Page 36 - Q&A Book.indd
P. 36

POPI and the transfer of personal information
            outside of South Africa

            Damian Viviers
            June 2017

            “I operate a local travel agency that primarily books overseas
            vacations and travel arrangements for clients. This process
      Commercial  involves making arrangements with overseas businesses, such
            as restaurants and hotels. Am I correct when I say that POPI will
            have an impact on my ability to transfer personal information
            of my clients to other countries? What will my obligations be
            in this regard?”

            One should note that although the Protection of Personal Information
            Act 4 of 2013 (“POPI”) was signed into law on 19 November 2013, it has to
            date, not yet fully come into effect. It is already law, but we are still awaiting
            the final date for the commencement of mandatory compliance with
            its provisions. POPI protects persons from suffering damage and harm
            by requiring entities and persons who receive personal information to
            protect such information and to keep it private and confidential.
            POPI places an important responsibility on parties who collect, store, use
            and destroy personal information and also provides rights and remedies
            to persons whose rights have been infringed in terms of the provisions
            of POPI. The entities and persons who carry this responsibility are termed
            “responsible parties”.

            POPI does not aim to stop the flow or sharing of personal information,
            but  rather  aims  to  establish  and  set  guidelines  and  rules  in  line  with
            international standards, for how this must be done, in order to protect the
            privacy of the persons whose personal information is being processed.
            In order for POPI to apply to any processing activity, such activity must
            take place in South Africa and the responsible party processing the
            information must have a place of business in South Africa. However the
            person whose information is processed does not have to be a South
            African.

            In circumstances where personal information is transferred outside the
            borders of South Africa, the responsible party must notify all persons
            who will be affected, that it intends to transfer their personal information
            to another country. The responsible party must also inform the persons
            whose personal information is being transferred abroad of the level of
            protection that their information will be afforded in such foreign country.




            31
   31   32   33   34   35   36   37   38   39   40   41