Page 55 - Q&A
P. 55

undetermined or ambiguous. The objectives for processing must accordingly
            be stated upfront and be agreed to by the client. Section 13 of POPIA supports
            this by stating that  “personal information must be collected for a specific,
            explicitly defined and lawful purpose related to a function or activity of the
            responsible party”.
            Consent must be “informed”. This means you must provide your clients with
            sufficient information to enable them to make an informed decision as to
            whether or not they want to consent to your business processing their personal
      Commercial  your clients of specific information as required by Section 18 of POPIA. These
            information. This obligation is accompanied by the requirement that you notify
            include, but are not limited to the following –
                The information being collected and where the information is not collected
            •
                from the data subject, the source from which it is collected;
            •   The name and address of the responsible party;
            •   The purpose for which the information is being collected;
            •   Whether  or not the supply  of the information  by that  data subject is
                voluntary or mandatory;
            •   The consequences of a failure to provide the information;
            •   Any particular law authorising or requiring the collection of the
                information; and
            •   The fact that, where applicable, the responsible party intends to transfer
                the information to a third country or international organisation and the
                level of protection afforded to the information by that third country or
                international organisation.
            The data subject’s consent  must  be expressed  in  some form  or  another,
            although the specific format in which such expression is communicated may
            differ as required by the relevant circumstances. How this consent will be
            expressed, such as by a signature or the press of a button on a website etc. will
            have to be determined in each case.

            It does stand to be remembered that obtaining consent is only one of the
            grounds for lawful processing and that POPIA also provides other grounds for
            lawful processing even where consent was not obtained.

            In general, though, obtaining consent is a safe and effective route to ensuring
            that you are processing information lawfully. However, a general and blanket
            consent  that  requires  a  client  to  consent  to  all  processing  of  information
            that your business may need to do, will probably not cut it. You will need to
            customize your consent to address the aspects of “voluntary”, “specific” and
            “informed”. Should any aspect of your processing change from the basis set
            out in your original consent, you may need to obtain consent again, unless your
            consent was worded wide enough to accommodate such further processing.




            49
   50   51   52   53   54   55   56   57   58   59   60