding investigation

(1)During the course of an investigation, the Regulator must within a reasonable time from the date of a decision being made or action being taken—
(a)keep the complainant, the data subject (if not the complainant) and the responsible party informed of the developments of the investigation; and
(b)inform the complainant, data subject (if not complainant) and the responsible party of the result of the investigation.
(2)The notifications contemplated in sub-regulation (1) must be served at the designated addresses of the complainant, the data subject and the responsible party advising—
(a)on Form 13 that an enforcement notice will not be issued in terms of section 94(a) of the Act;
(b)on Form 14 that the complaint has been referred to the Enforcement Committee in terms of section 92 of the Act;
(c)on Form 15 that an enforcement notice has been served in terms of section 95 of the Act;
(d)on Form 16 that an enforcement notice had been cancelled or varied in terms of section 96 of the Act;
(e)on Form 17 that an appeal has been lodged against an enforcement notice for cancellation or variation of the notice in terms of section 97 of the Act;
(f)on Form 18 that an appeal against an enforcement notice has been allowed and that an enforcement notice has been substituted in terms of section 98 of the Act; or
(g)on Form 19 that an appeal has been dismissed in terms of section 98 of the Act.

13. Short title

These Regulations shall be called the Regulations relating to the Protection of Personal Information, 2018 and shall commence on a date to be determined by the Regulator by proclamation in the Government Gazette.

Forms

Form 1 – Objection to the processing of personal information in terms of section 11(3)

Form 2 – Request for correction or deletion of personal information or destroying or deletion of record of personal information in terms of section 24(1)

Form 3 – Application for the issue of a code of conduct in terms of section 61(1)(b)

Form 4 – Application for the consent of a data subject for the processing of personal information for the purpose of direct marketing in terms of section 69(2)

Form 5 – Complaint regarding interference with the protection of personal information/complaint regarding determination of an adjudicator in terms of section 74

Form 6 – Notice to parties: conciliation meeting regarding interference with the protection of personal information in terms of section 76

Form 7 – Notice to parties: conciliation regarding interference with the protection of personal information in terms of section 76

Form 8 – Notice to parties of intention of regulator to investigate a complaint in terms of section 79

Form 9 – Notice to parties: settlement meeting regarding interference with the protection of personal information in terms of section 76

Form 10 – Notice to parties: settlement regarding interference with the protection of personal information in terms of section 76

Form 11 – Request for an assessment in terms of section 89(1)

Form 12 – Notification in terms of section 89

Form 13 – Notice to parties not to issue an enforcement notice in terms of section 94

Form 14 – Referral to enforcement committee in terms of section 92

Form 15 – Enforcement notice in terms of section 95

Form 16 – Cancellation or variation of enforcement notice in terms of section 96

Form 17 – Notice of appeal in terms of section 97

Form 18 – Substitution or setting aside of enforcement notice in terms of section 98

Form 19 – Notice of dismissal of appeal in terms of section 98
