Protection of Personal Information Act, 2013 (Act No. 4 of 2013)

Notices

Information Regulator

Notice in terms of Section 37(1) of the Act (POPIA) Exemption

Bidvest Protea Coin (Pty) Ltd

Notice No. 3923 of 2023
Purchase cart Previous page Return to chapter overview Next page

 

Notice No. 3923

29 September 2023

GG 49379

 

National Treasury

 

N3923 information regulator logo

 

1. In terms of the provisions of section 37(1) of POPIA, the Information Regulator (Regulator) gives notice that the Regulator grants exemptions to Bidvest Protea Coin (Pty)(Ltd) (responsible party), from compliance with section 11(3)(a) of POPIA. The exemption authorises the responsible party to process personal information in breach only of the relevant provision in one (1) of the eight conditions for lawful processing of personal information and under the circumstances outlined hereunder.

 

2. The responsible party is a private body whose business is to render private security services in South Africa. The responsible party provides security services of its clients on their properties and in accordance with individual contracts. This may entail guarding services, providing security services at mines, essential infrastructure, such as mobile phone service providers, banks, security estate, shopping malls and many other private entities. The responsible party conducts official investigations to assist the South African Police Services (SAPS), and National Prosecuting Authorities (NPA).

 

3. The Regulator found that the processing of personal information of data subjects by the responsible party is in breach of—
3.1. Section 11(3)(a) to the extent that the responsible party may not allow data subjects to object to the processing that is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied (the latter being SAPS and NPA).
3.2. The exemption from compliance applies in terms of this section only.

 

4. Grounds for granting of exemption by the Regulator—
4.1. The grounds for exemption from compliance in terms of section 37(1)(a) and section 37(2)(b) apply.
4.2. The Regulator is satisfied that, in the circumstances of the case, the public interest in the processing, which includes ‘the prevention, detection and prosecution of offences’; outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing.

 

5. The effect of the exemption is:
5.1. To exempt the responsible party from compliance with section 11(3)(a) of POPIA (objection to processing) during the prevention, detection, investigation, and prosecution of offences when processing personal information in terms of POPIA.

 

6. Where appropriate, agreements ensuring that personal information is processed in compliance with POPIA which cover the terms of sections 20 and 21 of POPIA may need to be concluded between the responsible party and the relevant law enforcement agencies.

 

7. The Regulator grants the exemption to the responsible party on the following conditions imposed in terms of section 37(3):
7.1. The responsible party must secure and protect the personal information of data subjects in compliance with section 19 of POPIA and
7.2. The responsible party remains bound by any other conditions for the lawful processing on personal information that may apply in terms of a Guidance Note to be issued by the Information Regulator on surveillance by CCTV camera.

 

8. A copy of this exemption notice will be made available on the Regulator’s website, alternatively, a request for a copy can be made by addressing correspondence to email address: [email protected].