Tax and Legal Insights | 4 min read

POPIA Explained – Part 5

By Lize de la Harpe, legal adviser

In the last edition we recapped on the eight conditions for the lawful processing of personal information and discussed Purpose Specification in detail.

In this edition we will move on to further processing limitation.

Let’s recap

As explained in the last edition, POPIA requires the responsible party to process personal information lawfully and in a manner that does not infringe on the privacy of data subjects.

In order for such processing to be “lawful” it must comply with the conditions as set out in the act.

Section 4 of POPI lists eight conditions for the lawful processing of personal information, namely:

  1. Accountability (as referred to in section 8);
  2. Processing Limitation (as referred to in sections 9 to 12);
  3. Purpose specification (as referred to in sections 13 and 14);
  4. Further processing limitation (as referred to in section 15);
  5. Information Quality (as referred to in section 16);
  6. Openness (as referred to in sections 17 and 18);
  7. Security safeguards (as referred to in sections 19 to 22); and
  8. Data subject participation (as referred to in sections 23 to 25).

Let’s look at Condition 4 (Further processing limitation) in more detail.

Further processing limitation - section 15

In the last edition I mentioned that Condition 3 (Purpose specification) states that the personal information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party.

This ties up specifically with Condition 4 (Further processing limitation). Section 15(1) states that further processing of personal information must be in accordance with, or compatible with, the original purpose of collection.

To put it differently: responsible parties may only process personal information for another (further) purpose if such processing is compatible with the original purpose for which it was collected.

Compatible with the original purpose

Whether further processing is compatible with the original purpose for which it was collected will depend on the circumstances. Although the act does not spell out what would be compatible, sections 15(2) and (3) at least give us some guidance as to what is meant by compatibility.

To determine whether or not further processing is compatible with the original purpose for collection, one should have regard to:

  1. the relationship between the initial purpose and the further purpose;
  2. the nature of the information;
  3. the consequences of the intended further processing for the data subject;
  4. the manner in which the information has been collected; and
  5. the contractual rights and obligations between the parties.

(*PS: in determining compatibility, responsible parties should also take the reasonable expectations of the data subject into account).

Section 15(3) then goes on to list instances where further processing will NOT be considered incompatible with the purpose of collection, such as where:

  • the data subject consented (*remember, such consent must be specific – we will cover the concept of “consent” in a later edition!); OR
  • the information is available in or derived from a public record or has deliberately been made public by the data subject; OR
  • further processing is necessary:
    1. for maintenance of the law by a public body, or
    2. to comply with an obligation imposed by law (*for example, providing information to the FSCA when requested to do so) or to enforce legislation relating to taxes (*for example providing client info to SARS);
    3. to conduct proceedings in a court or in a tribunal (*for example providing client info to an ombud or similar complaints body); or
    4. in the interests of national security; OR
  • further processing is necessary to prevent or mitigate a serious or imminent threat to:
    1. public health and public safety; or
    2. the life or health of the data subject or another individual; OR
  • the information is used for historical, statistical or research purposes and the further processing is solely for those purposes and will not be published in an identifiable form; OR
  • further processing is in accordance with an exemption granted under section 37.

To summarise: each time that a responsible party intends to further process personal information, the responsible party must first assess whether the further processing is compatible with the original purpose for which it was collected by using the factors as listed in section 15.

What would constitute further processing?

Examples of further processing include:

  • cross-selling;
  • the direct marketing of products to existing and potential customers (*PS: we will cover direct marketing in a separate edition); and
  • profiling (*PS: remember, information that has been de-identified to the extent that it cannot be re-identified again will be excluded!).

For this edition, I am going to focus specifically on cross-selling.

The term cross-selling typically refers to the practice of selling an additional product or service to an existing customer. To use an example in the financial services industry – financial advisers can often earn additional revenue by cross-selling additional products and services to their existing client base.

Questions to ask yourself before embarking on your cross-selling campaign (i.e. before you further process personal information):

  • is it compatible with the purpose for which it was collected? If not, you will need the data subject’s consent to do so (*PS: remember we will cover consent in a separate edition);
  • is the data subject aware of the continued use of their personal information? Remember, in terms of Condition 6 (Openness), when collecting personal information, you have to ensure that the data subject is aware of the information being collected and the purpose for which it will be used (*PS: we will discuss Openness in a later edition).

Conclusion

We have now covered Condition 4, namely Further processing limitation – in the next edition we will discuss the next two conditions, namely Information Quality (as referred to in section 16) and Openness (as referred to in sections 17 and 18).

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers
