《南非个人信息保护法.docx》由会员分享,可在线阅读,更多相关《南非个人信息保护法.docx(38页珍藏版)》请在三一文库上搜索。
1、南非个人信息保护法 Act No. 4 of 2021 Protection Of Personal Information Act, 2021 1 Protection of Personal Information A c t , 2021 Ensuring protection of your personal information and effective access to information Act No. 4 of 2021 2 Protection Of Personal Information Act, 2021 Protection of Personal Info
2、rmation A c t , 2021 Act No. 4 of 2021 GENERAL EXPLANATORY NOTE: Words in bold type in square brackets indicate omissions from existing enactments. Words underlined with a solid line indicate insertions in existing enactments. (English text signed by the President) (Assented to 19 November 2021) ACT
3、 To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and t
4、o perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2021; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the fl ow
5、of personal information across the borders of the Republic; and to provide for matters connected therewith. PREAMBLE PREAMBLE RECOGNISING THAT section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy; the right to privacy includes a right
6、to protection against the unlawful collection, retention, dissemination and use of personal information; the State must respect, protect, promote and fulf i l the rights in the Bill of Rights; AND BEARING IN MIND THAT consonant with the constitutional values of democracy and openness, the need for e
7、conomic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free fl ow of information, including personal information; AND IN ORDER TO regulate, in harmony with international standards, the processing of personal information by
8、 public and private bodies in a manner that gives effect to the right to privacy subject to justif i able limitations that are aimed at protecting other rights and important interests, Parliament of the republic of south africa therefore anacts as follows:- CONTENTS OF ACT CHAPTER 1 DEFINITIONS AND
9、PURPOSE 1. Def i nitions 2. Purpose of Act CHAPTER 2 APPLICATION PROVISIONS 3. Application and interpretation of Act 4. Lawful processing of personal information 5. Rights of data 6. Exclusions 7. Exclusion for journalistic, literary or artistic purposes CHAPTER 3 CONDITIONS FOR LAWFUL PROCESSING OF
10、 PERSONAL INFORMATION Part A Processing of personal information in general Condition 1 Accountability 8. Responsible party to ensure conditions for lawful processing Condition 2 Processing limitation 9. Lawfulness of processing 10. Minimality 11. Consent, justif i cation and objection 12. Collection
11、 directly from data subject Condition 3 Purpose specif i cation 13. Collection for specif i c purpose 14. Retention and restriction of records Condition 4 Further processing limitation 15. Further processing to be compatible with purpose of collection Condition 5 Information quality 16. Quality of i
12、nformation 17. Documentation Condition 6 Openness 18. Notif i cation to data subject when collecting personal information Condition 7 Security safeguards 19. Security measures on integrity and conf i dentiality of personal information 20. Information processed by operator or person acting under auth
13、ority 21. Security measures regarding information processed by operator 22. Notif i cation of security compromises Condition 8 Data subject participation 23. Access to personal information 24. Correction of personal information 25. Manner of access Part B Processing of special personal information 2
14、6. Prohibition on processing of special personal information 27. General authorisation concerning special personal information 28. Authorisation concerning data subjects religious or philosophical beliefs 29. Authorisation concerning data subjects race or ethnic origin 30. Authorisation concerning d
15、ata subjects trade union membership 31. Authorisation concerning data subjects political persuasion 32. Authorisation concerning data subjects health or sex life 33. Authorisation concerning data subjects criminal behaviour or biometric 25 information Part C Processing of personal information of chi
16、ldren 34. Prohibition on processing personal information of children 35. General authorisation concerning personal information of children 30 CHAPTER 4 EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION 36. General 37. Regulator may exempt processing of personal information 35 38. Exem
17、ption in respect of certain functions CHAPTER 5 SUPERVISION Part A Information Regulator 40 39. Establishment of Information Regulator 40. Powers, duties and functions of Regulator 41. Appointment, term of office and removal of members of Regulator 42. Vacancies 43. Powers, duties and functions of C
18、hairperson and other members 44. Regulator to have regard to certain matters 45. Conf l ict of interest Remuneration, allowances, benef i ts and privileges of members 46. Staff 47. Powers, duties and functions of chief executive officer 48. Committees of Regulator 49. Establishment of Enforcement Co
19、mmittee 50. Meetings of Regulator 51. Funds 52. Protection of Regulator 53. Duty of conf i dentiality Part B Information Officer 54. Duties and responsibilities of Information Officer 55. Designation and delegation of deputy information officers CHAPTER 6 PRIOR AUTHORISATION Prior Authorisation 56.
20、Processing subject to prior authorisation 57. Responsible party to notify Regulator if processing is subject to prior authorisation 58. Failure to notify processing subject to prior authorisation CHAPTER 7 CODES OF CONDUCT 59. Issuing of codes of conduct 60. Process for issuing codes of conduct 61.
21、Notif i cation, availability and commencement of code of conduct 62. Procedure for dealing with complaints 63. Amendment and revocation of codes of conduct 64. Guidelines about codes of conduct 65. Register of approved codes of conduct 66. Review of operation of approved code of conduct 67. Effect o
22、f failure to comply with code of conduct CHAPTER 8 RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING 68. Direct marketing by means of unsolicited electronic communications 69. Directories 70. Automated deci
23、sion making CHAPTER 9 TRANSBORDER INFORMATION FLOWS 72. Transfers of personal information outside Republic CHAPTER 10 ENFORCEMENT5 71. Interference with protection of personal information of data subject 72. Complaints 73. Mode of complaints to Regulator 74. Action on receipt of complaint 75. Regula
24、tor may decide to take no action on complaint 76. Referral of complaint to regulatory body 77. Pre-investigation proceedings of Regulator 78. Settlement of complaints 79. Investigation proceedings of Regulator 80. Issue of warrants 81. Requirements for issuing of warrant 82. Execution of warrants 83
25、. Matters exempt from search and seizure 84. Communication between legal adviser and client exempt 85. Objection to search and seizure 86. Return of warrants 87. Assessment 88. Information notice 89. Parties to be informed of result of assessment 90. Matters referred to Enforcement Committee Functio
26、ns of Enforcement Committee 91. Parties to be informed of developments during and result of investigation 92. Enforcement notice 93. Cancellation of enforcement notice 94. Right of appeal 95. Consideration of appeal 96. Civil remedies CHAPTER 11 OFFENCES, PENALTIES AND ADMINISTRATIVE FINES 97. Obstr
27、uction of Regulator Breach of conf i dentiality 98. Obstruction of execution of warrant 99. Failure to comply with enforcement or information notices 100. Offences by witnesses 101. Unlawful acts by responsible party in connection with account number 102. Unlawful acts by third parties in connection
28、 with account number 103. Penalties 104. Magistrates Court jurisdiction to impose penalties 105. Administrative fi nes 106. Amendment of laws 107. Fees 108. Regulations CHAPTER 12 GENERAL PROVISIONS 109. Procedure for making regulations Transitional arrangements 110. Short title and commencement 111
29、. Fees 112. Regulations 113. Procedure for making regulations 114. Transitional arrangements 115. Short title and commencement Act No. 4 of 2021 12 Protection Of Personal Information Act, 2021 CHAPTER 1 DEFINITIONS AND PURPOSE SCHEDULE Laws amended by section 110 Def i nitions CHAPTER 1 DEFINITIONS
30、AND PURPOSE 1. In this Act, unless the context indicates otherwise biometrics means a technique of personal identif i cation that is based on physical, physiological or behavioural characterisation including blood typing, fi ngerprinting, DNA analysis, retinal scanning and voice recognition; child m
31、eans a natural person under the age of 18 years who is not legally 10 competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself; code of conduct means a code of conduct issued in terms of Chapter 7; competent person me
32、ans any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child; consent means any voluntary, specif i c and informed expression of will in terms of which permission is given for the processing of personal information; Constitution
33、 means the Constitution of the Republic of South Africa, 1996; data subject means the person to whom personal information relates; de-identify, in relation to personal information of a data subject, means to delete 20 any information that (a) identif i es the data subject; (b) can be used or manipul
34、ated by a reasonably foreseeable method to identify the data subject; or (c) can be linked by a reasonably foreseeable method to other information that 25 identif i es the data subject, and de-identif i ed has a corresponding meaning; direct marketing means to approach a data subject, either in pers
35、on or by mail or electronic communication, for the direct or indirect purpose of (a) promoting or offering to supply, in the ordinary course of business, any goods 30 or services to the data subject; or (b) requesting the data subject to make a donation of any kind for any reason; electronic communi
36、cation means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipients terminal equipment until it is collected by the recipient;35 enforcement notice means a notice issued in terms of section 95; f i ling system means
37、any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specif i c criteria; information matching programme means the comparison, whether manually 40 or by means of any electronic or other dev
38、ice, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to
39、an identif i able data subject;45 information officer of, or in relation to, a (a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or (b) private body means the head of a private body as contemplated in section 1, of the Promotion o
40、f Access to Information Act;50 Minister means the Cabinet member responsible for the administration of justice; operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party; person means
41、a natural person or a juristic person; personal information means information relating to an identif i able, living, natural person, and where it is applicable, an identif i able, existing juristic person, including, but not limited to (a) information relating to the race, gender, sex, pregnancy, ma
42、rital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, fi nancial, criminal or employment h
43、istory of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identif i er or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the pe
44、rson; (f) correspondence sent by the person that is implicitly or explicitly of a private or conf i dential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person
45、 if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person; prescribed means prescribed by regulation or by a code of conduct; private body means (a) a natural person who carries or has carried on any trade,
46、 business or profession, but only in such capacity; (b) a partnership which carries or has carried on any trade, business or profession; or (c) any former or existing juristic person, but excludes a public body; processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including (a) the collection