Protection of Personal Information Act

For optimal readability, we highly recommend downloading the document PDF, which you can do below.

Document Information:


Act No. 4of2013
Protectio nOfPersona lInform ationAct ,201 3 1
P r o tection
of Perso n al
Inform a tion
A c t,2013
Ensurin gprotectio nofyou rpersona linformatio nandeffectiv eacces stoinformation

Act No. 4of2013
2 Protectio nOfPersona lInform ationAct ,2013
P r o tection
of Perso n al
Inform a tion
A c t,2013

Act No. 4of2013
GENERAL EXPLAN ATORYNOTE:
[ ] Wordsinbold type insqua rebracketsindi cateomissions from existing enactme nts. Wordsunderlinedwithasolidlineindicateinsertionsin existingenactments.
(English textsigned bythe Preside nt) (Asse ntedto19November 2013)
ACT Topromo tethe protection of personal inform ation processed bypublic and privat ebodies; tointroduce cer tain conditions so as toestablish minimum requi reme ntsfor the processing of personal inform ation; to provide for the establishme ntof an Inform ation Regul ator toexercise cer tain powersand toper form cer tain duties and functions interms of this Act and the Promotion ofAccess toInformationAct, 2000; toprovide forthe issuing ofcodes ofconduct; toprovide forthe rightsofpersons regarding unsolici ted elect ronic communi cations and autom ated decision making; to regul atethe flow of personal inform ation across the bordersofthe Republic; and toprovide formattersconnec tedthe rewith.
PREAMBLE PREAMBLE RECOGNISING THAT— •section14 ofthe Con stitutionofthe Republic ofSouth Afri ca,1996, provides thateveryone has the righttoprivacy; •the righttoprivacy includes arighttoprotectionagainstthe unl awful collection, retention, dissemin ation and use ofpersonal inform ation; •the Statemu strespect, protect, promo teand fulfilthe rightsinthe Bill ofRights;
AND BEARING INMIND THAT— •consona ntwith the constitutionalvalues ofdemoc racy and openness, the need foreconomic and social progress, within the fram ework ofthe
Protectio nOfPersona lInform ationAct ,201 3 3

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 4
inform ationsoci ety,requi resthe rem ovalofunnecessa ryimpedime nts tothe freeflowofinform ation, including personal inform ation;
AND INORDER TO— •regul ate,inharmo nywith intern ational standa rds, the processing of
personal inform ation bypublic and privatebodies inamanner that giveseffect tothe righttoprivacy subject tojustifiable limi tations that areaimed atprotecting other rightsand impor tantinterests,

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 5
13. Collectionforspeci ficpurpose 14. Retention and restriction ofrecords
Parliame ntofthe republic ofsouth africathe reforeanacts asfollows:-
1. Definitions 2. Purpose ofAct
CONTEN TSOF ACT CHAPTER 1 DEFINITIONS AND PURPOSE
CHAPTER 2 APPLIC ATION PROVISIONS 3. Appli cationand interp retationofAct 4. Lawful processing ofpersonal inform ation 5. Rightsofdata 6. Exclusions 7. Exclusion forjournali stic, literaryorarti sticpurposes
CHAPTER 3 CONDITIONS FOR LAWFULPROCESSINGOF PERSONALINFORMATION
Part A Pro cessing ofpersonal information ingeneral Condition 1 Accountability 8. Responsible party toensu reconditions forlawful processing
Condition 2 Processing limitation 9. Lawfulness ofprocessing 10. Minimality 11. Conse nt,justification and objection 12. Collection directly from datasubject
Condition 3 Purpose specification

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 6
Condition 4 Further processing limitation 15. Further processing tobe comp atible with purpose ofcollection
Condition 5
Inform ation quality 16. Quality ofinform ation
17. Docume ntation
Condition 6 Openness
18. Noti fication todatasubject when collecting personal inform ation
Condition 7 Security safeguards
19. Security measu reson integrity and confidentialityof personal inform ation 20. Inform ationprocessed byope ratororperson actingunder authority 21. Security measu resregarding inform ation processed byope rator 22. Notificationofsecurity comp romises
Condition 8 Datasubject participation
23. Access topersonal inform ation 24. Cor rection ofpersonal inform ation 25. Manner ofaccess
Part B Processing ofspecial personal information
26. Prohibition on processing ofspecial personal inform ation 27. Gene ralauthoris ation concerning special personal inform ation

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 7
28. Authoris ationconcerning datasubjec t’sreligious or philosophi calbeli efs 29. Authoris ation concerning datasubjec t’srace orethnic origin 30. Authoris ation concerning datasubjec t’strade union membe rship 31. Authoris ation concerning datasubjec t’spoliti calpersuasion 32. Authoris ation concerning datasubjec t’shealth orsexlife 33. Authoris ationconcerning datasubjec t’scriminal beh aviour or biom etric 25inform ation
Part C Processing ofpersonal inform ation ofchildren
34. Prohibition on processing personal inform ation ofchild ren 35. Gene ralauthoris ationconcerning personal inform ationof child ren 30
CHAPTER 4 EXEM PTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION
36. Gene ral 37. Regul atormayexem ptprocessing ofpersonal inform ation 35 38. Exem ption inrespect ofcer tain functions
CHAPTER 5 SUPERVISION
Part A Information Regula tor 40
39. Establishme ntofInform ation Regul ator 40. Powers,duties and functions ofRegul ator 41. Appoi ntme nt,term ofoffice and rem ovalofmembe rsofRegul ator 42. Vacancies 43. Powers,duties and functions ofChairpe rson and other membe rs

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 8
44. Regul atortohaveregardtocer tain matters 45. Conflictofinterest Remune ration,allo wances, ben efitsand privile gesofmembe rs 46. Staff 47. Powers,duties and functions ofchiefexecuti veofficer 48. Commit tees ofRegul ator 49. Establishme ntofEnforceme ntCommittee 50. Me etings ofRegul ator 51. Funds 52. Protection ofRegul ator 53. Duty ofconfidentiality
Information Officer Part B
54. Duties and responsibilities ofInform ation Officer 55. Design ation and dele gation ofdeputy inform ation office rs
CHAPTER 6 PRIOR AUTHORI SATION Prior Authorisation
56. Processing subject toprior authoris ation 57. Responsible party tonotifyRegul ator ifprocessing is subject toprior authoris ation 58. Failu retonotifyprocessing subject toprior authoris ation
CHAPTER 7 COD ESOF CONDUCT
59. Issuing ofcodes ofconduct 60. Process forissuing codes ofconduct 61. Notification,availability and commenceme ntofcode ofconduct 62. Procedu refordealing with complai nts 63. Amendme ntand revocation ofcodes ofconduct 64. Guidelines about codes ofconduct

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 9
65. Registerofapp rovedcodes ofconduct 66. Reviewofope rationofapp rovedcode ofconduct 67. Effect offailu retocomply with code ofconduct
CHAPTER 8
RIGH TSOF DATASUBJ ECTSREGARDING DIR ECTMARKETING BYMEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIR ECTORI ESAND AUTOM ATED DECISION MAKING
68. Direct mar ketingbymeans ofunsolici ted elect ronic communi cations 69. Directories 70. Autom ated decision making
CHAPTER 9 TRANSBORDER INFORM ATION FLOWS
72. Transfersofpersonal inform ation outside Republic
CHAPTER 10 ENFORCEMENT 5
71. Interference with protectionofpersonal inform ationof datasubject 72. Complai nts 73. Mode ofcomplai ntstoRegul ator 74. Action on recei ptofcomplai nt 75. Regul atormaydecide totakeno actionon complai nt 76. Referralofcomplai nttoregul atorybody 77. Pre-investigation proceedings ofRegul ator 78. Settleme ntofcomplai nts 79. Investigation proceedings ofRegul ator 80. Issue ofwarrants 81. Requi reme ntsforissuing ofwarrant 82. Execution ofwarrants

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 10
83. Mattersexem ptfrom sea rchand seizure 84. Communi cation between legaladviser and clie ntexem pt 85. Objectiontosea rchand seizure 86. Return ofwarrants 87. Assessme nt 88. Inform ation notice 89. Parties tobe informed ofresult ofassessme nt 90. MattersreferredtoEnforceme ntCommittee FunctionsofEnforceme ntCommit tee 91. Partiestobe informed ofdevelopme ntsduring and result ofinvestigation 92. Enforceme ntnotice 93. Cancell ation ofenforceme ntnotice 94. Rightofappeal 95. Conside ration ofappeal 96. Civil remedies
CHAPTER 11 OFFENC ES,PENA LTIESAND ADMINI STRATIVE FINES
97. ObstructionofRegul ator Breach ofconfidentiality 98. Obstruction ofexecution ofwarrant
99. Failu retocomply with enforceme ntorinform ation notices 100. Offences bywitnesses 101. Unl awful acts byresponsible party inconnectionwith
accountnumber 102. Unl awful acts bythirdpartiesinconnectionwith account number
103. Penalties 104. Magi strate’sCourt jurisdiction toimpose penalties 105. Admini strativefines

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 11
106. Amendme ntoflaws 107. Fees 108. Regul ations
CHAPTER 12 GENERAL PROVISIONS
109. Procedu reformaking regul ations Transitionalarrangeme nts 110. Short title and commenceme nt 111. Fees 112. Regul ations 113. Procedu reformaking regul ations 114. Transitional arrangeme nts 115. Short title and commenceme nt

Act No. 4of2013
12 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 1
DEFINITIONS AND
PURPOSE

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 13
Lawsamended bysection 110 SCHEDULE
Definitions
CHAPTER 1 DEFINITIONS AND PURPOSE
1.Inthis Act, unless the contextindi catesothe rwise —
‘‘biom etrics ’’means a technique of personal identification that is based on physical, physiologi cal or beh aviou ral cha racteris ation including blood typin g,fingerprinting, DNA anal ysis, retinal scanning and voice recognition;
‘‘child ’’means anaturalperson under the ageof18 yearswho isnot
legally 10 comp etent,without the assi stance of acomp etentperson, totakeanyaction ordecision inrespect ofanymatterconcerning him- orherself;
‘‘cod eofconduc t’’means acode ofconduct issued interms ofChap ter7;
‘‘comp etentperson ’’means anyperson who islegally comp etentto conse nttoanyaction or decision being taken inrespect ofanymatter concerning achild;
‘‘conse nt’’means anyvolu ntary,speci ficand informed expression ofwill
interms of which permission isgiven for the processing of personal inform ation;
‘‘Con stitution’’means the Con stitutionofthe Republic ofSouth Afri ca, 1996;
‘‘datasubjec t’’means the person towhom personal inform ation relates;
‘‘de-identify’’,inrelationtopersonal informationofadatasubject, means
todelete20anyinform ation that—
(a) identifiesthe datasubject;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 14
(b) canbeused ormanipul atedbyareasonably foreseeable method to ide ntifythe datasubject; or
(c) can be linked byareasonably foreseeable method toother inform ation that25ide ntifiesthe datasubject,
and ‘‘de-ide ntified’’has acorresponding meaning;
‘‘direct marketing’’means toapp roach adatasubject, either inperson or bymail orelect ronic communi cation, forthe direct orindi rect purpose of—
(a) promotingoroffering tosuppl y,inthe ordina rycourseofbusiness, anygoods 30orservices tothe datasubject; or
(b) reque stingthe datasubject toma keadon ationofanykind forany reason;
‘‘elect ronic communi cation ’’means anytext, voice, sound or ima ge
messa gesentoveranelect ronic communicationsnetwork which isstored inthe network orinthe recipie nt’sterminal equipme ntuntilitiscollec ted
bythe recipie nt;35
‘‘enforceme ntnotice ’’means anotice issued interms ofsection 95;
‘‘filing system ’’means anystructu red setof personal inform ation, whether centralised, dece ntralised or dispe rsed on afunctional or geog raphi calbasis, which isaccessible according tospeci ficcriteria;
‘‘inform ation matching programme ’’means the comparison, whether
manually 40 or bymeans of anyelect ronic or other device, of any docume ntthatcontains personal inform ation about ten ormo redata
subjects with one ormo redocume nts
thatcontain personal inform ation often ormo redatasubjects, forthe purpose ofproducing orverifying inform ation thatmaybe used forthe purpose oftaking anyaction inregardtoan identifiable datasubject;45
‘‘inform ation officer ’’of,orinrelation to,a—
(a) public body means an inform ationofficerordeputy inform ation
officer ascontempl atedinterms ofsection 1or17; or
(b) privatebody means the head ofaprivatebody ascontempl ated in section 1,ofthe Promotion ofAccess toInform ation Act;50

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 15
‘‘Mini ster’’means the Cabin et member responsible for the admini stration ofjustice;
‘‘operator’’means aperson who processes personal inform ation for a
responsible party interms ofacontract or mand ate,without coming under the direct authority ofthatparty;
‘‘person ’’means anaturalperson orajuri sticperson;
‘‘personal inform ation ’’means inform ation relating toan ide ntifiable, livin g,naturalperson, and whe reitisappli cable, an identifiable, existing juri sticperson, includin g,but not limi ted to—
(a) inform ation relating tothe race, gende r,sex,pregnanc y,mari tal
status, national, ethnic or social origin, colou r,sexual orie ntation, age, physical or me ntal health, well-bein g,disabilit y,religion, conscience, beli ef,cultu re,langua geand birth ofthe person;
(b) inform ationrelatingtothe edu cationor the medi cal, financial, criminal orempl oyme nthistoryofthe person;
(c) anyidentifying numbe r,symbol, e-mail add ress, physicaladd ress, telephone numbe r,location inform ation, online ide ntifierorother particular assignme nttothe person;
(d) the biom etric inform ation ofthe person;
(e) the personal opinions, viewsorpreferences ofthe person;
(f) correspondence sentbythe person thatisimplicitly or explicitly ofaprivateorconfidential natureorfurther correspondence that would reveal the contentsofthe original correspondence;
(g) the viewsoropinions ofanother individual about the person; and
(h) the name ofthe person ifitappea rswith other personal inform ation relating tothe person orifthe disclosu reofthe name itself would reveal inform ation about the person;
‘‘prescribed ’’means prescribed byregul ation orbyacode ofconduct;
‘‘privat ebod y’’means —
(a) anatural person who carries or has carried on anytrade, business orprofession, but only insuch capacity;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 16
(b) apartne rship which carries orhas carried on anytrade, business or profession; or
(c) anyformer orexisting juri sticperson, but excludes apublic body;
‘‘processin g’’means anyope rationoractivityoranysetofope rations, whether or
not byautom atic means, concerning personal inform ation, including —
(a) the collection,recei pt,recordin g,organis ation,collation,storage, upd ating ormodi fication, retrieval,alteration, consul tation oruse;
(b) dissemin ationbymeans of transmission, distributionor making available inanyother form; or
(c) me rging,linkin g,as well as restriction,deg radation,erasu reor destruction of inform ation;
‘‘professional legal adviser ’’means any legally quali fied person, whether inprivatepractice ornot, who lawfully provides aclie nt,athis orher oritsreque st,with independe nt,confidential legaladvice;
‘‘Promotion of Access toInform ation Act’’means the Promotion of
Access to InformationAct, 2000 (Act No. 2of2000);
‘‘public bod y’’means —
(a) anydepartme ntof stateor admini stration in the national or provincial sphe reof governme ntor anymunicipality inthe local sphe reofgovernme nt;or
(b) anyother functionaryorinstitutionwhen —
(i) exercising apower or per forming aduty in terms of the Con stitution oraprovincial constitution; or
(ii) exercising apublic powerorper forming apublic functionin
terms ofanylegisl ation;
‘‘public record’’means arecordthatisaccessible inthe public domain and which isinthe possession oforunder the controlofapublic bod y,
whether ornot itwascreated bythatpublic body;
‘‘record’’means anyrecorded inform ation —

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 17
(a) regardless ofform ormedium, including anyofthe following:
(i) Writingon anymaterial;
(ii) informationproduced,recorded orstoredbymeans ofanytape-
recorder,compu terequipme nt,whether hardwareorsoft ware orboth, orother device, and anymaterial subseque ntly deri ved from inform ation soproduced, recorded orstored;
(iii) label, marking orother writing thatidentifiesordescribes any thing of which itforms part, ortowhich itisattached byany means;
(iv) book, map, plan, graph ordrawing;
(v) pho tograph, film, negative,tape orother device inwhich one or
mo revisual ima gesareembodied soastobe capable, with or without the aid ofsome other equipme nt,ofbeing reproduced;
(b) inthe possession orunder the controlofaresponsible party;
(c) whether or not itwas created byaresponsible party; and
(d) regardless ofwhen itcame intoexistence;
‘‘Regulator’’means the Inform ationRegul atorestablished interms of section 39;
‘‘re-ide ntify’’,in relationtopersonal inform ationof adatasubject, means toresur rect anyinform ation thathas been de-ide ntified, that—
(a) ide ntifies the data subject;
(b) canbeused ormanipul atedbyareasonably foreseeable method to ide ntifythe datasubject; or
(c) can be linked byareasonably foreseeable method toother inform ationthatide ntifiesthe datasubject and
‘‘re-ide ntified’’has acorresponding meaning;
‘‘Republic ’’means the Republic ofSouth Afri ca;
‘‘responsible part y’’means apublic orprivatebody oranyother person which, alone or in conjunction with othe rs,determines the purpose of and means forprocessing personal inform ation;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 18
‘‘restriction ’’means towithhold from circulation, use orpubli cation any personal 20 inform ation thatforms part ofafiling system, but not to deleteordestroysuch inform ation;
‘‘special personal inform ation’’means personal inform ation as referred toinsection 26;
‘‘this Act’’includes anyregul ation orcode ofconduct made under this Act; and
‘‘unique ide ntifier’’means anyidentifier thatisassigned toadata subject and isused byaresponsible party for the purposes of the
ope rations of thatresponsible party and thatuniquely ide ntifies that datasubject inrelation tothatresponsible part y.
Purpose ofAct
2.The purpose ofthis Act isto—
(a) giveeffect tothe constitutional righttoprivacy,bysafegua rding personal inform ation when processed byaresponsible part y, subject tojustifiable limi tations thatareaimed at—
(i) balancing the righttoprivacy againstother rights, particularlythe
rightofaccess toinform ation; and
(ii) protectingimpor tantinterests,including the freeflowofinform ation within the Republic and across intern ational borders;
(b) regul atethe manner in which personal inform ation maybe processed, byestablishing conditions, in harmo ny with intern ational standa rds, thatprescribe the minimum threshold requi reme ntsforthe lawful processing ofpersonal inform ation;
(c) provide persons with rightsand remedies toprotect their personal inform ation from processing thatisnot inaccordance with this Act; and
(d) establish volu ntary and compulso ry measu res, including the
establishme ntof an Inform ation Regul ator,toensu rerespect for and topromo te,enforceand fulfilthe rightsprotected bythis Act.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,201 3 19
CHAPTER 2
APPLICATION PROVISIONS

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 20
CHAPTER 2
APPLIC ATION PROVISIONS
Appli cation and interp retation ofAct 1.(1) This Act applies tothe processing ofpersonal inform ation —
(c) samesmelting,koppelin g,asook inperkin g,deg radasie, uitwissing of verni etiging vaninligting;
‘‘Regulee rder ’’die Inligtingsreguleerderingevolgearti kel39 ingestel;
‘‘rekord’’enigeopgetekende inligting —
(a) ongeag vorm of medium, metinbegrip van eni gevan die volgende:
(i) Skrif op eni gemateriaal;
(ii) inligting geprodusee r,opgeteken of gestoor bywyse van eni gebandopneme r,rekenaar toeru sting,hetsyhardewareof sagteware ofbeide, of ander toestel, en eni gemateriaal vervolgens verk ry uit die inligting aldus geprodusee r, opgetekenofgestoor;
(iii) etiket,merk, ofander skrif watenigevoorwerp waarvandit deel uitmaak, of waaraan dit op eni gewyse geheg is, ide ntifiseer ofbesk ryf;
(iv) boek, kaart, plan, grafiekoftekening;
(v) foto,film, negatief,band ofander toestelwaarin een ofmeer visuele beelde vervatissod atdit geskik is, metofsonder die hulp van ander toeru sting,vir reprodu ksie;
(b) indie besit ofonder die beheer van’nverantwoordeli keparty;
(c) hetsydit deur die verantwoordeli keparty geskep isaldan nie; en
(d) ongeag wanneer dit totstand gekom het;
‘‘Republiek ’’die Republiek vanSuid-Afri ka;
‘‘spesiale persoonli keinli gting’’persoonli keinligtingsoos byartikel26
bedoel;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 21
‘‘toestemmin g’’enigevrywilli ge,bepaalde en ingeligtewilsui tdrukking ingevolgewaarvan verlof tot die prosessering van persoonli keinligting gegeeword;
‘‘unie keide ntifiseerder ’’enigeide ntifisee rder wataan ’ndatasubjek toegewysworden watdeur ’nverantwoordeli keparty vir doeleindes van die bed rywighede
van daa rdie verantwoordeli keparty gebruik word en waarmee daa rdie
verantwoordeli keparty die datasubjek op unie kewyseidentifiseer;
‘‘verantwoordeli kepart y’’’nopenba reofprivaatliggaam ofenigeander persoon wat,eiehandig of insam ewerking metande re,die oogmerk van en middele vanprosessering vanpersoonli keinligting bepaal;
‘‘voorgesk ryf’’voorgesk ryfbyregulasie ofby’ngedrags kode; en
‘‘Wetop Bevordering vanToegang totInli gting’’die Wetop Bevordering van
Toegang totInligting,2000 (WetNo. 2van 2000).
Oogmerk van Wet
2.Die oogmerk vanhierdie Wetisom —
(a) gevolg te gee aan die grond wetlike reg op privaatheid, deur persoonli ke inligting te bes kerm wanneer dit deur ’n verantwoordeli ke party geprosesseer word, onderh ewig aan regverdigba rebeperkings watgerig isop die —
(i) balansering van die regop privaatheid teenoor ander regte,in
besonder die regop toegang totinligting; en
(ii) bes kerming van belangri kebelan ge,metinbegrip van die vrye vloei van inligting binne die Republiek en oor internasionale grense;
(b) die wyse waarop persoonli keinligting geprosesseer mag word, tereguleer deur voorwaardes, in harmonie metinternasionale standaa rde, tevestig watdie minimum vereistes vir die regm atige prosessering van persoonli keinligting voorskryf;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 22
(c) persone vanregteen remedies tevoorsien ten einde hul persoonli ke inligting teen prosessering watnie inooreen stemming methie rdie Wetisnie, tebes kerm; en
(d) vrywilli geen verpli gtema atreëls, metinbegrip van die instelling van ’nInligtings regulee rder,intestel, ten einde respek vir,en die bevorderin g,afdwinging en verwesenliking van, die regtewatin
hierdie Wetbes kerm word,teverseker.
HOO FSTUK 2
TOEPASSINGSBE PALINGS
Toepassing en uitleg van Wet
3.(1) Hie rdie Wetisvan toepassing op die prosessering van persoonli ke inligting —
(a) entered inarecordbyor for aresponsible party bymaking use of autom ated or non-au tom ated means: Provided thatwhen the
recorded personal informa- tion isprocessed bynon-au tom ated means, itforms part ofafiling system orisintended toform part the reof; and
(b) whe rethe responsible party is—
(i) domiciled inthe Republic; or
(ii) not domiciled in the Republic, but ma kes use of
autom ated or non-au tom ated means inthe Republic, unless those means areused only toforwardpersonal inform ation through the Republic.
(2) (a) This Act applies ,subject toparagraph (b), tothe exclusion ofany provision ofanyother legisl ation thatregul atesthe processing
ofpersonal inform ationand thatismaterially inconsi stentwith
an object, oraspeci ficprovision, ofthis Act.
(b) Ifanyother legisl ation provides for conditions for the lawful processing of personal inform ation thataremo reextensi ve
than those setout inCha pter3,the extensi veconditionsprevail.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 23
(3) This Act mu stbeinterp retedinamanner that—
(a) giveseffect tothe purpose ofthe Act setout insection 2;and
(b) does not preventanypublic or privatebody from exercising
orper forming its powers,duties and functions interms ofthe lawas faras such powers,duties and functions relatetothe processing of personal inform ation and such processing isin
accordance with this Act or anyother legisl ation, as referred toinsubsection (2), thatregul ates the processing ofpersonal inform ation.
(4) ‘‘Autom ated means ’’,forthe purposes ofthis section, means any
equipme ntcapable ofope rating autom atically inresponse toinstructions
given forthe purpose ofprocessing inform ation.
Lawful processing ofpersonal inform ation
4.(1) The conditionsforthe lawful processing ofpersonal inform ationby orforaresponsible party arethe following:
(a) ‘‘Accountabilit y’’,asreferred toinsection 8;
(b) ‘‘Processing limi tation ’’,asreferredtoinsections 9to12;
(c) ‘‘Purpose speci fication ’’,asreferred toinsections 13and 14; (d)
‘‘Further processing limi tation’’,asreferred toinsection15;
(e) ‘‘Inform ation qualit y’’,asreferredtoinsection 16;
(f)‘‘Openness ’’,asreferredtoinsections 17and 18;
(g) ‘‘Security safegua rds’’,asreferredtoinsections 19to22; and
(h) ‘‘Datasubject particip ation ’’,asreferredtoinsections 23to25.
(2) The conditions, as referred toinsubsection (1), arenot appli cable tothe processing ofpersonal inform ation tothe extentthatsuch processing is—
(a) excluded, interms ofsection 6or7,from the ope ration ofthis Act; or

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 24
(b) exem ptedinterms ofsection37or38, from one ormo reofthe conditions concerned inrelation tosuch processing.
(3) The processing ofthe special personal inform ationofadatasubject isprohibi tedinterms ofsection 26, unless the —
(a) provisions ofsections 27to33areappli cable; or
(b) Regul ator has granted an authoris ationinterms ofsection 27(2), inwhich case, subject tosection 37 or38, the conditions forthe lawful processing ofpersonal inform ation asreferred to inChap ter3mu stbecomplied with.
(4) The processing ofthe personal inform ationofachild isprohibi ted in terms ofsection 34, unless the —
(a) provisions ofsection 35(1) areappli cable; or
(b) Regul atorhas grantedanauthoris ation interms ofsection 35(2),
inwhich case, subject tosection 37, the conditions for the lawful processing of personal inform ation as referred toin
Cha pter3mu stbecomplied with.
(5) The processing of the special personal inform ation of achild is prohibi ted interms of sections 26 and 34 unless the provisions ofsections 27 and 35 areappli cable inwhich case, subject to section 37, the conditions for the lawful processing of personal inform ation asreferredtoinChap ter3mu stbecomplied with.
(6) The conditions forthe lawful processing ofpersonal inform ation by or for aresponsible party for the purpose ofdirect mar keting by
anymeans arereflected inCha pter3,read with section 69 inso far asthatsection relates todirect mar keting bymeans ofunsolici ted elect ronic communi cations.
(7) Sections 60 to68 provide for the developme nt,in app ropri ate circum stances, of codes of conduct for purposes of clari fying
howthe conditions referred toinsubsection (1), subject toany exem ptions which mayhavebeen granted interms ofsection 37, aretobe applied, or aretobe complied with within aparticular
sec tor.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 25
Rig htsofdatasubjects
5.Adatasubject has the righttohavehis, her orits personal inform ation processed inaccordance with the conditions for the lawful processing of
personal inform ation asreferredtoinCha pter3,including the right—
(a) tobenotifiedthat—
(i) personal inform ationabout him, her oritisbeing collec ted as provided forinterms ofsection 18; or
(ii) his, her or its personal inform ation has been accessed or acqui red byan unauthorised person asprovided forinterms of section 22;
(b) toestablish whether aresponsible party holds personal inform ation ofthatdatasubject and toreque staccess tohis, her oritspersonal inform ation asprovided forinterms ofsection 23;
(c) toreque st,whe renecessa ry,the correction, destruction ordeletion ofhis, her or its personal inform ation asprovided for interms of section 24;
(d) toobject, on reasonable grounds relating tohis, her oritsparticular
situ ation tothe processing ofhis, her oritspersonal inform ation as provided forinterms ofsection 11(3)(a);
(e) toobject tothe processing ofhis, her orits personal inform ation —
(i) atanytimeforpurposes ofdirect mar ketinginterms ofsection 11(3)(b); or
(ii) interms ofsection 69(3)(c);
(f) not tohavehis, her or its personal inform ation processed for
purposes of direct mar keting bymeans of unsolici ted elect ronic communi cations exceptasreferredtoinsection 69(1);
(g) not tobe subject, under cer tain circum stances, toadecision which is based solely on the basis ofthe autom ated processing ofhis, her or itspersonal inform ation intended toprovide aprofileofsuch person
asprovided forinterms ofsection 71;
(h) tosubmit acomplai nttothe Regul ator regarding the alle ged interference with the protectionofthe personal inform ationofany

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 26
datasubject ortosubmit acomplai nttothe Regul atorinrespect of adetermin ationofanadjudi catorasprovided forinterms ofsection 74; and
(i) toinstitu tecivil proceedings regarding the alle ged interference with
the protection ofhis, her oritspersonal inform ation asprovided for insection 99.
Exclusions
6.(1) This Act does not apply tothe processing ofpersonal inform ation —
(a) inthe courseofapurely personal orhousehold activity;
(b) thathas been de-ide ntified tothe extentthatitcannot be re- ide ntifiedagain;
(c) byoron behalf ofapublic body —
(i) which involves national securit y,including activities thatare aimed at assi sting inthe ide ntification of the financing of terroristand related activities, defence orpublic safety; or
(ii) the purpose ofwhich isthe prevention, detection, including assi stance inthe identification of the proceeds of unl awful activities and the comb ating ofmon eylaundering activities, investigation orproof ofoffences, the prosecution ofoffende rs or the execution of sentences or security measu res, tothe
extentthatadequ atesafegua rds havebeen established in legisl ation forthe protection ofsuch personal inform ation;
(d) bythe Cabin etand its committees orthe ExecutiveCouncil ofa province; or
(e) relatingtothe judicial functionsofacourt referredtoinsection166 ofthe Con stitution.
(2) ‘‘Terroristand related activities ’’,for purposes of subsection (1) (c),means those activities referred toinsection 4ofthe Protection ofCon stitutional Democ racy againstTerroristand Related Activities Act, 2004 (Act No. 33 of2004).

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 27
Exclusion forjournali stic, literaryorarti sticpurposes
7.(1) This Act does not apply tothe processing ofpersonal inform ation solely forthe purpose ofjournalistic,literaryorarti sticexpression to
the extentthatsuch anexclusion isnecessa rytoreconcile, asamatter ofpublic interest,the righttoprivacy with the righttofreedom of expression.
(2) Whe rearesponsible party who processes personal inform ation for exclusi vely journali stic purposes is,byvirtue ofoffice, empl oyme nt orprofession, subject toacode 20 ofethics thatprovides adequ ate safegua rds for the protection of personal inform ation, such code will apply tothe processing concerned tothe exclusion ofthis Act
and anyalle ged interference with the protection of the personal inform ation of adatasubject thatmayarise as aresult of such processing mu stbe adjudi cated as provided for interms of that code.
(3) Inthe eventthatadispu temayarise inrespect ofwhether adequ ate safegua rdshavebeen provided forinacode asrequi red interms of subsection (2) ornot, regardmaybehad to—
(a) the special impor tance of the public interestin freedom of expression;
(b) dome sticand intern ationalstanda rdsbalancing the —
(i) public interestinallowing forthe free flowofinform ation to
the public through the media inrecognition ofthe rightofthe public tobeinformed; and
(ii) public interestin safegua rding the protectionof personal inform ationofdatasubjects;
(c) the need tosecu rethe integrity ofpersonal inform ation;
(d) dome sticand intern ationalstanda rds ofprofessional integrity for
journali sts;and
(e) the natureand ambit of self-regul atoryforms of supe rvision provided bythe profession.

Act No. 4of2013
28 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 2
CONDITIONS FOR LAWFUL
PROCESSING OF PERSONAL
INFORM ATION

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 29
CHAPTER 3 CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORM ATION
Part A Pro cessing ofpersonal information ingeneral
Condition 1 Accountability
Responsible party toensu reconditions forlawful processing
8.The responsible party mu stensu rethatthe conditions setout inthis Cha pter,and all the measu res thatgiveeffect tosuch conditions, are complied with atthe time of the determin ation of the purpose and means ofthe processing and during the processing itsel f.
Condition 2 Processing limitation
Lawfulness ofprocessing
9.Personal inform ation mu stbe processed —
(a) lawfully; and
(b) inareasonable manner thatdoes not infrin gethe privacy ofthe
datasubject.
Minimality
10. Personal inform ationmayonly be processed if,given the purpose for which itisprocessed, itisadequ ate,relevantand not excessi ve.
Conse nt,justification and objection
11.(1) Personal inform ation mayonly beprocessed if—
(a) the datasubject oracomp etentperson whe rethe datasubject
isachild conse ntstothe processing;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 30
(b) processing isnecessa rytocarryout actionsforthe conclusion orper formance ofacontract towhich the datasubject isparty;
(c) processing complies with an obli gationimposed bylawon the responsible party;
(d) processing protects alegitim ateinterestofthe datasubject;
(e) processing isnecessa ryforthe proper per formance ofapublic lawduty byapublic body; or
(f) processing isnecessa ryfor pursuing the legitim ateinterests of the responsible party or of athirdparty towhom the inform ation issupplied.
(2) (a) The responsible party bea rsthe burden ofproof for the datasubjec t’sor comp etentperson ’sconse ntasreferredtoin subsection (1)(a). (b) The datasubject orcomp etentperson maywithd rawhis, her orits conse nt,asreferred toinsubsection (1)(a), atanytime: Provided thatthe lawfulness of the processing ofpersonal inform ation beforesuch withd rawalorthe processing ofpersonal inform ation in terms ofsubsection (1)(b) to(f)will not be affected. (3) Adatasubject mayobject, atanytime, tothe processing ofpersonal information— (a) interms ofsubsection (1)(d) to(f),inthe prescribed manne r,on reasonable grounds relating tohis, her orits particular situ ation, unless legisl ation provides forsuch processing; or (b) forpurposes ofdirect mar keting other than direct mar keting by
means of unsolici ted elect ronic communi cations asreferred toin section 69. (4) Ifadatasubject has objec tedtothe processing ofpersonal inform ation
interms ofsubsection (3), the responsible party mayno lon gerprocess the personal inform ation.
Collection directly from datasubject
12. (1) Personal inform ationmu stbe collec ted directly from the data subject, exceptasothe rwise provided forinsubsection (2).

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 31
(2) Itisnot necessa rytocomply with subsection (1) if—
(a) the inform ationiscontained inorderi vedfrom apublic record orhas delibe rately been made public bythe datasubject;
(b) the datasubject oracomp etentperson whe rethe datasubject isachild has conse nted tothe collection ofthe inform ation from another sou rce;
(c) collec tionofthe inform ationfrom another sou rce would not prejudice alegitim ateinterestofthe datasubject;
(d) collectionofthe inform ation from another sou rceisnecessa ry— (i) toavoid prejudice tothe mai ntenance of the law by anypublic bod y,including the prevention,detection, investigation, prosecution and punishme ntofoffences; (ii) tocomply with an obli gation imposed bylawortoenforce legisl ation concerning the collection ofrevenue as defined insection 1ofthe South Afri can Revenue Service Act, 1997 (Act No. 34 of1997); (iii) for the conduct of proceedings inanycourt or tribunal
thathave10commenced orarereasonably contempl ated; (iv) inthe interestsofnational security; or (v) tomai ntain the legitimateinterestsofthe responsible party
orofathirdparty towhom the inform ation issupplied;
(e) compliance would prejudice alawful purpose ofthe collection; or
(f)compliance isnot reasonably practicable inthe circum stances ofthe particular case.
Condition 3 Purpose specification
Collection forspeci ficpurpose
13. (1) Personal inform ation mu stbe collec ted for aspeci fic,explicitly defined and lawful purpose related toafunction or activity of the responsible part y.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 32
(2) Stepsmu stbe taken inaccordance with section 18(1) toensu rethat the datasubject isawareof the purpose of the collection of the inform ation unless the provisions ofsection 18(4) areappli cable.
Retention and restriction ofrecords
14. (1) Subject tosubsections (2) and (3), recordsofpersonal inform ation mu stnot beretained anylon gerthan isnecessa ryforachi eving the purpose for which the inform ation was collec ted or subseque ntly processed, unless —(a) retention ofthe recordisrequi redorauthorised bylaw; (b) the responsible party reasonably requi resthe recordforlawful purposes relatedtoitsfunctions oractivities; (c) retentionofthe recordisrequi red byacontract between the
parties the reto;or (d) the datasubject oracomp etentperson whe rethe datasubject is achild has conse ntedtothe retention ofthe record.
(2) Recordsofpersonal inform ation maybe retained forperiods inexcess of those contempl ated insubsection (1) for historical, statisticalor resea rchpurposes ifthe responsible party has established app ropri ate safegua rdsagainstthe recordsbeing used foranyother purposes. (3) Aresponsible party thathas used arecordofpersonal inform ationofa datasubject toma keadecision about the datasubject, mu st— (a) retain the recordforsuch period asmayberequi redorprescribed bylaworacode ofconduct; or (b) ifthe reisno laworcode ofconduct prescribing aretention period, retain the recordforaperiod which will affordthe datasubject a reasonable opportunit y,taking all conside rations relating tothe
use ofthe personal inform ation intoaccount,toreque staccess tothe record. (4) Aresponsible party mu stdestroyor deletearecordof personal
inform ation or de-ide ntifyitas soon as reasonably practi cable after the responsible party isno lon gerauthorised toretain the recordin terms ofsubsection (1) or(2).

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 33
(5) The destruction or deletion of arecordof personal inform ation in terms ofsubsection (4) mu stbe done inamanner thatpreventsits reconstruction inanintelligible form. (6) The responsible party mu strestrict processing ofpersonal inform ation if—(a) itsaccu racy iscontestedbythe datasubject, foraperiod enabling the responsible party toverifythe accu racy ofthe inform ation; (b) the responsible party no lon gerneeds the personal inform ation for achi eving the purpose forwhich the inform ation wascollec ted or subseque ntly processed, but ithas tobe mai ntained forpurposes ofproof; (c) the processing isunl awful and the datasubject opposes its
destruction or deletion and reque ststhe restriction of its use instead; or
(d) the datasubject reque ststotransmit the personal datainto another autom atedprocessing system. (7) Personal inform ation referred toin subsection (6) may,with the exception ofstorage,only be processed forpurposes ofproof,orwith the datasubjec t’sconse nt,or with the conse ntofacomp etentperson inrespect of achild, or for the protection of the rightsof another naturalorlegalperson orifsuch processing isinthe public interest. (8) Whe reprocessing of personal inform ation isrestric ted pursua ntto subsection (6), the responsible party mu stinform the datasubject beforelifting the restriction on processing.
Condition 4 Further processing limitation
Further processing tobe comp atible with purpose ofcollection
15. (1) Further processing of personal inform ation mu stbe in
accordance orcomp atible with the purpose forwhich itwascollec ted in terms ofsection 13. (2) Toassess whether further processing iscomp atiblewith the purpose of
collection, the responsible party mu sttakeaccountof—

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 34
(a) the relationship between the purpose of the intended further processing and the purpose for which the inform ation has been collec ted; (b) the natureofthe inform ation concerned; (c) the consequences ofthe intended further processing forthe data subject; (d) the manner inwhich the inform ation has been collec ted; and (e) anycontractual rightsand obli gations between the parties. (3) The further processing ofpersonal inform ationisnot incomp atiblewith the purpose ofcollection if— (a) the datasubject oracomp etentperson whe rethe datasubject is achild has conse ntedtothe further processing ofthe inform ation;
(b) the inform ationisavailable inor deri ved from apublic record or has delibe rately been made public bythe datasubject; (c) further processing isnecessa ry—
(i) toavoid prejudice tothe mai ntenance of the lawbyany public body including the prevention, detection, investigation, prosecutionand punishme ntofoffences; (ii) tocomply with an obli gation imposed bylawor toenforce legisl ation concerning the collection of revenue as defined in section1ofthe South Afri canRevenue Service Act, 1997 (Act No. 34of1997); (iii) for the conduct of proceedings in anycourt or tribunal thathavecommenced orarereasonably contempl ated; or (iv) inthe interestsofnational security; (d) the further processing ofthe inform ationisnecessa rytopreventor miti gateaserious and immine ntthreatto— (i) public health orpublic safety; or (ii) the lifeorhealth ofthe datasubject oranother individual;
(e) the inform ation is used for historical, statistical or resea rch purposes and the responsible party ensu res thatthe further processing iscarried out solely forsuch purposes and will not be
published inanidentifiable form; or (f)the further processing ofthe inform ationisinaccordance with an exem ption grantedunder section 37.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 35
Condition 5 Inform ation quality
Quality ofinform ation
16. (1) Aresponsible party mu sttakereasonably practi cable stepstoensu re thatthe personal inform ation iscompl ete,accu rate,not misleading and upd ated whe renecessa ry.
(2) Intaking the stepsreferred toinsubsection (1), the responsible party mu sthaveregardtothe purpose for which personal inform ation is collec ted orfurther processed.
Condition 6 Openness
Docume ntation
17. Aresponsible party mu stmai ntain the docume ntation ofallprocessing ope rations under itsresponsibility asreferred toinsection 14 or51 of the Promotion ofAccess toInform ation Act.
Noti fication todatasubject when collecting personal inform ation
18. (1) Ifpersonal inform ation iscollec ted, the responsible party mu sttake reasonably practi cable stepstoensu rethatthe datasubject isaware of—(a) the inform ation being collec ted and whe rethe inform ation is
not collec ted from the datasubject, the sou rce from which itis collec ted; (b) the name and add ress ofthe responsible party;
(c) the purpose forwhich the inform ation isbeing collec ted; (d) whether ornot the supply ofthe inform ationbythatdatasubject isvolu ntaryormand atory; (e) the consequences offailu retoprovide the inform ation; (f)anyparticularlawauthorising orrequiring the collectionofthe inform ation; (g) the fact that,whe reappli cable, the responsible party intends totransfer the inform ationtoathirdcountryor intern ational

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 36
organis ation and the level of protection afforded to the inform ation bythatthirdcountryorintern ational organis ation; (h) anyfurther inform ationsuch asthe — (i) recipie ntorcategoryofrecipie ntsofthe inform ation; (ii) natureorcategoryofthe inform ation; (iii) existence ofthe rightofaccess toand the righttorectifythe inform ation collec ted; (iv) existence ofthe righttoobject tothe processing ofpersonal inform ation asreferredtoinsection 11(3); and (v) righttolod geacomplai nttothe Inform ation Regul atorand the contact details of the Inform ation Regul ator,which is necessa ry,having regardtothe speci ficcircum stances in
which the inform ation isorisnot tobe processed, toenable processing inrespect ofthe datasubject tobereasonable. (2) The stepsreferredtoinsubsection (1) mu stbetaken—
(a) ifthe personal inform ation iscollec ted directly from the data subject, beforethe inform ation iscollec ted, unless the data subject isalready awareof the inform ation referred tointhat subsection; or (b) inanyother case, beforethe inform ationiscollec tedorassoon as reasonably practi cable afterithas been collec ted. (3) Aresponsible party thathas previously taken the stepsreferred to insubsection (1) complies with subsection (1) in relation tothe subseque ntcollection from the datasubject ofthe same inform ation orinform ation ofthe same kind ifthe purpose of collection of the inform ation remains the same. (4) Itisnot necessa ryforaresponsible party tocomply with subsection (1) if— (a) the datasubject oracomp etentperson whe rethe datasubject is
achild has provided conse ntforthe non- compliance; (b) non- compliance would not prejudice the legitimateinterestsof the datasubject assetout interms ofthis Act;
(c) non- compliance isnecessa ry— (i) toavoid prejudice tothe mai ntenance ofthe lawbyanypublic bod y,including the prevention, detection, investigation, prosecution and punishme ntofoffences;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 37
(ii) tocomply with an obli gation imposed bylawor toenforce legisl ation concerning the collection ofrevenue as defined in section 1ofthe South Afri can Revenue Service Act, 1997 (Act No. 34of1997); (iii) forthe conduct ofproceedings inanycourt ortribunal that havebeen commenced orarereasonably contempl ated; or (iv) inthe interestsofnational security; (d) compliance would prejudice alawful purpose ofthe collection; (e) compliance isnot reasonably practi cable inthe circum stances of the particular case; or (f)the inform ation will — (i) not be used inaform inwhich the datasubject maybe
ide ntified; or (ii) beused forhistorical,statisticalorresea rchpurposes.
Condition 7 Security Safeguards
Security measu reson integrity and confidentialityofpersonal inform ation
19. (1) Aresponsible party mu stsecu rethe integrity and confidentiality of
personal inform ation inits possession or under its controlbytaking app ropri ate, reasonable techni cal and organis ational measu res to prevent— (a) loss of,dama getoorunauthorised destruction ofpersonal inform ation; and (b) unl awful access toorprocessing ofpersonal inform ation. (2) Inorder togiveeffect tosubsection(1), the responsible party mu sttake reasonable measu resto— (a) ide ntifyallreasonably foreseeable internal and external risksto personal inform ation initspossession orunder itscontrol; (b) establish and mai ntain app ropri atesafegua rds againstthe risks ide ntified; (c) regularly verifythatthe safegua rdsareeffectively impleme nted; and (d) ensu rethatthe safegua rdsarecontinuallyupd atedinresponse to
newrisksordeficiencies inpreviously impleme ntedsafegua rds.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 38
(3) The responsible party mu sthavedue regardtogene rally acce pted inform ation security practices and procedu res which mayapply toit gene rally orbe requi red interms ofspeci ficindu stryorprofessional rules and regul ations.
Inform ation processed byope ratororperson acting under authority
20. An ope ratororanyone processing personal inform ationon behalf ofa responsible party oranope rator,mu st— (a) process such inform ationonly with the knowled georauthoris ation ofthe responsible party; and (b) treatpersonal inform ation which comes totheir knowled geas confidential and mu stnot disclose it,unless requi red bylaworin the courseofthe proper per formance oftheir duties.
Security measu resregarding inform ation processed byope rator
21. (1) Aresponsible party mu st,interms of awrit ten contract between the responsible party and the ope rator,ensu rethatthe ope ratorwhich processes personal inform ation for the responsible party establishes and mai ntains the security measu resreferredtoinsection 19. (2) The ope rator mu stnoti fythe responsible party immedi ately whe re the rearereasonable grounds tobeli evethatthe personal inform ation ofadatasubject has been accessed oracqui red byanyunauthorised person.
Noti fication ofsecurity comp romises
22. (1) Whe rethe rearereasonable grounds tobeli evethatthe personal
inform ation of adatasubject has been accessed or acqui red byany unauthorisedperson,the responsible party mu stnoti fy—
(a) the Regul ator; and (b) subject tosubsection(3), the datasubject, unless the identityof such datasubject cannot beestablished. (2) The noti fication referred toinsubsection (1) mu stbe made assoon as reasonably possible afterthe discoveryofthe comp romise, taking into accountthe legitimateneeds oflawenforceme ntoranymeasu res

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 39
reasonably necessa rytodetermine the scope ofthe comp romise and torestorethe integrity ofthe responsible part y’sinform ation system. (3) The responsible party mayonly delaynotificationofthe datasubject if apublic body responsible forthe prevention, detection orinvestigation ofoffences orthe Regul atordetermines thatnoti fication will impede a criminal investigation bythe public 30body concerned. (4) The noti fication toadatasubject referred toinsubsection (1) mu stbe inwriting and communi cated tothe datasubject inatleastone ofthe following ways: (a) Mailed tothe datasubjec t’slastknown physicalorpostaladd ress; (b) sentbye-mail tothe datasubjec t’slastknown e-mail add ress;
(c) placed inapromine ntpositionon the websiteofthe responsible party; (d) published inthe newsmedia; or
(e) asmaybedirectedbythe Regul ator. (5) The noti fication referred toinsubsection (1) mu stprovide sufficie nt inform ation toallow the datasubject totakeprotecti vemeasu res againstthe potential consequences ofthe comp romise, including — (a) adescri ptionof the possible consequences of the security comp romise; (b) adescri ptionofthe measu resthatthe responsible party intends to takeorhas taken toadd ress the security comp romise; (c) arecommend ation with regardtothe measu restobe taken by the datasubject tomiti gatethe possible adverse effects of the security comp romise; and (d) ifknown tothe responsible part y,the ide ntity ofthe unauthorised person who mayhave accessed or acqui red the personal inform ation.
(6) The Regul ator may direct a responsible party to publicise, in anymanner speci fied, the fact of anycomp romise tothe integrity or confidentiality of personal inform ation, ifthe Regul ator has reasonable grounds tobeli evethatsuch publicity would protect adatasubject who maybe affectedbythe comp romise.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 40
Condition 8 Datasubject participation
Access topersonal inform ation 5
23. (1) Adatasubject, having provided adequ ateproof ofide ntity,has the rightto— (a) reque staresponsible party toconfirm, free ofcha rge,whether or not the responsible party holds personal inform ation about the
datasubject; and (b) reque stfrom aresponsible party the recordor adescri ption of the personal inform ation about the datasubject held bythe responsible part y,including inform ation about the ide ntity ofall thirdparties, orcategories ofthirdparties, who have,orhavehad, access tothe inform ation— (i) within areasonable time; (ii) ataprescribed fee, ifany; (iii) inareasonable manner and form at;and (iv) inaform thatisgene rally unde rstandable.
(2) If,in response toareque stin terms of subsection (1), personal inform ation iscommuni cated toadatasubject, the datasubject mu st be advised ofthe rightinterms ofsection 24 toreque stthe correction ofinform ation.
(3) Ifadatasubject isrequi red byaresponsible party topayafee for services provided tothe datasubject interms ofsubsection (1)(b) to enable the responsible party torespond toareque st,the responsible party — (a) mu stgivethe appli cantawritten estimateof the fee before providing the services; and (b) mayrequi rethe appli canttopayadeposit forallorpart ofthe fee.
(4) (a) Aresponsible party mayormu strefuse, asthe case maybe, to disclose anyinform ationreque stedinterms ofsubsection(1) towhich
the grounds forrefusal ofaccess torecords setout inthe appli cable sections ofCha pter4ofPart 2and Cha pter4ofPart 3ofthe Promotion
ofAccess toInform ation Act appl y.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 41
(b) The provisions ofsections 30 and 61 ofthe Promotion ofAccess toInform ation Act areappli cable inrespect ofaccess tohealth or other records.
(5) Ifareque stforaccess topersonal inform ation ismade toaresponsible party and part ofthatinform ation mayormu stbe refused interms of subsection (4)(a), everyother part mu stbedisclosed.
Cor rection ofpersonal inform ation
24. (1) Adatasubject may,inthe prescribed manne r,reque staresponsible party to— (a) correct or del etepersonal inform ation about the
datasubject inits possession or under its controlthatisinaccu rate, irrelevant,excessi ve,out ofdate,incompl ete,misleading orobtained unl awfully; or (b) destroyordel etearecordofpersonal inform ation about the data subject that 40 the responsible party isno lon gerauthorised to retain interms ofsection 14.
(2) On recei ptofareque stinterms ofsubsection(1) aresponsible party mu st,assoon asreasonably practi cable —
(a) correct the inform ation; (b) destroyordeletethe inform ation; (c) provide the datasubject, tohis orher satisfaction,with credible evidence insupport ofthe inform ation; or (d) whe reagreeme ntcannot be reached between the responsible party and the datasubject, and ifthe datasubject so reque sts, takesuch stepsasarereasonable inthe circum stances, toattach tothe inform ation insuch amanner thatitwill alwaysberead with the inform ation, an indi cation thatacorrection ofthe inform ation has been reque sted but has not been made.
(3) Ifthe responsible party has taken stepsunder subsection (2) thatresult
inachan getothe inform ation and the chan ged inform ation has an impact on decisions thathavebeen orwill be taken inrespect ofthe datasubject inque stion, the responsible party mu st,if reasonably practi cable, inform each person orbody orresponsible party towhom the personal inform ation has been disclosed ofthose steps.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 42
(4) The responsible party mu stnoti fyadatasubject, who has made a reque stinterms ofsubsection (1), ofthe action taken asaresult of the reque st.
Manner ofaccess
25. The provisions of sections 18 and 53 of the Promotion of Access to Inform ation Act apply toreque stsmade interms ofsection 23ofthis Act.
Part B Pro cessing ofspecial personal information
Prohibition on processing ofspecial personal inform ation
26. Aresponsible party may,subject tosection27, not process persona l inform ation concerning — (a) the religious orphilosophi calbeli efs,race orethnic origin, trade union membe rship, politi cal persuasion, health or sexlifeor biom etric inform ation ofadatasubject; or (b) the criminal beh aviour ofadatasubject tothe extentthatsuch
inform ation relatesto— (i) the alle ged commission byadatasubject ofanyoffence; or (ii) anyproceedings inrespect ofanyoffence alle gedly committed
byadatasubject orthe disposal ofsuch proceedings.
Gene ralauthoris ation concerning special personal inform ation
27. (1) The prohibitionon processing personal inform ation,asreferred toin section
26, does not apply ifthe — (a) processing iscarried out with the conse ntofadatasubject referred toinsection 26; (b) processing isnecessa ryforthe establishme nt,exercise ordefence ofarightorobli gation inlaw; (c) processing is necessa ryto comply with an obli gation of intern ational public law; (d) processing isforhistorical,statisticalorresea rchpurposes tothe extentthat—

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 43
(i) the purpose servesapublic interestand the processing is necessa ryforthe purpose concerned; or (ii) itappea rstobeimpossible orwould involveadisp roportion ate effort toask for conse nt,and sufficie ntgua rantees are provided fortoensu rethatthe processing does not adversely affect the individual privacy of the datasubject to a disp roportion ateextent; (e) inform ationhas delibe rately been made public bythe data subject; or (f)provisions ofsections28 to33 are,asthe case maybe, complied with.
(2) The Regul ator may,subject tosubsection (3), upon appli cation bya responsible party and bynotice inthe Gazette,authorise aresponsibl e party toprocess special personal inform ation ifsuch processing is in the public interestand app ropri atesafegua rdshavebeen put inplac e toprotect the personal inform ation ofthe datasubject. (3) The Regul ator mayimpose reasonable conditions inrespect ofanyauthoris ation granted
under subsection (2).
Authoris ation concerning datasubjec t’sreligious orphilosophi calbeli efs
28. (1) The prohibition on processing personal inform ation concerning adata subjec t’sreligious or philosophi calbeli efs,asreferred toinsection 26, does not apply ifthe processing iscarried out by— (a) spiritual or religious organis ations,orindepende ntsections of those organis ationsif— (i) the inform ationconcerns datasubjects belonging tothose organis ations; or (ii) itisnecessa rytoachi evetheir aims and principles; (b) institutions founded on religious or philosophi cal principles with respect totheir membe rsor empl oyees or other persons belonging tothe institution, ifitisnecessa rytoachi evetheir aims and principles; or (c) other institutions: Provided thatthe processing isnecessa ryto
protect the spiritual welfareofthe datasubjects, unless theyhave indi catedthattheyobject tothe processing.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 44
(2) Inthe cases referred toinsubsection (1)(a), the prohibition does not apply to processing ofpersonal inform ation concerning the religion or philosop hyoflifeoffamily membe rsofthe datasubjects, if— (a) the associ ationconcerned mai ntains regular contact with those family membe rsinconnection with itsaims; and (b) the family membe rshavenot objec tedinwriting tothe processing. (3) Inthe cases referred toinsubsections (1) and (2), personal inform ation concerning adatasubjec t’sreligious orphilosophi calbeli efsmaynot be supplied tothirdparties without the conse ntofthe datasubject.
Authoris ation concerning datasubjec t’srace orethnic origin
29. The prohibition on processing personal inform ation concerning adata subjec t’srace orethnic origin, asreferredtoinsection 26, does not appl y ifthe processing iscarried out to— (a) identifydatasubjects and only when this isesse ntialfor that purpose; and (b) comply with lawsand other measu res designed toprotect or advance persons, or categories of persons, disad vantaged by unfair discrimin ation.
Authoris ation concerning datasubjec t’strade union membe rship
30. (1) The prohibition on processing personal inform ation concerning a
datasubjec t’strade union membe rship, asreferred toinsection 26, doe s not apply tothe processing bythe trade union towhich the datasubjec t belongs orthe trade union fede ration towhich thattrade union belongs , ifsuch processing isnecessa rytoachi eve40the aims ofthe trade unio n ortrade union fede ration.
(2) Inthe cases referredtounder subsection(1), nopersonal inform ationmay besupplied tothirdparties without theconse ntofthe datasubject.
Authoris ation concerning datasubjec t’spoliti calpersuasion
31. (1) The prohibition on processing personal inform ation concerning a data subjec t’spoliti calpersuasion, asreferred toinsection 26, does not apply toprocessing byorforaninstitution, founded on politi calprinciples , ofthe personal inform ation of—

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 45
(a) its membe rsor empl oyees or other persons belonging tothe institution, ifsuch processing isnecessa rytoachi evethe aims or principles ofthe institution; or (b) adatasubject ifsuch processing isnecessa ryforthe purposes of— (i) forming apoliti calparty; (ii) particip ating inthe activities of,orengaging inthe recruitme nt of membe rsfor or canvassing suppor tersor votersfor,a politi calparty with the viewto— (aa) an election ofthe National Assembly orthe provincial legisl atureas regul ated interms of the Elec toralAct, 1998 (Act No. 73of1998); (bb) municipal elections as regul ated interms of the Local
Governme nt:Municipal Elec toralAct, 2000 (Act No. 27 of2000); or
(cc) areferendum asregul ated interms ofthe Referendums Act, 1983 (Act No. 108 of1983); or (iii) campaigning forapoliti calparty orcause.
(2) Inthe cases referredtounder subsection(1), nopersonal inform ationmay besupplied tothirdparties without theconse ntofthe datasubject.
Authoris ation concerning datasubjec t’shealth orsexlife
32. (1) The prohibition on processing personal inform ation concerning a datasubjec t’shealth orsexlife,asreferredtoinsection26, does not appl y tothe processing by—
(a) medi calprofessionals, health careinstitutions orfacilities orsocial services, ifsuch processing isnecessa ryforthe proper treatme nt
and careof the datasubject, or for the admini stration of the institution orprofessional practice concerned; (b) insu rance companies, medi cal schemes, medi cal scheme admini stratorsand mana ged health careorganis ations, ifsuch processing isnecessa ryfor— (i) assessing the risk tobe insu red bythe insu rance compa nyor covered bythe medi cal scheme and the datasubject has not objec ted tothe processing;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 46
(ii) the per formance of an insu rance or medi cal scheme agreeme nt;or (iii) the enforceme ntofanycontractual rightsand obli gations; (c) schools, ifsuch processing isnecessa rytoprovide special support forpupils ormaking special arrangeme ntsinconnection with their health orsexlife; (d) anypublic orprivatebody managing the careofachild ifsuch processing isnecessa ryforthe per formance oftheir lawful duties; (e) anypublic bod y,ifsuch processing isnecessa ryinconnection with the impleme ntationofprison sentences ordetentionmeasu res; or (f)admini strativebodies, pension funds, empl oyersor institutions
working for them, ifsuch processing isnecessa ryfor— (i) the impleme ntation of the provisions of laws, pension regul ations or collecti veagreeme nts which createrights
depende nton the health orsexlifeofthe datasubject; or (ii) the reintegrationoforsupport forworkersorpersons entitled toben efitinconnection with sickness orwork incapacit y.
(2) Inthe cases referredtounder subsection (1), the inform ation mayonly be processed byresponsible parties subject toanobli gation ofconfidentialit y byvirtue of office, empl oyme nt,profession or legal provision, or established byawrit ten agreeme ntbetween the responsible party and the datasubject.
(3) Aresponsible party thatispermittedtoprocess inform ation concerning a datasubjec t’shealth orsexlifeinterms ofthis section and isnot subjec t toan obli gation ofconfidentiality byvirtue of office, profession or
legal provision, mu sttreatthe inform ation asconfidential, unless the responsible party isrequi red bylaworinconnection with their dutie s
tocommuni catethe inform ation toother parties who areauthorised to process such inform ation inaccordance with subsection (1).
(4) The prohibition on processing anyof the categories of persona l inform ation referred toinsection 26, does not apply ifitisnecessa ryto suppleme ntthe processing of personal inform ation concerning adata subjec t’shealth, as referred tounder subsection(1)(a), with aviewto

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 47
the proper treatme ntorcareofthe datasubject.
(5) Personal inform ation concerning inheri ted cha racteristics maynot be processed in respect of adatasubject from whom the inform ation
concerne dhasbee nobtained ,unless — (a) aserious medi calinterestprevails; or (b) the processing isnecessa ryforhistorical, statisticalorresea rch activit y.
(6) Mo redetailed rules maybe prescribed concerning the appli cationof subsection (1)(b) and (f).
Authoris ation concerning datasubjec t’scriminal beh aviour orbiom etric inform ation
33. (1) The prohibition on processing personal inform ation concerning adata subjec t’scriminal beh aviour or biom etric inform ation, as referred to insection 26, does not apply ifthe processing iscarried out bybodie s cha rged bylawwith applying criminal laworbyresponsible parties who haveobtained thatinform ation inaccordanc ewith the law.
(2) The processing ofinform ation concerning personnel inthe service ofthe
responsibl epart ymu sttakeplac einaccordanc ewiththerule sestablish ed incompliance with labour legisl ation.
(3) The prohibition on processing anyofthe categories ofpersonal inform ation referred toinsection 26 does not apply ifsuch processing isnecessa ry tosuppleme ntthe processing ofinform ation on criminal beh aviour or biom etric inform ation permit tedbythis section.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 48
Part C Pro cessing ofpersonal information ofchildren
Prohibition on processing personal inform ation ofchild ren
34. Aresponsible party may,subject tosection35, not process persona l inform ation concerning achild.
Gene ralauthoris ation concerning personal inform ation ofchild ren
35. (1) The prohibitionon processing personal inform ationofchild ren, as referredtoinsection 34, does not apply ifthe processing is— (a) carried out with the prior conse ntofacomp etentperson; (b) necessa ryforthe establishme nt,exercise ordefence ofarightor obli gation inlaw; (c) necessa rytocomply with anobli gation ofintern ational public law; (d) forhistorical,statisticalorresea rchpurposes tothe extentthat— (i) the purpose serves apublic interestand the processing is necessa ryforthe purpose concerned; or (ii) itappea rstobeimpossible orwould involveadisp roportionate
effort toask for conse nt,and sufficie ntgua rantees are provided fortoensu rethatthe processing does not adversely affect the individual privacy ofthe child toadisp roportion ate
extent;or (e) ofpersonal inform ationwhich has delibe rately been made public bythe child with the conse ntofacomp etentperson.
(2) The Regul atormay,notwith standing the prohibitionreferred toinsection 34, but subject tosubsection (3), upon appli cation byaresponsible part y and bynotice inthe Gazette,authorise aresponsible party toprocess the personal inform ation ofchild ren ifthe processing isinthe public interest and app ropri atesafegua rdshavebeen put inplace toprotect the persona l inform ationofthe child.
(3) The Regul ator mayimpose reasonable conditions in respect of any authoris ation granted under subsection (2), including conditions with
regardtohowaresponsible party mu st—

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 49
(a) upon reque stofacomp etentperson provide areasonable means forthatperson to— (i) reviewthe personal inform ation processed; and (ii) refuse topermit itsfurther processing; (b) provide notice — (i) regarding the natureofthe personal inform ationofchild ren thatisprocessed; (ii) how such inform ation isprocessed; and (iii) regarding anyfurther processing practices; (c) refrain from anyaction thatisintended toencourageorpersuade achild to 10 disclose mo repersonal inform ation about him- or herself than isreasonably necessa rygiven the purpose forwhich
itisintended; and (d) establish and mai ntain reasonable procedu res toprotect the integrity and confidentiality ofthe personal inform ation collec ted
from child ren.

Act No. 4of2013
50 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 4
EXEMPTION FROM CONDITIONS
FOR PROCESSING OF PERSONAL
INFORM ATION

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 51
CHAPTER 4 EXEM PTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION
Gene ral
36. Processing ofpersonal inform ationisnot inbreach ofaconditionforthe processing ofsuch inform ationifthe — (a) Regul atorgrantsanexem ption interms ofsection 37; or
(b) processing isinaccordance with section 38.
Regul atormayexem ptprocessing ofpersonal inform ation
37. (1) The Regul atormay,bynotice inthe Gazette,grantan exem ption toa responsible party toprocess personal inform ation, even ifthatprocessin g isinbreach of acondition forthe processing ofsuch inform ation, orany measu rethatgiveseffect tosuch condition, ifthe Regul atorissatisfied that,inthecircum stance softhecase — (a) the public interestinthe processing out weighs, toasubstantial
deg ree, anyinterference with the privacy ofthe datasubject that could result from such processing; or (b) the processing involvesaclear ben efittothe datasubject orathird party thatout weighs, toasubstantial deg ree, anyinterference with the privacy ofthe datasubject orthirdparty thatcould result from such processing.
(2) The pub licinterestreferredtoinsubsection (1) includ es—
(a) the interestsofnational security; (b) the prevention, detection and prosecution ofoffences; (c) impor tanteconomic and financial interestsofapublic body; (d) fostering compliance with legalprovisions established inthe interestsreferredtounder paragraphs (b) and (c); (e) historical,statisticalorresea rchactivity; or (f)the special impor tance ofthe interestinfreedom ofexpression. (3) The Regul ator mayimpose reasonable conditionsinrespect of any exem ption grantedunder subsection (1).

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 52
Exem ption inrespect ofcer tain functions
38. (1) Personal inform ation processed for the purpose of discha rging a relevantfunction isexem ptfrom sections 11(3) and (4), 12, 15 and 18 in
anycase tothe extenttowhich the appli cation ofthose provisions tothe personal inform ation would be likely toprejudice the proper discha rgeof thatfunction.
(2) ‘‘Relevantfunction ’’forpurposes ofsubsection (1),means anyfunction — (a) ofapublic body; or (b) conferred on anyperson interms ofthe law,which isper formed with the viewtoprotecting membe rsofthe public against— (i) financial loss due todishone sty,malp ractice orother seriously imp roper conduct by,or the unfitness or incomp etence of,
persons concerned in the provision of bankin g,insu rance, investme ntorother financial services orin the mana geme nt ofbodies corpo rate;or (ii) dishone sty,malp ractice or other seriously imp roper conduct by,or the unfitness or incomp etence of,persons authorised tocarryon anyprofession orother activit y.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,201 3 53
CHAPTER 5
SUPERVISION

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 54
CHAPTER 5 SUPERVISION Part AInformation Regulator
Establishme ntofInform ation Regul ator
39. The reisherebyestablished ajuri sticperson tobeknown asthe Inform ation
Regul ator,which — (a) has jurisdiction throughout the Republic;
(b) isindepende ntand issubject only tothe Con stitution and tothe
lawand mu stbe impartial and per form its functions and exercise itspowerswithout fear,favour orprejudice; (c) mu stexercise itspowersand per form itsfunctionsinaccordance with this Act and the Promotion ofAccess toInform ation Act; and (d) isaccountable tothe National Assembl y.
Powers,duties and functions ofRegul ator
40. (1) The powers,dutiesand functionsofthe Regul atorinterms ofthis Act are— (a) toprovide edu cation by—
(i) promotinganunde rstanding and acce ptance ofthe conditions forthe lawful processing ofpersonal inform ation and ofthe objects ofthose conditions; (ii) under taking edu cational programmes, for the purpose of promoting the protection of personal inform ation, on the Regul ator’sown behalf orinco-ope ration with other persons orauthorities acting on behalf ofthe Regul ator; (iii) making public stateme nts in relation to any matter affecting the protection ofthe personal inform ation ofadata subject orofanyclass of datasubjects;
(iv) giving advice todatasubjects inthe exercise oftheir rights; and (v) providing advice, upon reque storon its own initi ative,toa
Mini sterorapublic orprivatebody on their obli gations under the provisions, and gene rally on anymatterrelevanttothe ope ration, ofthis Act;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 55
(b) tomoni torand enforcecompliance by— (i) public and privatebodies with the provisions ofthis Act; (ii) under taking resea rch into,and moni toring developme nts in, inform ation processing and compu ter technology to ensu rethatanyadverseeffects ofsuch developme ntson the protection ofthe personal inform ation ofdata subjects are minimised, and reporting tothe Mini sterthe results ofsuch resea rchand moni toring; (iii) examining anyproposed legisl ation, including subo rdin ate legisl ation, or proposed policy of the Governme ntthatthe Regul atorconside rsmayaffect the protection ofthe personal
inform ation of datasubjects, and reporting tothe Mini ster the results ofthatexamin ation; (iv) reporting upon reque stor on its own accord,toParliame nt
from time totime on any policy matter affecting the protection of the personal inform ation ofadatasubject, including the need for,or desi rability of,taking legisl ative, admini strative,or other action togiveprotection or better protection tothe personal inform ation ofadatasubject; (v) submitting areport toParliame nt,within fivemo nths ofthe end ofitsfinancial year,on allitsactivities interms ofthis Act during thatfinancial year; (vi) conducting an assessme nt,on its own initi ativeor when reque sted todo so,of apublic or privatebod y,inrespect
of the processing of personal inform ation bythatbody for the purpose ofascer taining whether or not the inform ation is processed according tothe conditions for the lawful
processing ofpersonal inform ation; (vii) moni toring the use of unique identifiersof datasubjects, and reporting toParliame ntfrom time totime on the results of thatmoni torin g,including anyrecommend ation relating tothe need of,or desi rability of takin g,legisl ative, admini strative,or other action togiveprotection, or better protection, tothe personal inform ation ofadatasubject; (viii) mai ntainin g,publishing and making available and providing copies ofsuch registersasareprescribed inthis Act; and

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 56
(ix) examining anyproposed legisl ationthatma kesprovision for the — (aa) colle ctionof personal inform ationbyanypublic or privatebody; or (bb) disclosu reof personal inform ation byone public or privatebody toanyother public or privatebod y, or both, tohaveparticular regard, in the course of thatexamin ation,tothe matterssetout in section 44(2), in any case whe re the Regul atorconside rs thatthe inform ation mig htbe used forthe purposes of an inform ation matching programme, and reporting tothe Mini ster and Parliame ntthe results of that
examin ation; (c) toconsult with interestedparties by— (i) receiving and inviting represe ntations from membe rsofthe
public on anymatteraffecting the personal inform ation of adatasubject; (ii) co-ope rating on anational and intern ational basis with other persons and bodies concerned with the protection of personal inform ation; and (iii) acting asmedi atorbetween opposing parties on anymatter thatconcerns the need for,or the desi rability of,action by aresponsible party inthe interestsofthe protection ofthe personal inform ation ofadatasubject; (d) tohandle complai ntsby—
(i) receiving and investigating complai nts about alle ged viol ations ofthe protection of personal inform ation of data subjects and reporting tocomplaina ntsin respect of such
complai nts; (ii) gathering such inform ation asinthe Regul ator’sopinion will assi stthe Regul atorindischa rging the duties and carrying out the Regul ator’sfunctions under this Act; (iii) attem pting to resol vecomplai nts bymeans of dispu te resolution mechanisms such as medi ation and concili ation; and

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 57
(iv) serving anynotices interms ofthis Act and further promoting the resolution ofdispu tes inaccordance with the prescri pts ofthis Act; (e) toconduct resea rchand toreport toParliame nt— (i) from time totime on the desi rability ofthe acce ptance, by South Afri ca,ofanyintern ational instrume ntrelating tothe protection ofthe personal inform ation ofadatasubject; and (ii) on anyother matter,including necessa rylegisl ative amendme nts, relating toprotection of personal inform ation that, in the Regul ator’sopinion, should be drawn to Parliame nt’sattention;
(f)inrespect ofcodes ofconduct to— (i) issue, from timetotime,codes ofconduct, amend codes and torevokecodes ofconduct;
(ii) ma keguidelines toassi stbodies todevelop codes ofconduct ortoapply codes ofconduct; and (iii) consider afresh, upon appli cation,determin ations by adjudi catorsunder app roved codes ofconduct; (g) tofacili tatecross-bo rder coope ration in the enforceme ntof privacy lawsbyparticip ating inanyiniti ativethatisaimed atsuch coope ration; and (h) ingene ralto— (i) doanything incide ntalorconduci vetothe per formance ofany ofthe preceding functions; (ii) exercise and per form such other functions, powers,and duties asareconferred orimposed on the Regul atorbyorunder this Act oranyother legisl ation; (iii) requi rethe responsible party todisclose toanyperson affected byacomp romise tothe integrity orconfidentiality of
personal inform ation, such comp romise inaccordance with section22; and (iv) exercise the powersconferred upon the Regul atorbythis Act inmattersrelating tothe access ofinform ation asprovided by the Promotion ofAccess toInform ation Act.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 58
(2) The Regul ator may,from time totime, inthe public interestor inthe legitim ateinterestsofanyperson or body ofpersons, publish report s relating gene rally tothe exercise ofthe Regul ator’sfunctions under this Act ortoanycase orcases investigated bythe Regul ator,whether ornot the matterstobedealt with inanysuch report havebeen the subject ofa repor ttotheMini ster.
(3) The provisions ofsections3and 4ofthe Commissions Act, 1947 (Act No. 8of1947), will appl y,with the necessa rychan ges, tothe Regul ator. (4) The powersand duties ofthe Regul atorinterms ofthe Promotion of
Access toInform ation Act aresetout inParts 4and 5ofthatAct.
Appoi ntme nt,term ofoffice and remo valofmembe rsofRegul ator 41. (1) (a) The Regul atorconsi stsofthe following membe rs: (i) AChairpe rson; and (ii) four other persons, asordina rymembe rsofthe Regul ator. (b) Membe rsof the Regul ator mu stbe app ropri ately quali fied, fit and proper persons — (i) atleastone of whom mu stbe appoi nted on accountof
experience asapractising advocateorattorn eyoraprofessor oflawatauni versity; and (ii) the remainder ofwhom mu stbe appoi nted on accountofany
other quali fications, expertise and experience relating tothe objects ofthe Regul ator. (c) The Chairpe rson ofthe Regul atormu stbe appoi nted inafull-time capacity and may,subject tosubsection (4), not per form or under taketoper form anyother remune rativework during the period inwhich heorshe holds office asChairpe rson. (d) The ordina rymembe rsof the Regul ator mu stbe appoi nted as follows: (i) Twoordina rymembe rsinafull-time capacity; and (ii) twoordina rymembe rsinafull-time orpar t-time capacit y. (e) The membe rsreferred toinparagraph (d) who areappoi nted in
afull-time capacit y,may,subject tosubsection (4), not per form orunder taketoper form anyother remune rativework during the period inwhich theyhold office.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 59
(f)The Chairpe rson mu stdirect the work ofthe Regul atorand the staff ofthe Regul ator. (g)Aperson maynot be appoi nted asamember ofthe Regul atorif heorshe — (i) isnot acitizenofthe Republic; (ii) isapublic servant; (iii) isamember ofParliame nt,anyprovincial legisl atureorany municipal council; (iv) isanoffice-bearerorempl oyeeofanypoliticalparty; (v) isan unrehabili tated insol vent; (vi) has been decla redbyacourt tobeme ntally illorunfit;or (vii) has atanytimebeen convicted, whether inthe Republic or elsewhe re,ofanyoffence involving dishone sty.
(2) (a) The Chairpe rson and the membe rsof the Regul ator referred to in subsection (1)(a) mu stbe appoi nted bythe Preside nton the recommend ation ofthe National Assembl y,which recommend ation mu st also indi catewhich ordina rymembe rsmu stbe appoi ntedinafull-time or par t-time capacit y.
(b) The National Assembly mu strecommend persons — (i) nomin ated byacommittee of the Assembly composed of membe rsofparties represe nted inthe Assembly; and
(ii) app roved bythe Assembly byaresolution ado pted with a supporting voteof amajority ofthe membe rsofthe Assembl y.
(3) The membe rsofthe Regul atorwill beappoi ntedforaperiod ofnot mo re than fiveyearsand will, atthe expiration ofsuch period, be eligible for reappoi ntme nt.
(4) The Chairpe rson ofthe Regul atororamember who has been appoi ntedin afull-time capacity may,notwith standing the provisions ofsubsection (1) (c) or(e), only per form orunder taketoper form anyother remune rative work during the period thathe or she holds office as Chairpe rson or member with the prior writ tenconse ntofthe Mini ster.
(5) Aperson appoi nted asamember ofthe Regul atormay,upon written noticetothe Preside nt,resign from office.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 60
(6) (a)Amember mayberem ovedfrom office only on— (i) the ground ofmis conduct, incapacity orincomp etence; (ii) afinding tothateffect byacommit tee of the National Assembly; and (iii) the ado ptionbythe NationalAssembly ofaresolutioncalling forthatperson ’srem ovalfrom office. (b) Aresolution of the National Assembly concerning the rem oval from office ofamember ofthe Regul atormu stbe ado pted with asupporting voteofamajority ofthe membe rsofthe Assembl y. (c)The Preside nt— (i) maysuspend amember from office atanytime after the start of the proceedings ofacommit teeofthe National
Assembly forthe rem ovalofthatmember; and (ii) mu strem oveamember from office upon ado ption bythe Assembly ofthe resolution calling forthatmembe r’srem oval.
Vacancies
42. (1) Avacancy inthe Regul atoroccu rsifamember — (a) becomes subject toadisquali fication referred toinsection 41(1) (g); (b) tende rshis orher resign ationascontempl ated insection41(5) and the resign ation takeseffect; (c) isrem ovedfrom office interms ofsection 41(6); (d) dies; or (e) becomes permane ntlyincapable ofdoing his orher work.
(2) (a) Whe reavacancy has arisen ascontempl ated insubsection(1), the procedu recontempl atedinsection 41(2) applies. (b) Anymember appoi nted under this subsection holds office forthe restof the period of the predecesso r’sterm of office, unless the Preside nt,upon recommend ation bythe National Assembl y, appoi ntsthatmember foralon gerperiod which maynot exceed fiveyears.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 61
Powers,duties and functions ofChairpe rson and other membe rs
43. (1) The Chairpe rson — (a) mu stexercise the powersand per form the duties and functions
conferred on orassigned tohim orher bythe Regul atorinterms ofthis Act and the Promotion ofAccess toInform ation Act; and (b) is,forthe purposes ofexercising the powersand per forming the duties and functions conferred on or assigned tohim or her by the Regul atorinterms ofthis Act and the Promotion ofAccess to Inform ation Act, accountable tothe Regul ator.
(2) (a) The membe rsreferred toinsection41(1)(d)(i) mu stexercise thei r powersand per form their duties and functions asfollows: (i) One member interms ofthis Act; and
(ii) one member in terms of the Promotion of Access to Inform ation Act. (b) The membe rsreferred toinsection 41(1)(d)(ii) mu stexercise their powersand per form their duties and functions either interms of this Act orthe Promotion ofAccess toInform ation Act, orboth. (c) The membe rs,referred toinparagraphs (a) and (b), are,for the purposes ofexercising their powersand per forming their duties and functions, accountable tothe Chairpe rson.
Regul atortohaveregardtocer tain matters
44. (1) Inthe per formance ofitsfunctions,and the exercise ofitspowers,
under this Act the Regul atormu st— (a) havedue regardtothe conditionsfor the lawful processing of personal inform ation asreferred toinChap ter3; (b) havedue regardfor the protection of all human rights and
social intereststhatcomp etewith privacy,including the gene ral desi rability ofafreeflowofinform ation and the recognition ofthe legitim ateinterestsofpublic and privatebodies inachi eving their objecti vesinanefficie ntway; (c) takeaccountofintern ationalobli gationsacce ptedbySouth Afri ca; and (d) consider anydeveloping gene ralintern ationalguidelines relevant tothe better protection ofindividual privacy.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 62
(2) Inper forming itsfunctions interms ofsection 40(1)(b)(ix)(bb) with regard toinform ation matching programmes, the Regul atormu sthaveparticula r regardtowhether ornot the — (a) objectiveof the programme relates toamatter of signi ficant public impor tance; (b) use of the programme toachi evethatobjecti vewill result in mon etarysavings thatareboth signi ficantand qua ntifiable orin other compa rable ben efitstosoci ety; (c) use ofanaltern ativemeans ofachi eving thatobjectivewould give either ofthe results referredtoinparagraph (b); (d) public interestinallowing the programme toproceed out weighs the public interestinadhering tothe conditions for the lawful
processing of personal inform ation thatthe programme would othe rwise contravene; and
(e) programme involves inform ationmatching on ascale thatis excessi ve,having regardto— (i) the number ofresponsible partiesorope ratorsthatwill be involvedinthe programme; and (ii) the amou ntofdetailabout adatasubject thatwill bematched under the programme.
(3) In determining whether the processing of personal inform ation for
exclusi vely journali stic purposes byaresponsible party who is,byvirtu e ofoffice, empl oyme ntorprofession, not subject toacode ofethics as referred toinsection 7(1), constitu tesaninterference with the protectio n ofthe personal inform ation ofthe datasubject interms
ofsection73, the Regul atormu sthaveparticularregardtothe factorsreferred
toinsection 7(3)(a) to(d).
Conflictofinterest
45. (1) Ifanymember of the Regul ator or anyperson appoi nted bythe
Regul atorinterms ofthis Act has amaterial interestinanymatterwhic h could conflictwith the proper per formance ofhis orher duties interms of this Act orthe Promotion ofAccess

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 63
toInform ationAct, heorshe mu stdisclose thatinterest,asprescribed, assoo n aspracti cable afterthe relevantfacts came tohis orher knowled ge.
(2) (a)Ifamember ofthe Regul atororperson referredtoinsubsection (1)— (i) isprese ntatame eting ofthe Regul atororcommit teereferred
toinsection 49 or 50 atwhich amatter contempl ated in thatsubsection istobe conside red, the member or person concerned mu stdisclose the natureofhis orher interestto the me eting beforethe matterisconside red; or (ii) fails toma keadisclosu reasrequi red bythis subsection and isprese ntatame eting of the Regul ator or commit tee, as the case maybe, orinanyother manner particip atesinthe proceedings, such proceedings in relation tothe relevant mattermu st,assoon asthe non-disclosu reisdiscovered, be reviewed and be varied orsetaside bythe Regul atororthe
commit tee, asthe case may be, without the particip ation ofthe member orperson concerned. (b) Amember ofthe Regul atororperson referred toinsubsection (1)
who isobli ged toma keadisclosu reinterms ofthis subsection maynot be prese ntduring anydelibe ration,ortakepart inany decision, inrelationtothe matterinque stion.
(c) Anydisclosu remade interms ofthis subsectionmu stbe noted inthe minu tesofthe relevantme eting ofthe Regul atororcommit tee.
(3)Amember ofthe Regul atororperson referredtoinsubsection(1) who has
disclosed aconflictofinterestinterms ofsubsection (1)— (a) mayper form all dutiesrelatingtothe matterinque stionifa decision has been takenthatthe interestistrivial orirrelevant;or
(b) mu stbe relieved ofall duties relating tothe matterinque stion and such duties mu stbe per formed byanother member ofthe Regul atororbyanother person referred toinsubsection(1), as the case maybe, who has no such conflictofinterest.
Remune ration, allowances, ben efitsand privile gesofmembe rs
46. (1)Amember ofthe Regul atororaperson referredtoinsection49(1)(b) or

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 64
50(1)(b) who isnot subject tothe provisions ofthe Public Service Act , 1994 (Proclam ation No. 103 of1994), orwho isnot ajudgeofthe Hig h Court ofSouth Afri caoramagi stratewill beentitled tosuch remune ration , allowances, including allowances for reimbu rseme ntoftravelling and subsistenc eexpense sincur redbyhimorherintheper formanc eofhisor her functions under this Act and the Promotion ofAccess toInform ation Act, ben efitsand privile ges as the Mini ster inconsul tation with the Mini sterofFinanc emaydetermine .
(2) The remune ration,allowances, ben efitsorprivile gesofdifferentmembe rs
ofthe Regul atormaydifferaccording tothe different— (a) positions held bythem inthe Regul ator; or (b) functions per formed, whether inapar t-timeorfull-timecapacit y, bythem from time totime.
Staff
47. (1) The Regul atormu stestablish itsown admini stration toassi stitinthe
per formance ofitsfunctions and tothis end the Regul atormu stappoi nt, orsecu rethe secondme ntinterms ofsubsection (6) of—
(a) asuitably quali fied and experienced person aschiefexecuti ve officer ofthe Regul atorforthe purpose ofassi sting the Regul ator, subject tothe Regul ator’sdirection and supe rvision, in the per formance ofallfinancial and admini stra- tivefunctions interms of this Act and the Promotion of Access to Inform ation Act, work arising from the admini strationofthis Act and the Promotion of Access toInform ationAct and toexercise anypowerdele gated by the Regul atortohim orher; and (b) such other member ofstaffasthe Regul atormaydeem necessa ry
toassi stthe Regul atorand the chiefexecuti veoffice r,asthe case maybe, with allsuch work asmayarise through the per formance ofitsfunctions.
(2) (a) The chiefexecuti veofficer mayappoi ntasenior member of staff as acting chiefexecuti veofficer toper form the functions of the chief executi veofficer inhis orher absence.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 65
(b) Amember ofthe Regul atormaynot be appoi nted asactingchief executi veoffice r. (c)Inthe eventthatavacancy occu rsinthe office ofthe chiefexecuti ve officer the Regul ator mu stappoi ntan acting chiefexecuti ve office r.
(3) The Regul atormu st,inthe appoi ntme ntofthe staffofthe Regul ator—
(a) provide for the advanceme ntof persons disad vantaged by unfair discrimina- tion, with the aim thatits staff,when viewed collecti vely,represe ntsabroad cross-section ofthe popul ation of
the Republic; and (b) subject toparagraph (a), apply equal opportunity empl oyme nt practices.
(4) The Regul atormaypaytothe persons initsempl oysuch remune ration and allowance sandprovidethe mwithsuc hpensio nandothe rempl oyme nt ben efitsasareconsi stentwith thatpaid inthe public sector.
(5) Inexercising itspowersinterms ofsubsections(1) and (4), the Regul ator mu stconsul twiththeMini sterofFinance .
(6) The Regul atormay,inthe per formance ofthe functions contempl ated in subsection (1), atitsreque st,be assi sted byofficials inthe Public Service seconded tothe service ofthe Regul atorinterms ofanylawregul ating such secondme nt:Provided thatthe secondme ntofan official tothe service ofthe Regul atormaynot exceed 12 mo nths and thatthe initia l perio dofsecondme ntmayonlybeextende donc eforasubseque nt period not exceeding 12mo nths.
(7) The Regul ator may,inconsul tation with the Mini ster ofFinance, on a tempo rarybasis orforaparticular matterwhich isbeing investigated by it,empl oyanyperson with special knowled geofanymatterrelating to the work ofthe Regul ator,orobtain the 30 co-ope ration ofanybod y,to advise orassi stthe Regul atorinthe per formance ofitsfunctions unde r this Act and the Promotion ofAccess toInform ation Act, and fixthe remune ration, including reimbu rseme ntfor travellin g,subsistence and othe rexpenses ,ofsuc hpersonorbod y.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 66
Powers,duties and functions ofchiefexecuti veofficer
48. The chiefexecuti veofficer — (a) isthe head ofadmini strationand the accountingofficer,asreferred toinsection 52(3), ofthe Regul ator;
(b) mayappoi ntasenior member ofstaffasactingchiefexecutive officer asreferredtoinsection 47(2); (c) isresponsible forthe — (i) mana geme ntofthe affairsand ope rations ofthe Regul ator; (ii) form ation and developme ntofanefficie ntadmini stration; (iii) organis ationand mana geme ntof,and admini strativecontrol over,allthe membe rsofstaffappoi nted interms ofsection 47(1)(b) and allthe 45persons seconded interms ofsection 47(6); (iv) mai ntenance ofdiscipline inrespect ofthe membe rsofstaff; and (v) execution ofthe decisions ofthe Regul ator,and isforthose purposes accountable tothe Regul ator and mu streport the reon tothe Regul atorasoften asmaybe requi red bythe Regul ator; and
(d) mu stexercise the powersand per form the dutiesand functions which the Regul atormayfrom timetotimeconferupon orassign tohim orher
inorder toachi evethe objects ofthe Regul ator,and isfor those purposes accountable tothe Regul ator.
Commit tees ofRegul ator
49. (1) The Regul ator may,ifitconside rsitnecessa ryfor the prope r per formance ofits functions establish one ormo recommit tees, whic h
mu stconsi stof— (a) such membe rsofthe Regul atorasthe Regul atormaydesign ate;or
(b) such membe rsofthe Regul atorasthe Regul atormaydesign ate and other persons appoi nted bythe Regul ator,asreferred toin section 47(7), forthe period determined bythe Regul ator.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 67
(2) The Regul ator mayatanytime extend the period of an appoi ntme nt referred toin subsection (1)(b) or,ifinits opinion good reasons exist the refor,revokeanysuc happoi ntme nt.
(3) The Regul atormu stdesign atethe chairpe rson and, ifthe Regul atordeem s itnecessa ry,the vice-chairpe rson of acommit tee established unde r subsection (1).
(4) (a) Acommitteereferredtoinsubsection (1) mu st,subject tothe direction s ofthe Regul ator,per form those functions ofthe Regul atorassigned toit bythe Regul ator. (b) Anyfunction so per formed byacommit tee referred toin subsection (1) will be deemed tohavebeen per formed bythe Regul ator.
(5) The Regul atormayatanytime dissol veanycommit teeestablished bythe Regul ator.
(6) The provisions ofsections40(4) and 51 will appl y,with the necessa ry chan ges, toacommit teeofthe Regul ator.
Establishme ntofEnforceme ntCommit tee
50. (1) The Regul atormu stestablish anEnforceme ntCommitteewhich mu st consi stof— (a) atleastone member ofthe Regul ator; and (b) such other persons appoi nted bythe Regul ator,asreferred toin section 47(7), forthe period determined bythe Regul ator.
(2) The Regul atormu st— (a) inconsul tationwith theChi efJusticeand Mini ster,appoi nta—
(i) jud geofthe High Court ofSouth Afri ca,whether inactive
service ornot; or (ii) magi stratewith atleast10 years’app ropri ateexperience,
whether inacti veservice ornot; or (b) appoi ntanadvocateorattorn eywith atleast10years’app ropri ate experience, asChairpe rson ofthe Enforceme ntCommittee.
(3) The Chairpe rson ofthe Enforceme ntCommitteemu stmana gethe work ofand preside athearings ofthe Enforceme ntCommit tee.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 68
(4) (a) Amember referred toinsubsection (1)(a) maynot particip ate in anyproceedings of the Regul ator in terms of which adecision is taken with regardtoa recommend ation bythe Enforceme ntCommit tee asreferred toinsection 93. (b) Aperson referred toinsubsection(1)(b) mu stbe afitand proper person and mu stcomply with the criteria, referred toinsection 41(1) (g),forappoi ntme ntasamember ofthe Regul ator.
Me etings ofRegul ator
51. (1) Me etingsofthe Regul ator mu stbe held atthe timesand place s determined bythe Chairpe rson ofthe Regul ator.
(2) Threemembe rsofthe Regul atorconstitu teaquorum forame eting.
(3) (a)The Chairpe rson mayregul atethe proceedings atme etingsasheorshe
maythink fitand mu stkeep minu tesofthe proceedings. (b) Ifthe Chairpe rson isabsentfrom ame etingthe membe rsprese nt shall elect one oftheir number topreside atthatme eting.
(4) (a) Subject tosubsection (2), adecision of the Regul ator istaken by resolution agreed tobythe majority ofmembe rsatanyme eting ofthe Regul ator.
(b) In the eventof an equality of votes regarding anymatter the Chairpe rson has acasting voteinaddition tohis orher delibe rative vote.
Funds
52. (1) Funds ofthe Regul atorconsi stof— (a) such sums ofmon eythatParliame ntapp ropri atesannuall y,forthe use ofthe Regul atorasmaybe necessa ryforthe proper exercise, per formance and discha rge,bythe Regul ator,ofitspowers,duties and functions under this Actand the Promotion of Access to Inform ation Act; and (b) fees asmaybeprescribed interms ofsection 111(1).
(2) The financial year ofthe Regul atoristhe period from 1April inanyyear to 31Ma rchinthe following year,exceptthatthe firstfinancial year ofthe

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 69
Regul atorbegins on the datethatthis Cha ptercomes intoope ration,and ends on31Ma rchnextfollowing thatdate.
(3) The chiefexecuti veofficer ofthe Regul atorisforpurposes ofthe Publi c
Finance Mana geme ntAct, 1999 (Act No. 1of1999), the accounting office r and mu stexecu tehis orher duties inaccordance with thatAct.
(4) Within sixmo nths afterthe end ofeach financial year,the Regul atormu st prepa refinancial stat eme ntsinaccordance with established accounting practice, principles and 20procedu res, comprising — (a) astateme ntreflectin g,with suitable and sufficie ntparticula rs,the income and expenditu reof the Regul ator during the preceding financial year; and
(b) abalance she etshowing the stateofits ass ets, liabilitiesand financial position asatthe end ofthatfinancial year.
(5) The Audi tor-Gene ralmu staudit the Regul ator’sfinancial recordseach year.
Protection ofRegul ator
53. Anyperson acting on behalf orunder the direction ofthe Regul ator,isnot civilly orcriminally liable foranything done ingood faith inthe exercise or per formanc eorpurpor tedexerciseorper formanc eofanypower,dut yor function ofthe Regul atorin terms ofthis Act orthe Promotion ofAcces s toInform ation Act.
Duty ofconfidentiality
54. Aperson acting on behalf orunder the direction ofthe Regul ator,mu st, both during or after his or her term of office or empl oyme nt,treat
as confidential the personal inform ation which comes tohis or her knowled geinthe courseofthe per formance ofhis 35 orher officia l duties, exceptifthe communi cation ofsuch inform ation isrequi redbylaw orinthe proper per formance ofhis orher duties.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 70
Part BInformation Officer
Duties and responsibilities ofInform ation Officer
55. (1) An inform ation office r’sresponsibilities include — (a) the encourageme ntofcompliance, bythe bod y,with the conditions forthe lawful processing ofpersonal inform ation; (b) dealing with reque stsmade tothe body pursua nttothis Act; (c) working with the Regul atorinrelationtoinvestigationsconduc ted pursua nttoChap ter6inrelation tothe body; (d) othe rwise ensuring compliance bythe body with the provisions ofthis Act; and (e) asmaybeprescribed.
(2) Officersmu sttakeup their dutiesinterms ofthis Act only afterthe responsible party has registeredthem with the Regul ator. 5
Design ation and dele gation ofdeputy inform ation officers
56. Eachpubli candprivatebod ymu stmakeprovision ,inthemanne r prescribed insection 17 ofthe Promotion ofAccess toInform ation Act , with the necessa rychan ges, forthe design ation of— (a) such anumber ofpersons, ifany,asdeputy inform ation office rsas isnecessa ry 10 toper form the duties and responsibilities asset out insection 55(1) ofthis Act; and (b) anypowerorduty conferred orimposed on an inform ation officer bythis Act toadeputy inform ation officer ofthatpublic orprivate bod y.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,201 3 71
CHAPTER 6
PRIOR AUTHORISATION

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 72
CHAPTER 6 PRIOR AUTHORISATION Prior authorisation
Processing subject toprior authoris ation
57. (1) The responsible party mu stobtain prior authoris ation from the Regul ator,interms ofsection58, prior toanyprocessing ifthatresponsibl e
part yplan sto— (a) process anyunique ide ntifiersofdatasubjects — (i) forapurpose other than the one forwhich the identifierwas speci fically intended atcollection; and (ii) with the aim of linking the inform ationtogether with inform ation processed byother responsible parties; (b) process inform ationon criminal beh aviour or on unl awful or objectionable conduct on behalf ofthirdparties; (c) process inform ation forthe purposes ofcredit reporting; or (d) transferspecial personal inform ation,asreferred toinsection26, orthe personal inform ationofchild ren asreferred toinsection 34, toathirdparty in aforeign countrythatdoes not provide an adequ atelevelof protection for the processing of personal inform ation asreferred toinsection 72.
(2) The provisions of subsection (1) maybe applied bythe Regul ator to other types of inform ation processing bylaw or regul ation ifsuc h processing carries aparticular risk forthe legitim ateinterestsofthe data subject.
(3) This section and section 58arenot appli cable ifacode ofconduct has bee n issuedand has come intoforceinterms ofCha pter7inaspeci ficsec toror sectorsofsoci ety.
(4) Aresponsible party mu stobtain prior authoris ation as referred toin subsection (1) only once and not each time thatpersonal inform ation isrecei ved or processed, exceptwhe rethe processing departs from thatwhic hhasbee nauthorise dinaccordanc ewith theprovision sof subsection (1).

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 73
Responsible party tonoti fyRegul ator ifprocessing issubject toprior authoris ation
58. (1) Inform ationprocessing as contempl ated insection57(1) mu stbe noti fiedassuch bythe responsible party tothe Regul ator.
(2) Responsible parties maynot carryout inform ation processing that has been noti fied tothe Regul atorinterms ofsubsection (1) untilthe Regul ator has compl eted its investigation or untiltheyhaverecei ved notice thatamo redetailed investigation will not beconduc ted.
(3) Inthe case ofthe notificationofinform ationprocessing towhich section
57(1) isappli cable, the Regul ator mu stinform the responsible party in writing within four weeksofthe noti fication astowhether ornot itwill conduct amo redetailed investigation.
(4) Inthe eventthatthe Regul ator decides toconduct amo redetaile d investigation, itmu stindi catethe period within which itplans toconduc t
this investigation, which period mu stnot exceed 13weeks.
(5) On conclusion ofthe mo redetailed investigation referredtoinsubsectio n (4) the Regul atormu stissue astat eme ntconcerning the lawfulness ofthe inform ation processing.
(6) Astat eme ntbythe Regul atorinterms ofsubsection (5), tothe extentthat
the inform ation processing isnot lawful, isdeemed tobeanenforceme nt notice servedinterms ofsection 95ofthis Act.
(7) Aresponsible party thathas suspended its processing as requi red by subsection (2), and which has not recei ved the Regul ator’sdecisio n within the time limits speci fied insubsections (3) and (4), maypresume a decision initsfavour and continue with its processing.
Failu retonoti fyprocessing subject toprior authoris ation
59. Ifsection58(1) or(2) iscontravened, the responsible party isguilty ofan offence and liable toapenalty assetout insection 107.

Act No. 4of2013
74 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 7
CODESOF CONDUCT

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 75
CHAPTER 7 COD ESOF CONDU CT
Issuing ofcodes ofconduct
60. (1)The Regul atormayfrom timetotimeissue codes ofconduct. (2)Acode ofconduc tmu st— (a) incorpo rateallthe conditions forthe lawful processing ofpersonal inform ation or setout obli gations thatprovide afunctional
equi valentofallthe obli gations setout inthose conditions; and (b) prescribe howthe conditions forthe lawful processing ofpersonal informa- tion aretobe applied, oraretobe complied with, given the particular features ofthe sec tororsec torsofsoci etyinwhich the relevantresponsible parties areope rating.
(3)Acode ofconduct mayapply inrelation toanyone ormo reofthe following: (a) Anyspeci fied inform ation orclass ofinform ation; (b) anyspeci fiedbody orclass ofbodies; (c) anyspeci fiedactivity orclass ofactivities; or (d) anyspeci fied indu stry,profession, or vocationor class of indu stries, professions, orvocations.
(4)Acodeofconduc tmu stalso — (a) speci fyapp ropri atemeasu res— (i) for inform ationmatching programmes ifsuch programmes areused within aspeci ficsec tor; or (ii) for protecting the legitim ateinterests of datasubjects inso far as autom ated decision makin g,as referred toin section 71, isconcerned; (b) provide forthe reviewofthe code bythe Regul ator; and (c) provide forthe expiryofthe code.
Process forissuing codes ofconduct
61. (1) The Regul atormayissue acode ofconduct under section 60— (a) on the Regul ator’sown initiative, but after consul tationwith affectedstakeholde rsorabody represe nting such stakeholde rs;or

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 76
(b) on the appli cation, inthe prescribed form, byabody which is, in the opinion of the Regul ator,sufficie ntly represe ntativeof anyclass ofbodies, orofanyindu stry,profession, orvocation as defined inthe code inrespect ofsuch class ofbodies or ofany such indu stry,profession orvocation.
(2) The Regul atormu stgivenotice inthe Gazettethatthe issuing ofacode
ofconduct isbeing conside red, which notice mu stcontain astat eme nt that—
(a) the details ofthe code ofconduct being conside red, including a draftofthe proposed code, maybe obtained from the Regul ator; and (b) submissions on the proposed code maybe made inwriting tothe Regul atorwithin such period asisspeci fiedinthe notice.
(3) The Regul atormaynot issue acode ofconduct unless ithas conside redthe submissions made tothe Regul atorinterms ofsubsection (2)(b), ifany, and issatisfiedthatallpersons affectedbythe proposed code havehad a
reasonabl eopportunit ytobehea rd.
(4) The decision astowhether an appli cation forthe issuing ofacode has bee nsucces sfulmu stbemad ewithi nareasonabl eperio dwhic hmu stnot excee d13weeks.
Noti fication, availability and commenceme ntofcode ofconduct
62. (1) Ifacode ofconduct isissued under section60 the Regul atormu st ensu rethat— (a) the reispublished inthe Gazette,assoon asreasonably practicable afterthe code isissued, anotice indi cating —
(i) thatthe code has been issued; and (ii) whe recopies ofthe code areavailable forinspectionfree of cha rgeand forpurchase; and
(b) as long as the code remains in force, copies of itare available — (i) on the Regul ator’swebsite; (ii) forinspection bymembe rsofthe public freeofcha rgeatthe Regul ator’soffices; and

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 77
(iii) for purchase or copying bymembe rsof the public ata reasonable price atthe Regul ator’soffices. (2) Acode ofconduct issued under section 60 comes intoforce on the 28th dayafterthe dateofitsnoti fication inthe Gazette oron such laterdateasmaybe speci fied inthe code and is binding on everyclass orclasses ofbod y,indu stry,profession orvocation referredtothe rein.
Procedu refordealing with complai nts
63. (1) Acode ofconduct mayprescribe procedu resformaking and dealin g with complai ntsalleging abreach ofthe code, but no such provision may limit orrestrict anyprovision ofCha pter10.
(2) Ifthe code setsout procedu resformaking and dealing with complai nts, the Regul atormu stbesatisfiedthat— (a) the procedu resme etthe — (i) prescribed standa rds; and (ii) guidelines issued bythe Regul ator interms ofsection65, relating tothe making ofand dealing with complai nts; (b) the code provides for the appoi ntme ntof an independe nt adjudi catortowhom complai ntsmaybemade; (c) the code provides that,in exercising his or her powersand
per forming his or her functions, under the code, an adjudi cator forthe code mu sthavedue regardtothe matterslisted insection 44;
(d) the code requi resthe adjudi catortoprepa reand submit areport, inaform satisfactorytothe Regul ator,tothe Regul atorwithin fivemo nths ofthe end of afinancial year ofthe Regul atoron the ope ration ofthe code during thatfinancial year; and (e) the code requi resthe report prepa red foreach year tospeci fythe number and natureofcomplai ntsmade toan adjudi catorunder the code during the relevantfinancial year.
(3) Aresponsible party ordatasubject who isaggrieved byadetermin ation ,
including anydecla ration, order or direction thatisincluded in the determin ation, made byan adjudi cator after having investigated a complai ntrelatingtothe protectionofpersonal inform ationunder an

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 78
app roved code ofconduct, maysubmit acomplai ntinterms ofsection 74(2) with the Regul atoragainstthe determin ationupon payme ntofa prescribe dfee.
(4) The adjudi cator’sdetermin ation continues tohaveeffect unless and until
the Regul atormakes adetermin ation under Cha pter10 relating tothe complai ntorunless the Regul atordetermines othe rwise .
Amendme ntand revocation ofcodes ofconduct
64. (1) The Regul atormayamend orrevokeacode ofconduct issued unde r section 60.
(2) The provisions ofsections60to63apply inrespect ofanyamendme ntor revocation ofacode ofconduct.
Guidelines about codes ofconduct
65. (1) The Regul atormayprovide writ tenguideline s—
(a) toassi stbodies todevelop codes ofconduct ortoapply app roved codes ofconduct; (b) relatingtomaking and dealing with complai ntsunder app roved
codes ofconduct; and (c) about mattersthe Regul ator mayconsider indeciding whether toapp roveacode ofconduct oravariation or revocation ofan app roved code ofconduct.
(2) The Regul atormu sthaveregardtothe guidelines assetout insection 7(3) (a) to(d) when considering the app rovalofacode ofconduct forthe processing ofpersonal inform ation for exclusi vely journali stic purpose s whe rethe responsible party isnot subject toacode ofethics asreferred
toinsection 7(1).
(3) Beforeproviding guidelines for the purposes of subsection (1)(b), the Regul ator mu stgiveeveryone the Regul ator conside rshas areal and substantial legitim ateinterestinthe matterscovered bythe propose d guidelines anopportunity tocomme ntonthem.
(4) The Regul atormu stpublish guidelines provided under subsection(1) in the Gazette.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 79
Registerofapp rovedcodes ofconduct
66. (1) The Regul atormu stkeep aregisterofapp rovedcodes ofconduct.
(2) The Regul atormaydecide the form ofthe registerand howitistobekept.
(3) The Regul atormu stmakethe registeravailable tothe public inthe way thatthe Regul atordetermines.
(4) The Regul atormaycha rgereasonable fees for— (a) making the registeravailable tothe public; or (b) providing copies of,orextracts from, the register.
Reviewofope ration ofapp roved code ofconduct
67. (1) The Regul atormay,on itsown initiative,reviewthe ope rationofan app rovedcodeofconduct.
(2) The Regul atormaydoone ormo reofthe following forthe purposes ofthe review: (a) Consider the process under the code formaking and dealing with complai nts; (b) inspect the recordsofanadjudi catorforthe code; (c) consider the outcome ofcomplai ntsdealt with under the code;
(d) interviewanadjudi catorforthe code; and (e) appoi ntexperts toreviewthose provisions ofthe code thatthe Regul atorbeli evesrequi reexpert evaluation.
(3) The reviewmayinform adecision bythe Regul atorunder section 64 to revokethe app rovedcode ofconduct with immedi ateeffect oratafutu re datetobedetermined bythe Regul ator.
Effect offailu retocomply with code ofconduct
68. Ifacode issued under section 60 isinforce, failu retocomply with the code isdeemed tobe abreach of the conditions for the lawfu l processing of personal inform ation referred toinCha pter3and isdeal t with interms ofCha pter10.

Act No. 4of2013
80 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 8
RIGHTSOF DATA SUBJECTS
REGARDING DIRECT M ARKETING
BYMEANSOF UNSOLICITED
ELECTRONIC COM M UNICATIONS,
DIRECTORIESAND AUTOM ATED
DECISION M AKING

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 81
CHAPTER 8 RIGH TSOF DATASUBJ ECTSREGARDING DIR ECTMARKETING BYMEANS OF UNSOLICITED ELECTRONIC COMMUNIC ATIONS, DIR ECTORI ESAND AUTOM ATED DECISION MAKING
Direct mar keting bymeans ofunsolici tedelect ronic communi cations
69. (1) The processing ofpersonal inform ation ofadatasubject forthe purpos e ofdirect mar keting bymeans ofanyform ofelect ronic communi cation , including autom aticcalling machines, facsimile machines, SMSs ore-mai l isprohibi tedunless the datasubject — (a) has given his, her oritsconse nttothe processing; or (b) is,subject tosubsection (3), acustomer ofthe responsible part y.
(2) (a)Aresponsible party mayapp roach adatasubject — (i) whose conse ntisrequi redinterms ofsubsection (1)(a);and
(ii) who has not previously withheld such conse nt, only once inorder toreque stthe conse ntofthatdatasubject. (b) The datasubjec t’sconse ntmu stbe reque sted inthe prescribed manner and form.
(3) Aresponsible party mayonly process the personal inform ation of a datasubjec twho isacustomer ofthe responsible party interms of
subsection (1)(b)— (a) ifthe responsible party has obtained the contact details ofthe datasubject inthe contextofthe sale ofaproduct orservice; (b) forthe purpose ofdirect mar ketingofthe responsible part y’sown similar products orservices; and (c) ifthe datasubject has been given areasonable opportunity toobject, free of cha rgeand inamanner free ofunnecessa ry formalit y,tosuch use ofhis, her oritselect ronic details — (i) atthe time when the inform ation wascollec ted; and (ii) on the occasion ofeach communi cation with the datasubject for the purpose of mar keting ifthe datasubject has not
initiallyrefused such use.
(4) Anycommuni cation forthe purpose ofdirect mar keting mu stcontain— (a) details ofthe identityofthe sender orthe person onwhose behalf the communi cation has been sent;and

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 82
(b) an add ress orother contact details towhich the recipie ntmay send areque stthatsuch communi cations cease. (5) ‘‘Automaticcalling machine ’’,forpurposes ofsubsection(1), means amachine thatisable todo autom ated calls without human intervention.
Directories
70. (1) Adatasubject who isasubscriber toaprintedorelect ronic directoryof subscribe rsavailable tothe public orobtainable through directoryenqui ry services, in which his, her orits personal inform ation isincluded, mu st be informed, freeofcha rgeand beforethe inform ation isincluded inthe directory— (a) about the purpose ofthe directory;and
(b) about anyfurther uses towhich the directorymaypossibly be put, based on sea rchfunctions embedded inelect ronic versions ofthe directory.
(2) Adatasubject mu stbe given areasonable opportunity toobject, freeof cha rgeand inamanner freeofunnecessa ryformalit y,tosuch use ofhis, her oritspersonal inform ation ortoreque stverification, confirmation or withd rawalofsuch inform ation if 5the datasubject has not initially refused such use.
(3) Subsections (1) and (2) do not apply toeditions ofdirectories thatwere produced inprintedoroff-lineelect ronic form prior tothe commenceme nt ofthis section.
(4) Ifthe personal inform ation of datasubjects who aresubscribe rsto fixed or mobile public voice telepho nyservices havebeen included in
apublic subscriber directoryinconformity with the conditions for the lawful processing ofpersonal inform ation prior tothe commenceme nt ofthis section, the personal inform ation ofsuch subscribe rsmayremai n included inthis public directoryinitsprinted orelect ronic versions, after having recei vedthe inform ation requi redbysubsection (1).
(5) ‘‘Subscribe r’’,for purposes of this section, means anyperson who is part ytoacontractwiththeprovide rofpublicl yavailabl eelect ronic communi cations services forthe supply ofsuch services.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 83
Autom ateddecision making
71. (1) Subject tosubsection(2), adatasubject maynot besubject toadecisio n which results inlegalconsequences forhim, her orit,orwhich affects him ,
her orittoa20substantial deg ree, which isbased solely on the basis of the autom ated processing ofpersonal inform ation intended toprovide a profileofsuch person including his orher per formance atwork, orhis, her oritscredit worthiness, reliabilit y,location, health, personal preference s orconduct. (2) The provisions ofsubsection (1) do not apply ifthe decision — (a) has been taken inconnectionwith the conclusion orexecutionof acontract, and — (i) the reque stofthe datasubject interms ofthe contract has been met;or (ii) app ropri atemeasu reshavebeen taken toprotect the data subjec t’slegitim ateinterests;or (b) isgoverned byalaworcode ofconduct inwhich app ropri ate measu res arespeci fied for protecting the legitim ateinterestsof datasubjects.
(3) The app ropri atemeasu res, referredtoinsubsection (2)(a)(ii), mu st— (a) provide anopportunity foradatasubject toma kereprese ntations about adecision referredtoinsubsection (1); and
(b) requi rearesponsible party toprovide adatasubject with sufficie ntinform ation about the underlying logic ofthe autom ated processing ofthe inform ation relating tohim orher toenable him orher toma kereprese ntations interms ofparagraph (a).

Act No. 4of2013
84 Protectio nOfPersona lInform ationAct ,2013
CHAPTER 9
TRANSBORDER
INFORM ATION FLOW S

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 85
CHAPTER 9 TRANSBORDER INFORM ATION FLOWS
Transfersofpersonal inform ation outside Republic
72. (1) Aresponsible party in the Republic maynot transfer persona l inform ation about adatasubject toathirdparty who isinaforeign countryunless —
(a) the thirdparty who isthe recipie ntofthe inform ation issubject to alaw,binding corpo raterules orbinding agreeme ntwhich provide anadequ atelevelofprotection that— (i) effecti vely upholds principles for reasonable processing of the informa- tion thatare substantially similar to the conditions for the lawful processing ofpersonal inform ation relating toadatasubject who isa 50 naturalperson and, whe reappli cable, ajuri sticperson; and (ii) includes provisions, thataresubstantiallysimilar tothis section, relating tothe further transferofpersonal inform ation from the recipie nttothirdparties who areinaforeign country; (b) the datasubject conse ntstothe transfer; (c) the transfer is necessa ryfor the per formance of acontract between the datasubject and the responsible part y,or for the
impleme ntation ofpre-contractual measu restaken inresponse to the datasubjec t’sreque st; (d) the transferisnecessa ryforthe conclusion orper formance ofa contract concluded inthe interestofthe datasubject between the responsible party and athirdparty; or (e) the transferisforthe ben efitofthe datasubject, and — (i) itisnot reasonably practicable toobtain the conse ntofthe datasubject tothattransfer; and (ii) ifitwerereasonably practicable toobtain such conse nt,the datasubject would belikely togiveit.
(2)Forthe purpose ofthis section — (a) ‘‘binding corpo raterules ’’means personal inform ationprocessing
policies, within agroup ofunder takings, which areadhe redtobya

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 86
responsible party orope rator within thatgroup of under takings when transferring personal inform ation toaresponsible party or ope rator within thatsame group of 20 under takings ina foreign country;and (b) ‘‘group ofunder takings ’’means acontrolling under taking and its controlled under takings.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,201 3 87
CHAPTER 10
ENFORCEM ENT

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 88
CHAPTER 10 ENFORCEMENT
Interference with protection ofpersonal inform ation ofdatasubject
73. Forthe purposes ofthis Cha pter,interference with the protection ofthe personal inform ation ofadatasubject consi sts, inrelation tothatdata subject, of—
(a) anybreach ofthe conditionsforthe lawful processing ofpersonal inform ation asreferredtoinChap ter3; (b) non- compliance with section 22, 54, 69, 70, 71or72; or (c) abreach ofthe provisions ofacode ofconduct issued interms of section 60.
Complai nts
74. (1) Anyperson maysubmit acomplai nttothe Regul atorinthe prescribe d manner and form alleging interference with the protection ofthe persona l inform ation ofadatasubject.
(2) Aresponsible party ordatasubject may,interms ofsection 63(3), submi t acomplai nttothe Regul atorinthe prescribed manner and form ifhe, she oritisaggrievedbythe determin ation ofanadjudi cator.
Mode ofcomplai ntstoRegul ator
75. (1) Acomplai nttothe Regul atormu stbemade inwriting.
(2) The Regul atormu stgivesuch reasonable assi stance asisnecessa ryinthe circum stance stoenabl eaperson ,whowishe stomakeacomplai nttothe Regul ator,toput the complai ntinwriting. Action on recei ptofcomplai nt
76. (1) On receiving acomplai ntinterms ofsection 74, the Regul atormay— (a) conduct apre-investigation asreferredtoinsection 79; (b) act, atanytime during the investigation and whe reapp ropri ate, as concili ator inrelation toanyinterference with the protection of the personal inform ation of adatasubject inthe prescribed
manner;

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 89
(c) decide, inaccordance with section 77, totakeno action on the complai ntor,as the case maybe, requi reno further action in respect ofthe complai nt; (d) conduct afull investigation ofthe complai nt; (e) referthe complai nt,interms ofsection 92, tothe Enforceme nt Commit tee; or (f)takesuch further action asiscontempl ated bythis Chap ter.
(2) The Regul ator mu st,as soon as isreasonably practi cable, advise the complaina ntandtheresponsibl epart ytowho mthecomplai ntrelates ofthe course ofaction thatthe Regul ator proposes toado ptunde r subsection (1).
(3) The Regul atormay,on its own initi ative,commence an investigation into the interference with the protection ofthe personal inform ation ofadata subject asreferredtoinsection 73.
Regul atormaydecide totakeno action on complai nt
77. (1)The Regul ator,afterinvestigating acomplai ntrecei ved interms of section 73, maydecide totakenoaction or,asthe case maybe, requi reno further action inrespect ofthe complai ntif,inthe Regul ator’sopinion — (a) the len gthoftimethathas elapsed between the datewhen the subject matter of the complai ntarose and the datewhen the complai ntwasmade issuch thatan investigation ofthe complai nt isno lon gerpracti cable ordesi rable;
(b) the subject matterofthe complai ntistrivial; (c) the complai ntisfrivolous orvexatious orisnot made ingood faith; (d) the complaina ntdoes not desi rethatactionbe taken or,asthe
case maybe, continued; (e) the complaina ntdoes not haveasufficientpersonal interestinthe subject matterofthe complai nt;or (f) incases whe rethe complai ntrelates toamatterinrespect of which acode ofconduct isinforceand the code ofconduct ma kes provision foracomplai ntsprocedu re,the complaina nthas failed topursue, or topursue full y,an avenue of redress available under thatcomplai nts procedu rethatitwould be reasonable forthe complaina nttopursue.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 90
(2) Notwith standing anything insubsection (1), the Regul ator mayinits disc retion decide not totakeanyfurther action on acomplai ntif,inthe courseofthe investigation ofthe complai nt,itappea rstothe Regul ator that,having regardtoallthe circum stances ofthe case, anyfurther actio n isunnecessa ryorinapp ropri ate.
(3) Inanycase whe rethe Regul atordecides totakeno action, orno furthe r
action, on acomplai nt,the Regul atormu stinform the complaina ntofthat decisio nandthereason sforit.
Referralofcomplai nttoregul atorybody
78. (1) If,on receiving acomplai ntinterms of section 74, the Regul ator conside rsthatthe complai ntrelates, inwhole or inpart, toamatter thatismo reproperly within the jurisdiction ofanother regul atorybod y established interms ofanylaw,the Regul atormu stforthwith determin e whethe rthecomplai ntshoul dbedeal twith ,inwhol eorinpart ,under this Act afterconsul tationwith the body concerned.
(2) Ifthe Regul atordetermines thatthe complai ntshould be dealt with by
another bod y,the Regul atormu stforthwith referthe complai nttothat body tobedealt with accordingly and mu stnoti fythe complaina ntofthe referral.
Pre-investigation proceedings ofRegul ator
79. Beforeproceeding toinvestigateanymatterinterms ofthis Cha pter, the Regul atormu st,inthe prescribed manne r,inform — (a) the complaina nt,the datasubject towhom the investigation relates (if not the complaina nt)and anyperson alle ged tobe aggrieved (ifnot the complaina nt),ofthe Regul ator’sintention to conduct the investigation; and (b) the responsible party towhom the investigation relatesofthe — (i) details ofthe complai ntor,asthe case maybe, the subject
matterofthe investigation; and (ii) rightof thatresponsible party tosubmit tothe Regul ator, within areasonable period, awrit ten response inrelation to
the complai ntor,as the case maybe, the subjec t-matterof the investigation.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 91
Settlementofcomplai nts 10
80. Ifitappea rsfrom acomplai nt,oranywrit tenresponse made inrelation toacomplai ntunder section 79(b)(ii), thatitmaybepossible tosecu re—
(a) asettleme ntbetween anyofthe parties concerned; and (b) ifapp ropri ate,asatisfactoryassu rance againstthe repetition of anyaction thatisthe subject matterofthe complai ntorthe doing offurther actions ofasimilar kind bythe person concerned, the Regul atormay,without investigating the complai ntor,asthe case maybe, investigating the complai ntfurthe r,in the prescribed manne r,use its bestende avourstosecu resuch asettleme ntand assu rance.
Investigation proceedings ofRegul ator
81. Forthe purposes ofthe investigation ofacomplai nttheRegul atormay— (a) summon and enforce the appea rance of persons beforethe
Regul ator and compel them togiveoralor writ ten evidence on oath and toproduce anyrecords and things thatthe Regul ator conside rsnecessa rytoinvestigatethe complai nt,in the same
manner and tothe same extentasthe High Court; (b) admini steroaths; (c) recei veand acce ptanyevidence and other inform ation, whether on oath, byaffid avit or othe rwise, thatthe Regul ator sees fit, whether ornot itisorwould beadmissible inacourt oflaw; (d) atanyreasonable time,subject tosection81, enterand sea rchany premises occupied byaresponsible party; (e) conduct aprivateinterviewwith anyperson inanypremises enteredunder section 84subject tosection 82; and (f)othe rwise carryout inthose premises anyinquiries thatthe Regul atorsees fitinterms ofsection 82.
Issue ofwarrants
82. (1) Ajudgeofthe High Court, aregional magi strateoramagi strate,if satisfied byinform ation on oathsupplied bythe Regul atorthatthe reare reasonable grounds forsuspecting that—

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 92
(a) aresponsible party isinterfering with the protectionof the personal inform ation ofadatasubject; or (b) anoffence under this Act has been orisbeing commit ted, and thatevidence ofthe contravention or ofthe commission ofthe offenceistobefound on anypremises speci fiedinthe inform ation, thatarewithin the jurisdiction ofthatjud geormagi strate,may, subject tosubsection (2), grantawarranttoenterand sea rchsuch premises.
(2) Awarrantissued under subsection (1) authorises anyofthe Regul ator’s
membe rsor staffmembe rs,subject tosection 84, atanytime withi n seven daysofthe dateofthe warranttoenterthe premises asidentified inthewarrant,tosea rchthem ,toinspect ,examine ,ope rateandtestany equipme ntfoun dthe rewhic hisuse dorintende dtobe use dforthe processing ofpersonal inform ation and toinspect and seizeanyrecord, othe rmateria lorequipme ntfoun dthe rewhic hmaybesuc hevidenc eas isme ntioned inthatsubsection.
Requi reme ntsforissuing ofwarrant
83. (1)Ajudgeormagi stratemu stnot issue awarrantunder section82unles s satisfiedthat— (a) the Regul ator has given seven days’notice inwriting tothe
occupier of the premises inque stion demanding access tothe premises; (b) either —
(i) access was demanded atareasonable hour and was unreasonably refused; or (ii) although entrytothe premises was granted, the occupier unreasonably refused tocomply with areque stbyanyofthe Regul ator’smembe rsorstafftopermit the membe rsor the membe rsofstafftodo anyofthe things referredtoinsection 82(2); and (c) thatthe occupie r,has, after the refusal, been noti fied bythe Regul ator of the appli cation for the warrantand has had an opportunity ofbeing hea rdon the que stion whether the warrant should beissued.

Act No. 4of2013
Protectio nOfPersona lInform ationAct ,2013 93
(2) Subsection (1) does not apply ifthe judgeormagi strateissatisfied that the case isone ofurgency orthatc