Do you have a legal basis for processing personal information?

Do you have a legal basis for processing personal information?

Section 11 of the Protection of Personal Information Act (POPI) “Consent, justification and objection”, forms part of the second condition for lawful processing, namely “processing limitation”. The purpose of this condition is to make the responsible party (the Party that determines the purpose of and means for processing personal information) aware that there are restrictions on the processing of personal information.

Personal information should only be processed if the purpose of the processing could not reasonably be fulfilled by other means and if there is a valid lawful basis in order to process personal data.

There are 6 justification grounds in order to lawfully process personal information. The POPI Act calls for accountability in the way a company processes personal information. Therefore a company should clearly document their lawful basis so that they can demonstrate their compliance in line with the POPI Act. The lawful basis will have to be determined before a company may start processing personal information.

No single basis is more important than the other and there are no hierarchy in the order of the list. The basis most appropriate to use will depend on the company’s purpose and relationship with the individual.

The 6 justification grounds include:

  1. Consent: The individual has given clear consent for a business to process the data subject’s personal data for a specific purpose.
  2. Contract: The processing is necessary for the performance or conclusion of a contract to which the data subject is a party.
  3. Legal obligation: The processing is necessary as it complies with an obligation imposed by law.
  4. Legitimate Interest: Processing protects the legitimate interests of the data subject.
  5. Public law: The processing is necessary to perform a public law duty by a public body.
  6. Legitimate interests: The processing is necessary for pursuing the legitimate interests of the responsible party or the legitimate interests of a third party to whom the information is supplied.

The POPI Act further requires one to act in a reasonable manner and collect and process personal information in a manner that could be defended. It is of vital importance that the personal information only be processed, providing the purpose for which it is processed is adequate, relevant and not excessive. Businesses need to take into account the interest and reasonable expectations of the data subject when processing personal information.

Companies must also ensure that they operate in a transparent manner and that they inform clients upfront about their lawful basis for processing information.


Melindi Dean is a SEESA Consumer Protection & POPI legal advisor in Pretoria. She graduated from the University of South Africa with her LLB degree Cum Laude. She started her career at SEESA in 2018.


Leave a reply

Your email address will not be published. Required fields are marked *