Page 55 - Q&A
P. 55

Consent and POPIA: what you should know


            September 2020
            “In my business I receive and store personal information of my clientele. I have
            a sign-up form for my new clients and was wondering whether I would be
            compliant with POPIA if I include a consent to process their information once-off
            in this form. Will this be sufficient for POPIA?”
            The Protection of Personal Information  Act 4 of 2013 (“POPIA”) is aimed at
            ensuring confidentiality by regulating the way in which personal information is   Commercial
            processed by persons or organisations that obtain such information.
            Obtaining consent is one of the stipulated grounds for the lawful processing
            of personal information in terms of POPIA. By obtaining consent, data subjects
            agree to the processing of their personal information and by understanding
            what they are consenting to it helps avoid disputes when their data is processed
            or transferred to third parties in accordance with the consent provided.

            But what if customers don’t understand what they are signing, or don’t really
            grasp the extent of the consent granted to businesses? Will a blanket consent
            be sufficient  and  valid  and not  merely  an administrative exercise  used by
            businesses to tick off the consent box as part of being POPIA compliant?

            A blanket consent form signed by a data subject may seem like an easy way
            to prove your compliance with the provisions of POPIA, but it must be noted
            that not just any consent will be good enough. A business must understand
            what is really required when it asks its clients for consent to process their
            personal information.
            POPIA defines “consent” to be “any voluntary, specific and informed expression
            of will in terms of which permission is given for the processing of personal
            information”. Take note of the words “voluntary”, “specific” and “informed”. Should
            you wish to rely on consent given by your clients for the lawful processing of their
            information, such consent will have to comply with these three requirements.

            “Voluntary” implies a choice as whether to consent or not. Where consent is
            made conditional on using a product or service, such consent, will probably not
            be deemed to have been given voluntary. In some cases, however, it may be
            practically impossible to provide the product or service without such consent,
            for example if you order a product online but refuse to consent to the supplier
            providing your contact details to the shipping agent for delivery purposes.
            In such cases, consent may be implied, but it is a grey area that must be
            carefully considered.
            The consent must relate to a specific purpose, such as to contact a business
            about vehicle insurance or printing services for example, and cannot be vague,
            undetermined or ambiguous. The objectives for processing must accordingly




                                                                        48
   50   51   52   53   54   55   56   57   58   59   60