Page 42 - Q&A
P. 42

Consent in terms of POPIA – is it ‘yes till death
            do us part’?


            May 2020
            “I understand that POPIA requires me to give consent for the use of my personal
            information and that a business cannot use my information without such
            permission. Although I am in favour of this approach, I was just wondering if I
      Commercial  but then it stays in place for ever? I don’t want to be bombarded with requests
            will now have to give consent every time or will I be asked to give consent once,
            but at the same time I don’t want to be held to a consent I can hardly even
            remember giving. How is this going to work?”

            The rule of thumb is that the Protection of Personal Information Act 4 of 2013
            (“POPIA”) requires that responsible parties, namely the business or entity
            handling your personal information, must lawfully process your personal
            information, which can most easily be done with the consent of a data subject
            to whom the personal information relates.
            Giving consent every time someone needs to use your personal information
            can seem like a massive undertaking, especially when you consider the
            broad definition of everything that could potentially constitute  “personal
            information” in terms of POPIA, which can include anything from contact
            information to personal opinions, views or preferences.

            POPIA, contrary to popular belief, does not always require that consent be
            obtained from data subjects prior to personal information being processed.
            For example, it may be possible for a business to use your personal information
            if there is a contractually legitimate reason to use such information, even
            without your specific consent. This is not open-ended, but definitely possible
            where justified.
            It is therefore very important to determine when it is necessary to obtain consent
            and when not, as the purpose of POPIA is neither to overburden persons
            with constant requests for consent nor to ignore the protection that such a
            requirement would provide.

            Under POPIA, consent will generally not be necessary in the following scenarios:
            •   Where processing is necessary to carry out actions for the conclusion or
                performance of a contract to which the data subject is party.
            •   Where processing complies with an obligation imposed by law on the
                responsible party.
            •   Where processing protects a legitimate interest of the data subject.
            •   Where processing is necessary for the proper performance of a public law
                duty by a public body.



            35
   37   38   39   40   41   42   43   44   45   46   47