South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).  The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA).  In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.

  1. Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information

The Guidance Note notes that POPIA prescribes eight conditions for the lawful processing of personal information by or for a “responsible party” (akin to a data controller under GDPR), and clarifies that these conditions may not be applicable to the extent that such processing is exempted in the following two instances:

Exemption on application

In order for a responsible party to qualify, they will be required to establish to the satisfaction of the Regulator that its processing (i) is in the public interest and is serves interests so significant  (e.g., freedom of expression and/or national security) that it outweighs the data subject’s competing data protection rights; or (ii) involves a clear benefit to the data subject or a third party and the relevant benefit, outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

Responsible parties that wish to apply for an exemption under section 37 of POPIA have been invited to submit applications  to the Regulator (which can be found here). The Regulator may, if it grants the application,, exempt a party from complying with a specific data protection condition when processing personal information. Note that an exemption does not mean that an organization will be exempt from all eight conditions for lawful processing.  Nor will this exemption entitle the organization to use personal information freely and without complying with the remainder of POPIA.

 Exemption in respect of certain functions

If a responsible party processes personal information for the purpose of performing certain relevant functions (meaning a function performed by a public body or conferred upon it by law), it may be exempt from complying with certain processing conditions.  The scope of this exemption, however, is limited to the following POPIA provisions:

  • the data subject’s right of objection (sections 11(3) and 11(4) of POPIA);
  • the obligation to ensure that personal information is collected directly from the data subject (section 12 of POPIA);
  • the obligation that further processing must be compatible with the initial purpose of collection (section 15 of POPIA); and
  • the requirement to notify the data subject when collecting their personal information (section 18 of POPIA).

In order for a responsible party to qualify, the nature of the functions performed by the party must be intended to protect the public against:

  • financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or
  • malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorized to carry on any other activity.
  1. Registration of Information Officers

The Regulator announced that there will no longer be a deadline for responsible persons to register Information Officers, and that responsible parties will not be held liable for failing to register their IOs and DIOs by the previously announced deadline of June, 30, 2021.  According to the Regulator’s media statement, this decision follows technical glitches with the Regulator’s registration portal and numerous concerns raised by responsible parties regarding the registration process.

It is worth noting that this development poses a challenge in the sense that  POPIA automatically assigns the role of IO to the head of an organization (i.e., the CEO).  However, POPIA also provides that an IO’s duties only commence once he /she has been registered with the Regulator

In addition, the Regulator has in this media statement confirmed that a CEO of  a multinational organization can be the IO for multiple entities.  This statement addresses questions being raised by South African subsidiaries of multinationals wishing to appoint one IO for all the members of a larger corporate group.  Until now, the registration portal would not allow the same person’s details to be used more than once, resulting in each company having to appoint a different IO.  The Regulator is investigating other “alternative registration processes”, which will be announced in due course.

If you are unsure whether your organization qualifies for an exemption under the Guidance Note or if you require assistance with any aspect of compliance with POPIA, please contact Deon Govender at dgovender@cov.com, Dan Cooper at dcooper@cov.com, Witney Schneidman at wschneidman@cov.com, Mosa Mkhize at mmkhize@cov.com or Shivani Naidoo at snaidoo@cov.com.

Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across…

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.

Photo of Deon Govender Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of…

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.