Page 54 - Nexia SAB&T Business in South Africa Guide 2024
P. 54

of personal information. “Processing” includes collecting, receiving, recording,
       organising, retrieving, or using such information; or disseminating, distributing or
       making such personal information of the data subject, available.
       “Personal information” includes a wide range of information that can be used
       to identify a data subject. It relates to information pertaining to an identifiable,
       living natural person, and where it is applicable, an identifiable existing juristic
       person, including and not limited to information relating to race, gender, marital
       status, pregnancy, ethnic or social origin, colour, sexual orientation, age, physical
       or mental health, well-being, disability, religion, conscience, belief, culture,
       language and birth.
       In order to comply with POPIA, public and private bodies or ‘organisations’ are
       required to implement a ‘POPI’ programme to ensure that the safety and privacy
       of the personal information for their ‘data subjects’ is protected. This applies
       to their information capturing, storage and usage systems. The Act requires
       that businesses in SA identify and appoint an Information Officer within their
       organisation. He is responsible for encouraging compliance to the conditions
       for the lawful processing of personal information as set out in POPIA, within the
       organisation, and is also required to work with the Information Regulator, with
       regards to any investigations it may conduct in terms of the Act.
       The Information Regulator (IR) is responsible for the enforcement of POPIA’s
       provisions, as well as handling of complaints, performing research and facilitating
       cross-border co-operation. Should a business be in violation of any of POPIA’s
       provisions, the IR may issue an enforcement notice. If the enforcement notice is
       not complied with, the penalty that may be imposed is a fine or imprisonment,
       or both. Up to twelve months imprisonment may be imposed for lesser offences,
       and up to ten years for more serious offences. The maximum fine that may be
       imposed is R10-million.
       A company may transfer personal information to recipients in locations outside
       SA if the recipient country has data protection laws similar to POPIA.






                              52
   49   50   51   52   53   54   55   56   57   58   59