Many have asked the question, “Do I need to sign these agreements?”
Before answering this question, we need to look at the POPI Act and find out under what circumstances personal information can be processed and whether obtaining consent is the only way in which a data subject’s personal information can be processed. From what has been in circulation recently, it appears that there is a misunderstanding or misinterpretation of the Act and its application.
Section 11 of the Protection of Personal Information Act clearly sets out circumstances under which information can be processed lawfully. These are:
- Where the data subject, or a competent person where the data subject is a child, consents to the processing;
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- Processing complies with an obligation imposed by law on the responsible party;
- Processing protects a legitimate interest of the data subject;
- Processing is necessary for the proper performance of a public law duty by a public body; or
- Processing is necessary for pursuing the legitimate interest of the responsible party or of a third party to whom the information is supplied.
Considering the above-mentioned, a signed document plays a crucial part for the business that bears the onus of proof to show that the data subject or competent person has consented to the processing of the personal information. However, this is not the only way.
A business will process the personal information of a data subject (also known as the customer) in the course and scope of business. In order to effectively render a service or to have goods delivered, personal information must be processed. Most of the time, the data subject will be furnishing the supplier of goods or services with the personal information himself/herself/itself. In the ordinary course of business, a quotation, or a tax invoice (after the work has been effected), may need to be sent to a data subject via email. This use of the data subject’s email address, in this case, would be necessary for the performance or conclusion of a contract. Therefore, specific consent to have these documents sent via email would become unnecessary and excessive. I find it hard to believe that it would be the intention of the legislature for businesses to obtain consent for every single action and get permission by way of signature specifically. Therefore, Section 11 makes provision for businesses to use information as is necessary.
Let us take another scenario. A business enters into a sale agreement with a data subject. The business has the goods on hand and now needs to outsource the delivery to have the goods sent to the data subject. This scenario would require the business to engage the services of a third-party delivery company (TPDC). In order for the TPDC to effect delivery, the business would need to provide the TPDC with the data subject’s physical address and, if possible, a contact number. This is where the data processing agreement becomes necessary between the business and the third-party delivery company. This data processing agreement would set out what the TPDC can and cannot do with the data subject’s personal information. The data processing agreement must also make provision for the TPDC to keep the personal information secure and for the personal information not to be used for any other purposes.
At this stage, it is also important to understand the definition of an operator as defined in the Act. An operator is defined as a person who processes personal information for a responsible party in terms of a contract of mandate, without coming under the direct authority of that party. One needs to distinguish between the processing of information. Note that if a business is processing another business’s landline number or email address, which is already in the public record or public domain, this landline number and email address cannot be considered personal information of that particular business. Whereas, if you look at the example in the preceding paragraph, the TPDC would be an operator because it processes personal information for a responsible party.
It is imperative for a business to understand what is contained in data processing agreements as all are not the same. Some make mention of specific security measures which a business expects you to have, and should you not comply with this after signing the agreement, then you will be in breach of such agreement. Other agreements allow a business to share information with you to gain access to your premises to assess your security measures and to perform audits on your business’s compliance with the POPI Act.
Therefore, data processing agreements are important as long as they are used in the correct context. Be aware of your business’s role in the industry and ensure that what you are signing actually applies to your business. Lastly, be sure that you are comfortable with the obligations placed on your business due to signing any agreements as some obligations are not necessarily that which the Act specifically allows for.
Contact your SEESA Consumer Protection & POPI Legal Advisor to assist your business with any POPI-related queries you might have. Alternatively, SMS the word “SEESA” to 45776 for an expert legal advisor to contact you.
References:
Protection of Personal Information Act, Act No. 4 of 2013
About the author:
Ashlin Naidoo is a Consumer Protection & POPI Legal Advisor at SEESA’s Durban office. He obtained his LLB from the University of KwaZulu-Natal.

