U6 part 2

Question 1

When did the Protection of Personal Information Act (POPIA) come into force?

Answer 1

1 July 2020.

Question 2

Why was POPIA implemented in South Africa?

Answer 2

To align with international standards on data protection, balance privacy and access to information rights, and provide remedies for unlawful data processing.

Question 3

Who can address complaints to the Information Regulator under POPIA?

Answer 3

Data subjects can address complaints, and the Regulator can investigate, issue fines, or call for criminal proceedings if necessary.

Question 4

What are the obligations of responsible parties under POPIA?

Answer 4

They must handle personal data lawfully and ensure protection against unauthorized access or breaches.

Question 5

What types of information does POPIA apply to?

Answer 5

All personal information recorded by a responsible party within South Africa or processed by automated or non-automated means in the country.

Question 6

Define “Responsible Party” under POPIA.

Answer 6

A public or private body that determines the purpose and means of processing personal information, either alone or jointly with others.

Question 7

Who is considered an “Operator” under POPIA?

Answer 7

A third party that processes personal information on behalf of a responsible party under a contract or mandate.

Question 8

Who is a “Data Subject”?

Answer 8

Any person (natural or juristic) whose personal information is collected and processed.

Question 9

What qualifies as “Personal Information”?

Answer 9

Any information that identifies a living person or existing juristic entity, including data on minors that require parental consent to process.

Question 10

What is “Special Sensitive Information” under POPIA?

Answer 10

Information like race, health, biometrics, or political beliefs that require strict conditions for processing, often needing consent or legitimate reason.

Question 11

What does “Processing” mean in POPIA?

Answer 11

Any operation regarding personal information, such as collection, recording, storage, updating, or deletion.

Question 12

What is a “Record” in terms of POPIA?

Answer 12

Any recorded information, regardless of its form, such as books, labels, photos, or electronic files.

Question 13

Name an exemption to POPIA’s application.

Answer 13

Personal information that is de-identified or anonymized, making it untraceable to the data subject.

Question 14

Can personal data used for household purposes be exempt from POPIA?

Answer 14

Yes, private use like contact lists or closed social media accounts are exempt.

Question 15

What rights do data subjects have under POPIA?

Answer 15

They have the right to lawful and reasonable processing, to be notified of data collection or breaches, and to access, correct, or delete their personal data

Question 16

What action can a data subject take if their data is processed unlawfully?

Answer 16

They can submit a complaint to the Information Regulator or institute civil proceedings.

Question 17

Under what conditions may “Special Sensitive Information” be processed?

Answer 17

With data subject consent, legitimate public interest, or if the information was publicly shared by the data subject.

Question 18

What is the role of an Operator regarding data security?

Answer 18

They must keep personal information safe and confidential and cannot share it without authorization, with the responsible party remaining liable for any data breaches.

Question 19

What is the principle of accountability in POPIA?

Answer 19

The responsible party must ensure processing is lawful and compliant with POPIA. They remain liable if conditions aren’t met, such as during a data breach.

Question 20

Who is responsible for the safety and confidentiality of personal information in POPIA?

Answer 20

The responsible party, such as a chartered accountant or firm, must ensure information is secure and only disclosed as required for contract purposes or by law.

Question 21

What happens when an operator processes data on behalf of a responsible party?

Answer 21

The responsible party remains liable to ensure lawful processing conditions are met.

Question 22

What does “processing limitation” in POPIA require?

Answer 22

Only relevant, reasonable, minimal data should be processed and must be destroyed or de-identified when no longer needed unless required by law.

Question 23

How must consent for data processing be provided under POPIA?

Answer 23

Consent must be explicit, informed, and voluntary, not assumed through silence, and can be given electronically (e.g., by ticking a box).

Question 24

What must a data subject be informed of when providing consent?

Answer 24

They must be informed about the data being collected, the purpose, duration, transfer details, and their right to object or withdraw consent.

Question 25

What is the "purpose specification" condition in POPIA?

Answer 25

The responsible party must define and inform the data subject of the purpose for collecting data, ensuring it’s lawful and related to the collection reason.

Question 26

Can a responsible party process any data a subject provides?

Answer 26

No, data processing must be aligned with the responsible party’s function and the purpose of collection, even if information is provided voluntarily.

Question 27

What limits "further processing" under POPIA?

Answer 27

Data collected for a specific purpose may not be used for a different purpose unless it’s compatible with the original collection reason.

Question 28

What factors determine the compatibility of further processing in POPIA?

Answer 28

Factors include the relationship between the initial and further processing reasons, data type, collection method, and any contractual rights.

Question 29

What does "information quality" entail under POPIA?

Answer 29

Collected information must be accurate, complete, and kept updated for the purpose it was obtained.

Question 30

What is required under the "openness" condition in POPIA?

Answer 30

The responsible party must inform the data subject about data processing details, maintain accessible records, and notify of any data transfer out of the country.

Question 31

What are "security safeguards" in POPIA?

Answer 31

Responsible parties must implement measures to protect data from loss, destruction, unauthorized access, and perform regular risk assessments.

Question 32

Who must be informed of a data breach under POPIA?

Answer 32

The data subject and the Information Regulator must be notified promptly if a data breach occurs.

Question 33

What rights does a data subject have under "data subject participation"?

Answer 33

They can access, correct, or delete personal data, object to processing, and are protected if data is transferred to a country with equivalent laws.

Question 34

Under what conditions can data be transferred out of South Africa?

Answer 34

Only if the recipient country has similar data protection laws, there's a protection agreement, or it’s necessary for a transaction with the data subject's consent.

Question 35

What is direct marketing under POPIA?

Answer 35

Marketing that offers goods/services or requests donations, and data subjects have the right to object to direct marketing efforts.

Question 36

How does POPIA handle direct marketing to new clients?

Answer 36

Marketers may only request consent once, and if the client declines or doesn’t respond, further contact is prohibited.

Question 37

Can existing clients receive direct marketing without new consent?

Answer 37

Yes, if consent was given at the business relationship's start, marketers can send related marketing, but clients can withdraw consent anytime.

Question 38

What must direct marketing communication include under POPIA?

Answer 38

It must provide the marketer's contact details and inform clients of their right to withdraw consent at any time.