I own a local cellphone and electronics store.
We collect personal information from our clients and quite often have to pass on information to third parties such as cellular providers in order to provide our services.
I am not sure where our business fits into the picture with Popi and what my responsibilities are.
Can you provide some clarity?
The Protection of Personal Information (Popi) Act 4 of 2013 has been signed into law, but has not yet come fully into effect.
It protects our right to privacy by setting conditions and requirements for the processing of personal information.
This can be identified as any information relating to a living natural person or an identifiable legal entity and includes, amongst others, information such as names, birth dates, identity or registration numbers, passport numbers, demographic information, occupational information, health information and contact information.
Popi also relates to the processing of such information, which includes, amongst others, the collection, use, storage, deletion or destruction of personal information.
Popi establishes a number of role players with specific rights and responsibilities.
The subject of the protection afforded by Popi is the data subject which is a person (natural person or legal entity) to whom the personal information relates.
This can be a new or existing client, a prospective client, a supplier, or any other person whose personal information is being processed by your organisation.
On the other side of the coin is the responsible party – the party who must comply with Popi.
The responsible party is the party that processes the personal information, determines the purpose for which the personal information is needed and who can even outsource a part or all of the processing of the personal information to a third party who is referred to as an operator in terms of Popi.
Importantly though, despite the processing being outsourced to an operator, the responsible party still remains responsible for such processing, making it imperative that processing of personal information by operators must also be compliant with Popi.
The personal information your cellphone store receives when opening cellular accounts will qualify as personal information in respect of those clients who will also be seen as data subjects for the purposes of Popi.
Your actions of collection, storing and passing such information on to cellular providers will qualify as processing and, since you determine the purpose of the processing, will qualify your business in this context as a responsible party.
This means that Popi will apply to your business and that you will need to ensure that all your processing actions in relation to personal information is compliant with Popi.
My advice is to seek the assistance of a Popi specialist to review your business and how you process personal information to ensure that the correct compliance framework, procedures, client forms and contracts are put in place to ensure you meet all facets of Popi.
- Juanita van Zyl, associate, Phatshoane Henney Attorneys