{"id":104936,"date":"2025-04-29T10:14:15","date_gmt":"2025-04-29T10:14:15","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=104936"},"modified":"2025-08-27T09:45:08","modified_gmt":"2025-08-27T09:45:08","slug":"south-africa-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/south-africa-data-protection-cybersecurity\/","title":{"rendered":"South Africa: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-104936","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-south-africa"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">White &amp; Case Inc.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/08\/White_Case_logo_RGB.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">White &amp; Case Inc.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/08\/White_Case_logo_RGB.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in South Africa<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework 
governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection, privacy and cybersecurity in South Africa are primarily regulated by the following legislation:<\/p>\n<p>(a) the Protection of Personal Information Act, 4 of 2013 (<strong>POPIA<\/strong>), which establishes minimum requirements for the processing of personal information;<\/p>\n<p>(b) the Promotion of Access to Information Act, 2 of 2000 (<strong>PAIA<\/strong>), which gives effect to the constitutional right of access to information;<\/p>\n<p>(c) the Consumer Protection Act, 68 of 2008 (<strong>CPA<\/strong>), which regulates direct marketing to consumers; and<\/p>\n<p>(d) the Cybercrimes Act, 19 of 2020 (<strong>Cybercrimes Act<\/strong>) which regulates cybersecurity.<\/p>\n<p>We set out an overview of the legislative frameworks below.<\/p>\n<p><strong>(a) <\/strong><strong>POPIA<\/strong><\/p>\n<p>POPIA applies to the processing of personal information:<\/p>\n<ol style=\"padding-left: 0\" type=\"i\">\n<li>entered in a record by or for a responsible party by making use of automated or non-automated means (provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part of a filing system); and<\/li>\n<li>where the responsible party is domiciled in South Africa or not domiciled in South Africa but makes use of automated or non-automated means in South Africa (unless those means are used only to forward information through South Africa).<\/li>\n<\/ol>\n<p>Importantly, personal information includes that of natural persons and juristic persons (i.e., incorporated entities). 
The &#8220;processing&#8221; of personal information is broadly defined and includes the collection, receipt, recording, organisation, collation, storage, updating, modification, dissemination, merging, restriction, erasure or destruction of personal information.<\/p>\n<p>The safeguards established by POPIA include: (i) minimum requirements for the processing of personal information; (ii) the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions, both in terms of POPIA and PAIA; (iii) to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; and (iv) to regulate the flow of personal information across the borders of South Africa.<\/p>\n<p><strong>(b) <\/strong><strong>PAIA<\/strong><\/p>\n<p>PAIA was enacted to give effect to the constitutional right of access to any information held by the State and any information that is held by another person, including private entities, required for the exercise or protection of any rights.<\/p>\n<p>PAIA, read together with POPIA, requires that public and private bodies register an information officer and deputy information officers, as necessary, to ensure compliance with POPIA and to deal with information requests made in terms of PAIA.<\/p>\n<p><strong>(c) <\/strong><strong>CPA<\/strong><\/p>\n<p>While the CPA is geared towards establishing norms and standards relating to consumer protection and improved standards of consumer information, it also applies to direct marketing, particularly, a consumer&#8217;s right to restrict unwanted direct marketing. 
In this respect, the provisions in POPIA and the CPA overlap but they differ in their application in respect of the types and instances of direct marketing.<\/p>\n<p><strong>(d) <\/strong><strong>Cybercrimes Act<\/strong><\/p>\n<p>The Cybercrimes Act criminalizes various cyber-related offenses, including unlawful access to data, interception of data, cyber fraud, and the distribution of malicious software. The Cybercrimes Act has broad application in that it applies to any offense committed within South Africa and may also apply extraterritorially if the conduct has an impact within South Africa.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No, we do not anticipate material changes; however, we are anticipating a cybersecurity bill at some stage in the future, there being no legislation governing aspects related to cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no licensing requirements; however, all private and public entities that process personal information are required to register their information officer and deputy information officers with the Information Regulator. There are currently no specific exemptions from this requirement.<\/p>\n<p>Under POPIA, a failure to appoint an information officer or deputy information officers may result in an information or enforcement notice by the Information Regulator. If a responsible party fails to comply with either an information or enforcement notice, they are guilty of an offence and are liable to a fine or to imprisonment for a period not exceeding ten years, or to both a fine and such imprisonment.<\/p>\n<p>If an enforcement notice is served in terms of POPIA and the private body fails to comply, the information officer or head of the private body who refuses to comply with an enforcement notice is guilty of an offence and liable upon conviction to a fine or imprisonment for a period not exceeding three years or to both such a fine and imprisonment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? 
What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>POPIA defines personal information as information relating to an identifiable, living, natural person and where applicable, an identifiable, existing juristic person, including but not limited to:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person);<\/li>\n<li>information relating to the education or the medical, financial, criminal or employment history of the person;<\/li>\n<li>any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;<\/li>\n<li>the biometric information of the person;<\/li>\n<li>the personal opinions, views or preferences of the person;<\/li>\n<li>correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;<\/li>\n<li>the views or opinions of another individual about the person; and<\/li>\n<li>the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.<\/li>\n<\/ol>\n<p>Special personal information (akin to sensitive personal data) includes: (a) religious or philosophical beliefs; (b) race or ethnic origin; (c) trade union membership; (d) political persuasion; (e) health or sex life; (f) biometric 
information; and (g) criminal behaviour.<\/p>\n<p>A &#8220;responsible party&#8221; (akin to a data controller) is defined as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. An &#8220;operator&#8221; (akin to a data processor), on the other hand, is defined as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.<\/p>\n<p>A data subject may be a natural person or a juristic person (i.e., an incorporated entity).<\/p>\n<p>&#8220;Processing&#8221; means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;<\/li>\n<li>dissemination by means of transmission, distribution or making available in any other form; or<\/li>\n<li>merging, linking as well as restriction, degradation, erasure or destruction of information.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? 
Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are eight principles (referred to in POPIA as conditions) which apply to the processing of personal information:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li><strong>Accountability<\/strong>: The responsible party is required to ensure compliance with the conditions for processing.<\/li>\n<li><strong>Processing limitation<\/strong>: The processing of personal information must be lawful and in a reasonable manner that does not infringe the privacy of the data subject. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive, and it must be collected directly from the data subject, except as otherwise provided. In addition, personal information may only be processed if:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>a data subject, or a competent person where the data subject is a child, consents to the processing;<\/li>\n<li>the processing is required to carry out actions for the conclusion or performance of a contract to which the data subject is a party;<\/li>\n<li>the processing complies with an obligation imposed by law on the responsible party;<\/li>\n<li>the processing protects a legitimate interest of the data subject;<\/li>\n<li>the processing is necessary for the proper performance of a public law duty by a public body; or<\/li>\n<li>the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Purpose specification<\/strong>: Personal information must be collected for a specific, explicitly defined and lawful purpose and records of personal information must not be retained any longer than is necessary for achieving such 
purpose.<\/li>\n<li><strong>Further processing limitation<\/strong>: Further processing must be in accordance or compatible with the original purpose for which it was collected.<\/li>\n<li><strong>Information quality<\/strong>: A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.<\/li>\n<li><strong>Openness<\/strong>: The responsible party must record and take steps to ensure that the data subject is aware of certain facts, including that information is being collected, the name and address of the responsible party and the purpose for which the information is being collected.<\/li>\n<li><strong>Security safeguards<\/strong>: A responsible party must secure the integrity and confidentiality of personal information through appropriate measures. These include requisite written contracts in certain instances, and notification obligations in relation to security compromises (the equivalent of data breaches).<\/li>\n<li><strong>Data subject participation<\/strong>: Data subjects acquire rights against responsible parties, including, the rights to:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject;<\/li>\n<li>request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information; and<\/li>\n<li>in the prescribed manner, request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully or destroy or delete a record of personal information about the 
data subject that the responsible party is no longer authorised to retain.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Consent is not a requirement but one of the justifications for processing personal information, meaning that other justifications may be relied on for processing personal information.<\/p>\n<p>Consent cannot be implied; consent is defined as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Similarly, consent may be withdrawn.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is a general prohibition on processing special personal information and the information of children, but the prohibition is not applicable if the:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>processing is carried out with the consent of a data subject (or a competent person, in the case of a child);<\/li>\n<li>processing is necessary for the establishment, exercise or defence of a right or obligation in law;<\/li>\n<li>processing is necessary to comply with an obligation of international public law;<\/li>\n<li>processing is for historical, statistical or research purposes to the extent that: (i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or (ii) it appears to be impossible or would involve a disproportionate effort to ask for consent; and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;<\/li>\n<li>information has deliberately been made public by the data subject (or child with the consent of a competent person); or<\/li>\n<li>specific authorisations in respect of the relevant category of special personal information are met.<\/li>\n<\/ol>\n<p>POPIA places a general prohibition on the processing of a child&#8217;s personal information, unless there is consent from a competent person or it is necessary for an obligation in law or for historical, statistical or research purposes that serve a public interest.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection 
laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, POPIA does not apply to the processing of personal information:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>in the course of a purely personal or household activity;<\/li>\n<li>information that has been de-identified to the extent that it cannot be re-identified again;<\/li>\n<li>information by or on behalf of a public body: (i) which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public strategy; or (ii) the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;<\/li>\n<li>by the South African Cabinet and its committees or the Executive Council of a province; or<\/li>\n<li>relating to the judicial functions of a court.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? 
How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the Regulations relating to the Protection of Personal Information (GNR.1383 of 14 December 2018) (<strong>POPIA Regulations<\/strong>) impose a responsibility on an information officer to ensure that a &#8220;<em>personal information impact assessment is done to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information<\/em>&#8221;. The Information Regulator has not published any specific guidelines that deal with how these assessments should be carried out.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, there are specific codes of conduct which govern the Banking Association of South Africa and the South African Credit Bureau Association.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, organisations are required to maintain the documentation of their processing activities in terms of PAIA. This requirement is met by public and private bodies by making a manual available on the website (if any) at its principal place of business for inspection during normal business hours or to the Information Regulator upon request, which contains, <em>inter alia<\/em>,<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>a notice regarding the categories of record of the body which are available without a person having to request access in terms of PAIA (if any);<\/li>\n<li>a description of the records of the body which are available in accordance with any other legislation;<\/li>\n<li>sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject; and<\/li>\n<li>insofar as POPIA is concerned:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>the purpose of the processing;<\/li>\n<li>a description of the categories of data subjects and of the information or categories of information relating thereto;<\/li>\n<li>the recipients or categories of recipients to whom the personal information may be supplied;<\/li>\n<li>planned transborder flows of personal information; and<\/li>\n<li>a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 
class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless\u2014<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>retention of the record is required or authorised by law;<\/li>\n<li>the responsible party reasonably requires the record for lawful purposes related to its functions or activities;<\/li>\n<li>retention of the record is required by a contract between the parties thereto; or<\/li>\n<li>the data subject or a competent person where the data subject is a child has consented to the retention of the record.<\/li>\n<\/ol>\n<p>Records of personal information may be retained for periods in excess of that which is necessary for achieving its original purpose, for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes. 
In addition, a responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must: (a) retain the record for such period as may be required or prescribed by law or a code of conduct; or (b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.<\/p>\n<p>As soon as reasonably practicable after a responsible party is no longer authorised to retain the record, it must destroy or delete a record of personal information or de-identify it. The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>A responsible party is required to consult, notify or obtain approval from the Information Regulator:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person;<\/li>\n<li>if the responsible party applies for an authorisation to process special personal information or the personal information of children;<\/li>\n<li>if the responsible party applies for an exemption from the conditions for processing of personal information;<\/li>\n<li>for prior authorisation if the responsible party intends to:\n<ol 
style=\"padding-left: 5\" type=\"i\">\n<li>process any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties;<\/li>\n<li>process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;<\/li>\n<li>process information for the purposes of credit reporting; or<\/li>\n<li>transfer special personal information, as referred to in section 26, or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information; and<\/li>\n<\/ol>\n<\/li>\n<li>in pre-investigation and investigation conducted in terms of POPIA and PAIA.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, PAIA, read together with POPIA, requires that public and private bodies register an information officer and deputy information officers, as necessary, to ensure compliance with POPIA and to deal with information requests made in terms of PAIA.<\/p>\n<p>The duties and responsibilities of information officers include:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;<\/li>\n<li>dealing with requests made to the body pursuant to POPIA;<\/li>\n<li>working with the Regulator in relation to investigations;<\/li>\n<li>otherwise ensuring compliance by the body with the provisions of POPIA; and<\/li>\n<li>as may be prescribed.<\/li>\n<\/ol>\n<p>In addition to the above, the POPIA Regulations prescribe further responsibilities, which require that an information officer ensure that:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>a compliance framework is developed, implemented, monitored and maintained;<\/li>\n<li>a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;<\/li>\n<li>a manual is developed, monitored, maintained and made available as prescribed in PAIA and to provide copies of the manual to any person upon request and upon payment of a prescribed fee;<\/li>\n<li>internal measures are developed together with adequate systems to process requests for information or access thereto; and<\/li>\n<li>internal awareness sessions are conducted regarding the provisions of POPIA, its regulations, codes of conduct, or information obtained from the Information 
Regulator.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The POPIA Regulations require that an information officer ensure that internal awareness sessions are conducted regarding the provisions of POPIA, its regulations, codes of conduct, or information obtained from the Information Regulator.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the information being collected and where the information is not collected from the data subject, the source from which it is collected;<\/li>\n<li>the name and address of the responsible party;<\/li>\n<li>the purpose for which the information is being collected;<\/li>\n<li>whether or not the supply of the information by that data subject is voluntary or mandatory;<\/li>\n<li>the consequences of failure to provide the information;<\/li>\n<li>any particular law authorising or requiring the collection of the information;<\/li>\n<li>the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation; and<\/li>\n<li>any further information such as the: (i) recipient or category of recipients of the information; (ii) nature or category of the information; (iii) existence of the right of access to and the right to rectify the information collected; (iv) the existence of the right to object to the processing of personal information as prescribed in POPIA; and (v) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator, which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? 
If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. A responsible party (akin to a data controller) is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. An operator (akin to a data processor), on the other hand, is defined as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.<\/p>\n<p>As such, the responsible party is accountable for upholding and maintaining its responsibilities in terms of POPIA and for enforcing those same responsibilities on the operator in terms of a written mandate.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>A data subject has the right not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of their personal information intended to provide a profile of that data subject. 
These circumstances are that a data subject may not be subject to a decision which results in legal consequences for them or which affects them to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including their performance at work, or their credit worthiness, reliability, location, health, personal preferences or conduct.<\/p>\n<p>This restriction does not apply if the decision: (a) has been taken in connection with the conclusion or execution of a contract, and (i) the request of the data subject in terms of the contract has been met; or (ii) appropriate measures have been taken to protect the data subject&#8217;s legitimate interests; or (b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.<\/p>\n<p>The appropriate measures, referred to above must: (a) provide an opportunity for a data subject to make representations about an automated decision; and (b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the automated processing of the information relating to them to enable them to make representations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>If the targeted or behavioural advertising is conducted by way of automated decision making, then the same considerations in the answer to question 18 will apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>POPIA does not explicitly regulate the sale of personal data or &#8220;lead generation&#8221; for the purposes of direct marketing.<\/p>\n<p>Where responsible parties share the contact details of data subjects with other responsible parties and where third parties sell or rent lists in the context of direct marketing, this is deemed as further processing, and such processing must comply with the conditions for lawful processing, which include processing limitations (e.g., the processing must be relevant and for the purpose for which it was originally processed), purpose and specification (e.g., the processing must have a specific, explicitly defined purpose) and openness (i.e., notification to the data subject).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. 
How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail, is prohibited unless the data subject:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>has given their consent to the processing; or<\/li>\n<li>is, subject to certain restrictions, a customer of the responsible party.<\/li>\n<\/ol>\n<p>A responsible party may approach a data subject: (a) whose consent is required; and (b) who has not previously withheld such consent, only once in order to request the consent of that data subject. The data subject&#8217;s consent must be requested in the prescribed manner and form.<\/p>\n<p>If the data subject is a customer of the responsible party, a responsible party may only process their personal information if:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;<\/li>\n<li>the processing is for the purpose of direct marketing of the responsible party&#8217;s own similar products or services; and<\/li>\n<li>the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of their electronic details: (i) at the time when the information was collected; and (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.<\/li>\n<\/ol>\n<p>The CPA regulates direct marketing that takes place through telephone calls (as opposed to automatic calling machines) and provides the consumer with a right to:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>refuse to 
accept;<\/li>\n<li>require another person to discontinue; or<\/li>\n<li>in the case of an approach other than in person,<\/li>\n<\/ol>\n<p>to pre-emptively block, any approach or communication to that person, if the approach or communication is primarily for the purpose of direct marketing.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>POPIA defines &#8220;<em>biometrics<\/em>&#8221; as a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.<\/p>\n<p>Biometric data is categorised as special personal information under POPIA. 
Apart from the requirements in the answer to question 7 above, a responsible party can also rely on the following three grounds to process biometric information, namely, if:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law;<\/li>\n<li>the processing of information concerning personnel in the service of the responsible party takes place in accordance with the rules established in compliance with labour legislation; and<\/li>\n<li>such processing is necessary to supplement the processing of information on criminal behaviour or biometric information as permitted.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>AI remains largely unregulated; however, it is likely that the restrictions on automated decisions would apply if decisions made by an AI programme meet the requirements set out in the answer to question 18.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. A responsible party in South Africa may not transfer personal information about a data subject to a third party who is in a foreign country unless:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and<\/li>\n<li>includes provisions, substantially similar to those in POPIA, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;<\/li>\n<\/ol>\n<\/li>\n<li>the data subject consents to the transfer;<\/li>\n<li>the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject\u2019s request;<\/li>\n<li>the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or<\/li>\n<li>the transfer is for the benefit of the data subject, and (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and (ii) if it were reasonably practicable to obtain such 
consent, the data subject would be likely to give it.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent: (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information. In order to give effect to this, the responsible party must take reasonable measures to:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;<\/li>\n<li>establish and maintain appropriate safeguards against the risks identified;<\/li>\n<li>regularly verify that the safeguards are effectively implemented; and<\/li>\n<li>ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.<\/li>\n<\/ol>\n<p>The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.<\/p>\n<p>Where information is processed by an operator or anyone processing personal information on behalf of a responsible party or an operator, that operator must:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>process such information only with the knowledge or authorisation of the responsible 
party; and<\/li>\n<li>treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.<\/li>\n<\/ol>\n<p>In addition, a responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to above.<\/p>\n<p>Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify: (a) the Information Regulator; and (b) subject to certain conditions, the data subject, unless the identity of such data subject cannot be established.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>POPIA refers to a security compromise (as opposed to a data breach) and requires that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and affected data subjects (subject to certain requirements). 
Unfortunately, there is no <em>de minimis<\/em> requirement for reporting a security compromise, and it appears that all security compromises must be reported.<\/p>\n<p>The notification to the Information Regulator and data subjects must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party\u2019s information system. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned. The notification to a data subject referred to above must be in writing and communicated to the data subject in at least one of the following ways:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>mailed to the data subject\u2019s last known physical or postal address;<\/li>\n<li>sent by e-mail to the data subject\u2019s last known e-mail address;<\/li>\n<li>placed in a prominent position on the website of the responsible party;<\/li>\n<li>published in the news media; or<\/li>\n<li>as may be directed by the Regulator.<\/li>\n<\/ol>\n<p>The notification must also provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including: (a) a description of the possible consequences of the security compromise; (b) a description of the measures that the responsible party intends to take or has taken to address the security compromise; (c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and (d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal 
information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. A data subject has the right to have their personal information processed in terms of the conditions for lawful processing, including the right:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>to be notified that: (i) personal information about them is being collected; or (ii) their personal information has been accessed or acquired by an unauthorised person in a security compromise;<\/li>\n<li>to establish whether a responsible party holds personal information of that data subject and to request access to their personal information;<\/li>\n<li>to request, where necessary, the correction, destruction or deletion of their personal information;<\/li>\n<li>to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as prescribed;<\/li>\n<li>to object to the processing of his, her or its personal information: (i) at any time for purposes of direct marketing; or (ii) in response to a request from a responsible party where the data subject is a customer;<\/li>\n<li>not to have their personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as provided for in POPIA;<\/li>\n<li>not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal 
information intended to provide a profile of such person;<\/li>\n<li>to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator; and<\/li>\n<li>to institute civil proceedings regarding the alleged interference with the protection of their personal information.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Data subjects have the right to institute civil proceedings regarding the alleged interference with the protection of their personal information. This right enables data subjects to institute a claim for damages for the breach of certain provisions of POPIA, without having to prove negligence.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
A court may award an amount that is just and equitable, including: (a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of POPIA; (b) aggravated damages, in a sum determined in the discretion of the court; (c) interest; and (d) costs of suit on such scale as may be determined by the court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Information Regulator typically enforces the provisions of POPIA and PAIA. The enforcement mechanism involves a combination of oversight, compliance monitoring, investigation of complaints, and imposition of fines for non-compliance.<\/p>\n<p>If the Information Regulator finds that a responsible party is not complying with POPIA, it can issue an information or enforcement notice, the latter detailing the steps the responsible party must take to remedy the non-compliance within a specific timeframe.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Any person convicted of an offence in terms of POPIA, is liable to a fine or to a maximum imprisonment for a period of ten years, or to both a fine and such imprisonment. 
If a responsible party is alleged to have committed an offence, the Information Regulator may choose to deliver an infringement notice imposing an administrative fine, which may not exceed ZAR 10 million.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>POPIA does not specify the exact calculation method for fines, but in the case of administrative fines, the Information Regulator must consider the following factors:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>the nature of the personal information involved;<\/li>\n<li>the duration and extent of the contravention;<\/li>\n<li>the number of data subjects affected or potentially affected by the contravention;<\/li>\n<li>whether or not the contravention raises an issue of public importance;<\/li>\n<li>the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;<\/li>\n<li>whether the responsible party or a third party could have prevented the contravention from occurring;<\/li>\n<li>any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and<\/li>\n<li>whether the responsible party has previously committed an offence in terms of POPIA.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. A responsible party on whom an information or enforcement notice has been served may, within thirty days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Information Regulator periodically conducts assessments on public and private bodies, focusing on specific sectors in each quarter of the year, for compliance with the provisions of POPIA and PAIA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the Cybercrimes Act does not explicitly mandate specific cybersecurity measures, its provisions imply the need for organizations to implement certain cybersecurity practices to comply with the law and protect against cybercrimes. 
These practices may include:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>incident response plans;<\/li>\n<li>access controls and monitoring policies;<\/li>\n<li>data protection and retention policies; and<\/li>\n<li>cybersecurity awareness.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Under the Cybercrimes Act, electronic communications service providers and financial institutions must report any cybercrime involving their electronic communications service or network to the Information Regulator and the South African Police Service (<strong>SAPS<\/strong>) within\u00a072 hours\u00a0of becoming aware of the offence.\u00a0 Any information which may be of assistance to the SAPS in conducting their investigation must also be preserved. 
A failure to comply with these obligations may upon conviction attract a fine of up to ZAR 50 000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The South African Reserve Bank has issued a directive outlining cybersecurity and cyber-resilience requirements for payment institutions and operators within the national payment system, which includes reporting requirements for cyber incidents, vulnerability assessments and the need for continuous monitoring. 
South African banks are also subject to PCI DSS, an industry standard imposed contractually through the card schemes rather than by legislation, which sets out security requirements for handling payment card data to prevent fraud and data breaches.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>International cybersecurity standards significantly influence local laws and regulations. Standards such as ISO\/IEC 27001 (Information Security Management Systems), the NIST Cybersecurity Framework and, to an extent, the General Data Protection Regulation set benchmarks for cybersecurity practices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, cybersecurity laws in South Africa impose specific obligations in the context of cybersecurity incidents. These obligations are primarily set out in POPIA and the Cybercrimes Act. 
Both laws provide definitions and requirements for reporting cybersecurity incidents to various stakeholders, including regulators, impacted individuals, law enforcement, and other relevant entities.<\/p>\n<p>Under POPIA, a data breach or security compromise is defined broadly to mean that there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. Responsible parties must notify the Information Regulator and data subjects (subject to certain requirements) as soon as reasonably possible after becoming aware of the security compromise.<\/p>\n<p>The Cybercrimes Act defines various cybercrimes, including unlawful access to data, unlawful interception of data, cyber fraud, cyber extortion, and the unlawful distribution of malware. Electronic communications service providers and financial institutions are required to report certain cybercrimes to the SAPS within 72 hours of becoming aware of them.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The enforcement of the Cybercrimes Act is primarily the responsibility of law enforcement agencies, particularly the SAPS, in collaboration with other relevant authorities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" 
style=\"display:none;\"><p>The SAPS is empowered to investigate cybercrimes as defined under the Cybercrimes Act, which include unlawful access to data, cyber fraud and other cyber-related offences. SAPS has the authority to conduct searches and seize evidence related to cybercrimes. This may involve accessing computer systems, networks and data storage devices. SAPS may also issue preservation orders requiring entities, such as electronic communications service providers, to preserve data that is relevant to an investigation of a cybercrime.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybercrimes Act creates criminal offences relating to data, computer systems and networks, and imposes reporting and evidence-preservation obligations on electronic communications service providers and financial institutions. 
Contravention of the Cybercrimes Act may, upon conviction, result in a fine, imprisonment of up to fifteen years, or both; a failure by an electronic communications service provider or financial institution to comply with its reporting and preservation obligations attracts a fine of up to ZAR 50 000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Cybercrimes Act does not provide for any specific guidelines for the calculation of such fines.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. While the Cybercrimes Act does not provide a detailed, specific appeals process for every type of enforcement action, individuals and organisations generally have the right to contest enforcement decisions through the existing legal and judicial frameworks. 
This includes search and seizure warrants or orders issued by law enforcement agencies, which can be challenged in court.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>South Africa still requires comprehensive legislation addressing cybersecurity issues (as opposed to cybercrimes which have been addressed in the Cybercrimes Act). It could benefit from stronger enforcement agencies, who are only just beginning to flex their newfound powers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">8534<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/104936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=104936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}