Page 56 - Q&A

            be stated upfront and be agreed to by the client. Section 13 of POPIA supports
            this by stating that “personal information must be collected for a specific,
            explicitly defined and lawful purpose related to a function or activity of the
            responsible party”.
            Consent must be “informed”. This means you must provide your clients with
            sufficient information to enable them to make an informed decision as to
            whether or not they want to consent to your business processing their personal
            information. This obligation is accompanied by the requirement that you notify
            your clients of specific information as required by Section 18 of POPIA. These
            include, but are not limited to, the following –

            •   The information being collected and where the information is not collected
                from the data subject, the source from which it is collected;
            •   The name and address of the responsible party;
            •   The purpose for which the information is being collected;
            •   Whether or not the supply of the information by that data subject is
                voluntary or mandatory;
            •   The consequences of a failure to provide the information;
            •   Any particular law authorising or requiring the collection of the
                information; and
            •   The fact that, where applicable, the responsible party intends to transfer
                the information to a third country or international organisation and the
                level of protection afforded to the information by that third country or
                international organisation.
            The data subject’s consent must be expressed in some form or another,
            although the specific format in which such expression is communicated may
            differ as required by the relevant circumstances. How this consent will be
            expressed, such as by a signature or the press of a button on a website, will
            have to be determined in each case.

            It must be remembered that obtaining consent is only one of the
            grounds for lawful processing and that POPIA also provides other grounds for
            lawful processing even where consent was not obtained.

            In general, though, obtaining consent is a safe and effective route to ensuring
            that you are processing information lawfully. However, a general and blanket
            consent that requires a client to consent to all processing of information
            that your business may need to do will probably not cut it. You will need to
            customize your consent to address the aspects of “voluntary”, “specific” and
            “informed”. Should any aspect of your processing change from the basis set
            out in your original consent, you may need to obtain consent again, unless your
            consent was worded widely enough to accommodate such further processing.
            This makes the formulation of your consent very important to cover all your
            current and potential future bases without becoming generic and unspecific.


