
GENERAL PROVISIONS: Short title and commencement
This Act is called the Protection of Personal Information Act, 2013, and commences on a date determined by the President by proclamation in the Gazette...
All processing of personal information must within one year after the commencement of this section be made to conform to this Act...
The Minister, before making or amending any regulations referred to in section 112(1), must publish a notice in the Gazette setting out that draft regulations have been developed...
The Minister may, subject to section 113, make regulations relating to the establishment of the Regulator...
The Minister may, subject to section 113 and after consultation with the Regulator, prescribe fees to be paid by data subjects...
The laws mentioned in the Schedule are amended to the extent indicated in the third column of the Schedule...
If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person...
Despite anything to the contrary contained in any other law, a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107...
Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of...
A person who knowingly or recklessly, without the consent of the responsible party obtains or discloses an account number of a data subject...
A responsible party who contravenes the provisions of section 8 insofar as those provisions relate to the processing of an account number of a data subject is, subject to subsections (2) and (3), guilty of an offence...
Any person summoned in terms of section 81 to attend and give evidence or to produce any book, document or object before the Regulator who, without sufficient cause fails...
A responsible party which fails to comply with an enforcement notice served in terms of section 95, is guilty of an offence...
Any person who intentionally obstructs a person in the execution of a warrant issued under section 82...
101. Any person who contravenes the provisions of section 54, is guilty of an offence...
Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the direction of the Regulator in the performance of the Regulator’s duties and functions under this Act...
A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act...
If in an appeal under section 97 the court considers that the notice or decision against which the appeal is brought is not in accordance with the law...
A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the notice...
A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal may be brought against that notice...
If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is satisfied that a responsible party has interfered...
If an investigation is made following a complaint, and the Regulator believes that no interference with the protection of the personal information...
The Enforcement Committee must consider all matters referred to it by the Regulator in terms of section 92 or the Promotion of Access to Information Act...
After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such complaint or other matter to the Enforcement Committee for consideration...
After completing the assessment referred to in section 89 the Regulator must report to the responsible party the results of the assessment and any recommendations...
If the Regulator has received a request under section 89 in respect of any processing of personal information...
The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other person must make an assessment in the prescribed manner...
A warrant issued under section 82 must be returned to the court from which it was issued after being executed...
If the person in occupation of any premises in respect of which a warrant is issued under this Act objects to the inspection or seizure under the warrant of any material on the ground that it...
Subject to the provisions of this section, the powers of search and seizure conferred by a warrant issued under section 82 must not be exercised in respect of...
If the Regulator has granted an exemption in terms of section 37, the information that is processed in terms of that exemption is not subject to search and seizure empowered by a warrant issued under section 82...
A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under section 82 may overcome resistance to the entry and search...
A judge or magistrate must not issue a warrant under section 82 unless satisfied that the Regulator has given seven days...
A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Regulator that there are reasonable grounds for suspecting that...
For the purposes of the investigation of a complaint the Regulator may summon and enforce the appearance of persons before the Regulator and compel...
If it appears from a complaint, or any written response made in relation to a complaint under section 79(b)(ii), that it may be possible to secure...
Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform...
If, on receiving a complaint in terms of section 74, the Regulator considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of another regulatory body...
The Regulator, after investigating a complaint received in terms of section 73, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion...
On receiving a complaint in terms of section 74, the Regulator may conduct a pre-investigation as referred to in section 79...
A complaint to the Regulator must be made in writing...
Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject....
For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of...
A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless...
Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree...
A data subject who is a subscriber to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services...
The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication...
If a code issued under section 60 is in force, failure to comply with the code is deemed to be a breach of the conditions for the lawful processing of personal information...
The Regulator may, on its own initiative, review the operation of an approved code of conduct...
The Regulator must keep a register of approved codes of conduct...
The Regulator may provide written guidelines to assist bodies to develop codes of conduct or to apply approved codes of conduct...
The Regulator may amend or revoke a code of conduct issued under section 60...
A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but no such provision may limit or restrict any provision of Chapter 10...
If a code of conduct is issued under section 60 the Regulator must ensure that there is published in the Gazette...
The Regulator may issue a code of conduct under section 60...
The Regulator may from time to time issue codes of conduct...
If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107...
Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator...
The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to...
Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of...
An information officer’s responsibilities include the encouragement of compliance...
A person acting on behalf or under the direction of the Regulator, must, both during or after his or her term of office or employment...
Any person acting on behalf or under the direction of the Regulator, is not civilly or criminally liable for anything done in good faith in the exercise or performance...
Funds of the Regulator consist of such sums of money that Parliament appropriates annually...
Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator...
The Regulator must establish an Enforcement Committee which must consist of...
The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more committees, which must consist of...
The chief executive officer is the head of administration and the accounting officer...
The Regulator must establish its own administration to assist it in the performance of its functions and to this end the Regulator must appoint, or secure the secondment in terms of subsection (6) of...
A member of the Regulator or a person referred to in section 49(1)(b) or 50(1)(b) who is not subject to the provisions of the Public Service Act...
If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance...
In the performance of its functions, and the exercise of its powers, under this Act the Regulator must...
The Chairperson must exercise the powers and perform the duties...
A vacancy in the Regulator occurs if a member...
The Regulator consists of the following members...
The powers, duties and functions of the Regulator in terms of this Act are...
There is hereby established a juristic person to be known as the Information Regulator, which...
Personal information processed for the purpose of discharging a relevant function is exempt...
The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information...
Processing of personal information is not in breach of a condition for the processing of such information if the...
The prohibition on processing personal information of children, as referred to in section 34, does not apply if the processing is...
A responsible party may, subject to section 35, not process personal information concerning a child...
The prohibition on processing personal information concerning a data subject’s criminal behaviour or biometric information...
The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by...
The prohibition on processing personal information concerning a data subject’s political persuasion...
The prohibition on processing personal information concerning a data subject’s trade union membership...
The prohibition on processing personal information concerning a data subject’s race or ethnic origin, as referred to in section 26, does not apply if the processing is carried out to...
The prohibition on processing personal information concerning a data subject’s religious or philosophical beliefs, as referred to in section 26, does not apply if the processing is carried out by...
The prohibition on processing personal information, as referred to in section 26, does not apply if the...
A responsible party may, subject to section 27, not process personal information concerning...
The provisions of sections 18 and 53 of the Promotion of Access to Information Act apply to requests made in terms of section 23 of this Act...
A data subject may, in the prescribed manner, request a responsible party to...
A data subject, having provided adequate proof of identity, has the right to...
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify...
A responsible party must, in terms of a written contract between the responsible party and the operator...
An operator or anyone processing personal information on behalf of a responsible party or an operator, must...
A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent...
If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of...
A responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act...
A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary...
Further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13...
Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected...
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party...
Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2)...
Personal information may only be processed if...
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive...
Personal information must be processed...
The responsible party must ensure that the conditions set out in this Chapter...
This Act does not apply to the processing of personal information solely for the purpose of journalistic...
This Act does not apply to the processing of personal information...
A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right...
The conditions for the lawful processing of personal information by or for a responsible party are the following...
This Act applies to the processing of personal information...
The purpose of this Act is to...
In this Act, unless the context indicates otherwise...