This Act applies to the processing of personal information—entered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and
where the responsible party is— domiciled in the Republic; or
not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.
If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.
This Act must be interpreted in a manner that—gives effect to the purpose of the Act set out in section 2; and
does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of personal information and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of personal information.
‘‘Automated means’’, for the purposes of this section, means any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
The conditions for the lawful processing of personal information by or for a responsible party are the following:
‘‘Accountability’’, as referred to in section 8;
‘‘Processing limitation’’, as referred to in sections 9 to 12;
‘‘Purpose specification’’, as referred to in sections 13 and 14;
‘‘Further processing limitation’’, as referred to in section 15;
‘‘Information quality’’, as referred to in section 16;
‘‘Openness’’, as referred to in sections 17 and 18;
‘‘Security safeguards’’, as referred to in sections 19 to 22; and
‘‘Data subject participation’’, as referred to in sections 23 to 25.
The conditions, as referred to in subsection (1), are not applicable to the processing of personal information to the extent that such processing is—excluded, in terms of section 6 or 7, from the operation of this Act; or
exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.
The processing of the special personal information of a data subject is prohibited in terms of section 26, unless the—provisions of sections 27 to 33 are applicable; or
Regulator has granted an authorisation in terms of section 27(2), in which case, subject to section 37 or 38, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
The processing of the personal information of a child is prohibited in terms of section 34, unless the—provisions of section 35(1) are applicable; or
Regulator has granted an authorisation in terms of section 35(2), in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
The processing of the special personal information of a child is prohibited in terms of sections 26 and 34 unless the provisions of sections 27 and 35 are applicable in which case, subject to section 37, the conditions for the lawful processing of personal information as referred to in Chapter 3 must be complied with.
The conditions for the lawful processing of personal information by or for a responsible party for the purpose of direct marketing by any means are reflected in Chapter 3, read with section 69 insofar as that section relates to direct marketing by means of unsolicited electronic communications.
Sections 60 to 68 provide for the development, in appropriate circumstances, of codes of conduct for purposes of clarifying how the conditions referred to in subsection (1), subject to any exemptions which may have been granted in terms of section 37, are to be applied, or are to be complied with within a particular sector.
A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right—to be notified that—personal information about him, her or it is being collected as provided for in terms of section 18; or
his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
to object to the processing of his, her or its personal information—at any time for purposes of direct marketing in terms of section 11(3)(b); or
in terms of section 69(3)(c);
not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.
(1) This Act does not apply to the processing of personal information—in the course of a purely personal or household activity;
that has been de-identified to the extent that it cannot be re-identified again;
by or on behalf of a public body—which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety; or
the purpose of which is the prevention, detection, including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
by the Cabinet and its committees or the Executive Council of a province; or
relating to the judicial functions of a court referred to in section 166 of the Constitution.
‘‘Terrorist and related activities’’, for purposes of subsection (1)(c), means those activities referred to in section 4 of the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act No. 33 of 2004).
This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.
Where a responsible party who processes personal information for exclusively journalistic purposes is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information, such code will apply to the processing concerned to the exclusion of this Act and any alleged interference with the protection of the personal information of a data subject that may arise as a result of such processing must be adjudicated as provided for in terms of that code.
In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as required in terms of subsection (2) or not, regard may be had to—the special importance of the public interest in freedom of expression;
domestic and international standards balancing the—public interest in allowing for the free flow of information to the public through the media in recognition of the right of the public to be informed; and
public interest in safeguarding the protection of personal information of data subjects;
the need to secure the integrity of personal information;
domestic and international standards of professional integrity for journalists; and
the nature and ambit of self-regulatory forms of supervision provided by the profession.