Consent plays a vital role in the motivation for processing of personal information of a data subject in terms of the Protection of Personal Information Act (hereinafter referred to as the POPI Act). In this article, we will touch on the significance of consent being provided by a data subject when their personal information is being processed:
In terms of Section 11 of the POPI Act, the personal information of a data subject may only be processed in minimal circumstances. One of the specific situations relates to the consent of a data subject being obtained. In this regard, it provides a general justification for the processing of personal information, which can be used if none of the other specific motivations is not applicable.
Consent also plays a role as a significant justification relating to another Section of the POPI Act, for instance:
Section 14 of the Act relates to the time period records may be held by a company. This Section provides that a record containing personal information of a data subject may be held for an indefinite period of time by a responsible person if consent for keeping such record for an unlimited time period has been provided.
Section 15 of the Act states that personal information may not be used for a secondary purpose that doesn’t relate to the original purpose. For instance, if the personal information had been given to enter into an agreement, it may not be used for marketing at a later time period unless the two purposes of processing the personal information relates to each other. Consent in this regard yet again place a pivotal role as it is listed as one of the specific situations where personal information may be processed for a purpose that doesn’t relate to the original purpose. For instance, if personal information is requested to enter into an agreement and the company endeavour to use such personal information for marketing purposes later the responsible person may use such personal information for such a different purpose (marketing) if consent had been provided by the data subject.
Section 18 of the Act provides that upon requesting personal information from a data subject, a responsible person should ensure that certain important personal information is reasonably within the data subjects knowledge for instance the purpose of collecting the personal information, the consequences if not providing the personal information, etc. This requirement doesn’t have to be complied with if consent had been provided for in the circumstances.
Section 69 of the Act provides that a person may only be contacted regarding direct marketing if it is an existing client of the business who is requested to enter into a similar agreement or a new client. The client has given consent in the circumstances. Unless a responsible person either have consented that they may contact a data subject, or it relates to a similar agreement entered into with the data subject previously, they may not contact a data subject
Practically it is important that consent must always be provided in writing so that proof of consent can be shown. The consent provided can also be withdrawn at any time.
We would suggest that a responsible person should prepare a consent form, which should be signed by a data subject in the event that they anticipate using the personal information of a data subject at a later time for direct marketing (clients), human resources (employees) or any other secondary purpose.
Should you require more information or assistance, please contact your SEESA Consumer Protection and POPI legal advisor, alternatively, “SMS” the word “SEESA” to 45776 and we will contact you.
About the Author:
Jano Fourie started his career at SEESA in 2011 and is currently a Consumer Protection & POPI Legal Advisor at SEESA’s Pretoria office. He obtained his BA Law and LLB degrees from the University of Stellenbosch. He also obtained a Masters Degree in Tax Law from UNISA.
Resources:
The Protection of Personal Information Act 4 of 2013