Page 42 - Q&A
Consent in terms of POPIA – is it ‘yes till death do us part’?
May 2020
“I understand that POPIA requires me to give consent for the use of my personal
information and that a business cannot use my information without such
permission. Although I am in favour of this approach, I was just wondering if I
will now have to give consent every time or will I be asked to give consent once,
but then it stays in place for ever? I don’t want to be bombarded with requests
but at the same time I don’t want to be held to a consent I can hardly even
remember giving. How is this going to work?”
The rule of thumb is that the Protection of Personal Information Act 4 of 2013
(“POPIA”) requires that responsible parties, namely the business or entity
handling your personal information, must lawfully process your personal
information, which can most easily be done with the consent of a data subject
to whom the personal information relates.
Giving consent every time someone needs to use your personal information
can seem like a massive undertaking, especially when you consider the
broad definition of everything that could potentially constitute “personal
information” in terms of POPIA, which can include anything from contact
information to personal opinions, views or preferences.
POPIA, contrary to popular belief, does not always require that consent be
obtained from data subjects prior to personal information being processed.
For example, it may be possible for a business to use your personal information
if there is a contractually legitimate reason to use such information, even
without your specific consent. This is not open-ended, but definitely possible
where justified.
It is therefore very important to determine when it is necessary to obtain consent
and when not, as the purpose of POPIA is neither to overburden persons
with constant requests for consent nor to ignore the protection that such a
requirement would provide.
Under POPIA, consent will generally not be necessary in the following scenarios:
• Where processing is necessary to carry out actions for the conclusion or
performance of a contract to which the data subject is party.
• Where processing complies with an obligation imposed by law on the
responsible party.
• Where processing protects a legitimate interest of the data subject.
• Where processing is necessary for the proper performance of a public law
duty by a public body.