For many readers, the acronyms POPI and POPIA have become familiar due to the prolific news items following on the recent announcement by President Cyril Ramaphosa that the Protection of Personal Information Act is operational and that businesses must gear up their practice and to be compliant next year, 1 July 2021.
From the point of view of a property seller/purchaser, landlord or tenant
In transacting for the sale or purchase of a property, or when premises are leased, a substantial amount of very private information changes hands. It is likely that an identity document must be provided, together with proof of residential address, employer detail, proof of income (tenant), contact numbers and email addresses. In a lease there is sometimes also details of a third party required who may be contacted should you default.
Is this no longer allowed? The answer is yes and no. Let us explain.
Your estate agent and POPIA
POPIA’s principal impact on businesses will generally lie in its customer interaction, human resources (processing of employee information), marketing and advertising; procurement (processing of supplier information), information management, finance (debtors and creditors information), and cross-border transfers of personal information (if applicable). In its barest essence, POPIA establishes a framework to give flesh to one’s right to privacy, whilst at the same time balancing the legitimate needs of businesses to collect and use personal data for legitimate purposes. Non-compliance comes with the threat of reputational and financial risk (with fines of up to R10 million).
POPIA does not prohibit businesses from continuing with their legitimate business operations. Consent from data subjects (the clients) need not be obtained in all instances to process (use, apply, collect, store, delete) their personal information. The emphasis is rather that, when personal information is obtained from clients and used for an identified and legitimate purpose, the collection, storage and ultimate deletion of the data must be done responsibly. (There are exceptions of course where consent or other additional considerations is required such as where the business wants to use the data for electronic marketing; processing the personal information of a child, and so forth.)
The default position is set out in section 11 of POPIA which makes provision for justification grounds, in other words, even though there is no consent, the business can “justify” why it is processing the personal information through other means. These grounds include, for example, if the processing is necessary for concluding a contract to which the individual is a party or it is necessary to perform under such contract, such as where a sale or lease of immovable property is concerned. Or, where the processing complies with an obligation imposed by law on the responsible party (an example might be processing for purposes of complying with legislation such as RICA or FICA).
From this it is clear that as seller, purchaser, landlord or tenant, you may be asked to provide certain personal information necessary for the transaction. Where this information falls within the specific exclusions, is used for other purposes not aligned to the reason why it was obtained in the first place, is leaked to the general public, POPIA questions will arise. However, if the information is processed for the transaction in a safe, secure fashion and within the limitations imposed by POPIA, the use thereof is not contrary to POPIA.