Guidance note on exemptions from the conditions for lawful processing of personal information, 2021

Jurisdiction
South Africa
Date
30 June 2021
Language
English
Type
Guidance Note
Download
Download PDF (309.7 KB)
Taxonomies

Guidance note on exemptions from the conditions for lawful processing of personal information, 2021

1.DefinitionsBelow are the definitions relevant to this Guidance Note. For a complete list of definitions, please refer to the Protection of Personal Information Act 4 of 2013 (POPIA)1.1Data subject” means the person to whom personal information relates;1.2De-ldentify”, in relation to personal information of a data subject, means to delete any information that—(a)identifies the data subject;(b)can be used or manipulated by a reasonably foreseeable method to identify the data subject; or(c)can be linked by a reasonably foreseeable method to other information that identifies the data subject,1.3Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—(a)the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;(b)dissemination by means of transmission, distribution or making available in any other form; or(c)merging, linking, as well as restriction, degradation, erasure or destruction of information;1.4Public body” means—(d)any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or(e)any other functionary or institution when—(i)exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or(j)exercising a public power or performing a public function in terms of any legislation;[Please note: numbering as in original.]1.5Relevant function” for purposes of section 38(1) of POPIA, means any function—(a)of a public body; or(b)conferred on any person in terms of the law, which is performed with the view to protecting members of the public against—i)financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; orii)dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.1.6Responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
2.Introduction
2.1POPIA prescribes the eight (8) conditions for the lawful processing of personal information by or for a responsible party. These conditions are not applicable to the processing of personal information to the extent that such processing is exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.
2.2Processing of personal information is not in breach of a condition for the processing of such information if the—
2.2.1Regulator grants an exemption in terms of section 37; or
2.2.2processing is in accordance with section 38.
2.3In terms of section 37(1) of POPIA the Regulator may by notice in the Gazette grant an exemption to a responsible party to process certain personal information, even if that processing is in breach of a condition for the lawful processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that the requirements that are stated therein are met.
2.4In terms of section 38(1) of POPIA, personal information processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15 and 18 of POPIA in any case to the extent to which the application of those provisions to the personal information would be likely to prejudice the proper discharge of that function.
3.Purpose
3.1The purpose of this Guidance Note is to provide guidance to the responsible parties who—
3.1.1intend to apply for exemption in terms of section 37 of POPIA; or
3.1.2are exempt from the processing of personal information in respect of certain functions in terms of section 38 of POPIA.
3.2This document provides guidance only and the responsible parties are therefore required to ensure compliance with the relevant provisions of POPIA.
4.Exemptions from the conditions for lawful processing of personal information
4.1General
4.1.1Processing of personal information is not in breach of a condition for the processing of such information if the Regulator grants an exemption in terms of section 37 of POPIA or where processing is in accordance with section 38 of POPIA.
4.1.2The exemptions are strictly applicable in instances provided for in sections 37 and 38 of POPIA. They should not be routinely relied on and should be considered on a case-by-case basis.
4.1.3If an exemption is not applicable to the processing of personal information, the applicable conditions for lawful processing of personal information must be complied with.
4.1.4The Regulator may impose reasonable conditions in respect of any exemption granted in terms of section 37 of POPIA.
4.2Exemptions on applications
4.2.1The Regulator may, in terms of section 37(1) and on application by a responsible party (using the attached exemption application form), grant an exemption from complying with a specific condition when processing personal information, even if such processing is in breach of any of the condition for the lawful processing of such information, or any measure that gives effect to such condition.
4.2.2The responsible party applying for an exemption must satisfy the Regulator that either of the following requirements are met-
4.2.2.1processing is in the public interest; or
4.2.2.2processing involves a clear benefit to the data subject.
4.2.3Public interest
4.2.3.1The responsible party must satisfy the Regulator that:—
4.2.3.1.1the processing of personal information in question is in the public interest; and
4.2.3.1.2the public interest is so significant that it outweighs the data subject’s right to the protection of its or his or her personal information.
4.2.3.2POPIA does not define public interest but furnishes examples of what constitutes public interest, as stipulated in paragraph 4.2.3.4 below.
4.2.3.3Public interest is a wide and diverse concept that cannot and should not be limited in its scope and application. The definition of what constitutes public interest varies across jurisdictions and should be assessed on a case-by-case basis. In its very basic formulation, public interest is the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted, imposed or pursued in the spirit of equality and justice.
4.2.3.4In terms of section 37(2) of POPIA, public interest includes the following:
4.2.3.4.1the interests of national security;
a)“National Security” is not specifically defined in any law in South Africa. However, section 198 of the Constitution of the Republic of South Africa prescribed principles which govern national security in the Republic.
b)A responsible party who applies for an exemption from complying with a condition for lawful processing of personal information on the ground of national security should be guided by the following constitutional principles—
i)National security must reflect the resolve of South Africans, as individuals and as a nation, to live as equals, to live in peace and harmony, to be free from fear and want and to seek a better life.
ii)The resolve to live in peace and harmony precludes any South African citizen from participating in armed conflict, nationally or internationally, except as provided for in terms of the Constitution or national legislation.
iii)National security must be pursued in compliance with the law, including international law.
iv)National security is subject to the authority of Parliament and the national executive.
c)The responsible party will not be exempted if the impact of compliance would be trivial or is not linked to national security (e.g. to avoid embarrassment). The responsible party must be able to show—
i)how compliance with the privacy rights of data subjects jeopardises national security;
ii)that processing the personal information of the data subject is in the public interest as it safeguards the national security;
iii)that such public interest in the national security outweighs to a substantial degree the privacy rights of the data subject.
4.2.3.4.2the prevention, detection and prosecution of offences;
4.2.3.4.3important economic and financial interests of a public body;
a)A public body which intends investigating fraud and corruption that impacts its economic and financial interests may apply for exemption from any condition for lawful processing of processing of personal information.
4.2.3.4.4fostering compliance with legal provisions established in the interests referred to under paragraphs 4.2.3.4.2 and 4.2.3.4.3 above;
4.2.3.4.5historical, statistical or research activity; or
4.2.3.4.6the special importance of the interest in freedom of expression:
4.2.4Clear benefit to the data subject
4.2.4.1The responsible party should prove that:
4.2.4.1.1the processing involves a clear benefit to the data subject or a third party; and
4.2.4.1.2the clear benefit, referred to in paragraph 4.2.4.1.1 above, outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
4.2.4.2The responsible party must, in its application for an exemption—
4.2.4.2.1provide adequate reasons why processing of personal information, in breach of any of the conditions for lawful processing of personal information, will be to the benefit of the data subject;
4.2.4.2.2state the nature of the benefits to a data subject or a third party;
4.2.4.2.3specify how the benefit to a data subject or a third party outweighs, to a substantial degree, any interference with the privacy of such data subject or third party.
4.2.5An exemption in terms of section 37 of POPIA may not be a full exemption from all the conditions for the lawful processing of personal information but may only be granted for one or some of the conditions for the lawful processing of personal information.
4.2.6In the event that the Regulator is satisfied that the application for exemption meets the requirements listed in paragraph 4.2.3 or 4.2.4 above, it may impose reasonable conditions in respect of any exemption granted and these conditions will be decided on a case-by-case basis. The conditions may include, for example, the requirement for a responsible party to implement certain appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information.
4.2.7Before submitting the exemption application, a responsible party must consider whether its processing falls under—
4.2.7.1Exemptions provided for in section 37 of POPIA; or
4.2.7.2Exemptions provided for in section 38 of POPIA, as detailed in paragraph 4.3 below.
4.2.8A completed Exemption Application Form, attached hereto, may be submitted to the Regulator through the following channels—
4.2.8.1Email:exemptions.IR@justice.gov.za
4.2.8.2Postal:P.O Box 31533
Braamfontein
Johannesburg
2017
4.2.8.3Hand delivery:JD House
27 Stiemens Street
Braamfontein Johannesburg
2001
4.2.9Due to the current pandemic (Covid-19), the Regulator recommends that applications for exemptions in terms of section 37 of POPIA be submitted by email to limit the transmission of the virus. However, the Regulator will accept applications in accordance with paragraph 4.2.8.2 or 4.2.8.3 above.
4.2.10Once the exemption application is received and recorded in the system of the Regulator, the responsible party will receive an acknowledgement email or letter with a reference number for the application. When submitting additional information to the application, the responsible party must include the allocated reference number to enable the Regulator to link the additional information to the existing application.
4.3Exemption in respect of certain functions
4.3.1Section 38(1) of POPIA provides for an exemption from complying with sections 11(3) and (4), 12, 15 and 18 if the responsible party processes personal information for the purpose of discharging a relevant function.
4.3.2A relevant function for the purpose of section 38(1) of POPIA means any function—
4.3.2.1of a public body; or
4.3.2.2conferred on any person in terms of the law.
4.3.3The relevant function referred to in paragraph 4.3.2 above must be performed with the view to protect members of the public against—
4.3.3.1financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
4.3.3.2dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.
4.3.4The relevant function must comply with all the conditions for the lawful processing of personal information. However such function may be exempted from compliance with sections 11(3) and (4), 12, 15, and 18 of POPIA, in any case to the extent to which the application of these provisions to the personal information would be likely to prejudice the discharge of that function.
4.3.5The exempted functions referred to in paragraph 4.3.4 above, only relate to the following conditions—
4.3.5.1The data subject’s right to object to the processing of personal information, in terms of section 11(3) and (4);
4.3.5.2The obligation to ensure that personal information is collected directly from the data subject, in terms of section 12;
4.3.5.3The requirement that further processing must be compatible with purpose of collection, in terms of section 15; and
4.3.5.4The requirement to notify data subject when collecting personal information, in terms of section 18.
4.3.6The responsible party relying on any of the conditions referred to in paragraph 4.3.5 above, must document its reasons for relying on an exemption under section 38. Those reasons will be crucial when the Regulator investigates any complaint in terms section 74 of POPIA or conducts an assessment in terms of section 89 of POPIA.
5.Publication of an exemption noticeThe Regulator will, upon granting an exemption, publish a notice in the Gazette in terms of section 37(1) of POPIA. The exemption granted by the Regulator only comes into operation on the date of publication in the Gazette.
6.Contact details
6.1.If after reading this Guide, the responsible party still requires help in completing the exemption application form, they may contact our Customer Service Centre on—Email: exemptions.IR@justice.gov.za
6.2.Please note that the Regulator’s operating hours are from 08h30 am to 17h00 Monday to Friday only.

Exemption application form

NOTE: The personal information submitted herein shall be solely used for purposes of an exemption application submitted to the Information Regulator (“Regulator’) in terms of section 37(1) of the Protection of Personal Information Act 04 of 2013 (POPIA).All the information submitted herein shall be used for the purpose stated above, as mandated by POPIA. This Information may be disclosed to the public. The Regulator undertakes to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

Part A – Responsible party

Type of BodyPublic Body Private Body 
Full Name of the Body (Registered Name)
Trading Name		 
 
Registration No, if any 
Full Name of Information Officer 
Information Officer’s Registration Number 
Postal Address (Official) 
 
 
Physical Address (Official) 
 
 
Official Landline Number 
Official Cell Number 
Official Fax Number 
Official Email Address 
Website, if any 

Part B – Conditions for the lawful processing of personal information

Please select the condition(s) for lawful processing of personal information from which you apply to be exempted
Accountability-as referred to in section 8 
Processing limitation-as referred to in sections 9 to 12 
Purpose specification-as referred to in sections 13 and 14 
Further processing limitation-as referred to in section 15 
Information quality-as referred to in section 16 
Openness-as referred to in sections 17 and 18 
Security safeguard-as referred to in sections 19 to 22 
Data subject participation-as referred to in sections 23 to 25. 

Part C – Provide reasons why it is necessary for the responsible party to process personal information in breach of the conditions for lawful processing of personal information

The public interest in the processing of personal information outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing. 
Select the applicable public interesta)The interests of national security 
b)The prevention, detection and prosecution of offences 
c)Important economic and financial interests of a public body 
d)Fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c) above 
e)Historical, statistical or research activity 
f)The special importance of the interest in freedom of expression 
Specify any other public interest not specifically provided herein  
Please provide reasons how selected or specified public interest in the processing of personal information outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing. 
The processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
Please specify the nature of the clear benefits to a data subject or a third party. 
Please explain how the above-mentioned benefits to a data subject or a third outweigh, to a substantial degree, any interference with the privacy of such data subject or third party. 

Part D – Declaration

I declare that the information contained herein is true, correct and accurate.SIGNED and DATED at __________________ on this the ________ day of ________ 20______________________Information officer

Part E

The following information is required for statistical purposes. Please choose a sector(s) that apply to your body.
GovernmentPublic entitiesPrivate bodyProfession
ItemClassification of GovernmentXItemClassification of a public entityXItemName of industry or sectorXItemType of professionX
1.National Government 1.Constitutional Entities 1Education 1Legal 
2.Provincial Government 2.Schedule 2 Public entity 2Insurance 2Built environment 
3.Local Government 3.Schedule 3A Public entity 3Health facilities 3Financial 
Legislature4.Schedule 3B Public entity 4Telecommunications 4Medical and Allied Health Services 
Parliament 5.Schedule 3C Public entity 5Pharmaceutical Others, specify
Others, specify6Media and social media 
Gauteng Provincial Legislature    7Retail/Direct marketing 
Western Cape Provincial Legislature  8Tourism 5.  
Northern Cape Provincial Legislature 9Transportation, storage and logistics  
Limpopo Provincial Legislature 10Manufacturing/Production  
Northwest Provincial Legislature 11Banks 
Free State Provincial Legislature  12International organizations  
Mpumalanga Provincial Legislature 13Real estate 
14Credit bureaus 
Eastern Cape Provincial Legislature Others, specify
Kwazulu-Natal Provincial Legislature    
▲ To the top

Cited documents 2

Legislation 2
  1. Constitution of the Republic of South Africa, 1996
  2. Protection of Personal Information Act, 2013

Documents citing this one 0