Chapter 6 

Prior Authorisation

Section 57
Processing subject to prior authorisation

The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
process any unique identifiers of data subjects—
for a purpose other than the one for which the identifier was specifically intended at collection; and
with the aim of linking the information together with information processed by other responsible parties;

process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
process information for the purposes of credit reporting; or
transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

The provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).

Section 58
Responsible party to notify Regulator if processing is subject to prior authorisation

Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator.
Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.
In the case of the notification of information processing to which section 57(1) is applicable, the Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation.
In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.
On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.
A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful, is deemed to be an enforcement notice served in terms of section 95 of this Act.
A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsections (3) and (4), may presume a decision in its favour and continue with its processing.

Section 59
Failure to notify processing subject to prior authorisation

If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107.