POPIA, newsletters and social media groups

Jul 10, 2021


South Africa 'woke up' to POPIA (the Protection of Personal Information Act) in a big way on 1 July 2021 - mostly because of the many, many emails and social media messages that did the rounds that day, claiming that this new law requires consent for direct marketing or to be part of a WhatsApp / Facebook group, and that a failure to unsubscribe will imply that such consent has been given going forward.

Well, not quite. POPIA is quite specific and strict when it comes to the issue of consent (in general) and consent for direct marketing (specifically). Whilst the Act does not apply retrospectively, the continuous processing of personal information obtained historically, is subject to the Act and its enforcement provisions as from 1 July 2021.

However, POPIA does not apply to all activities and communications involving personal information. 

  • There are some exclusions, such as using personal information in the context of purely personal /household...
Continue Reading...

Flaunting Covid-19 protocols can get you dismissed

May 08, 2021

The Labour Court, in a recent case, has confirmed that dismissing an employee who came to work knowing that he had been exposed to the virus, was fair in the circumstances of this case. 

The facts in Eskort Limited v Stuurman Mogotsi and Others (JR1644/20) [2021] ZALCJHB 53, were that the employee (Mogotsi) was an assistant manager and a member of the in-house “Coronavirus Site Committee” at work - which, amongst other things, was tasked with informing employees about the risks of COVID-19, what symptoms to look out for and what to do in the event of exposure.

Mogotsi usually travelled to and from work with a colleague. The colleague started feeling unwell, was booked off from work and subsequently tested positive for COVID-19. Mogotsi also started experiencing symptoms associated with COVID-19. Despite him being booked off and his employer advising him to stay at home, he however persisted in coming to work. During the period when he was awaiting the...

Continue Reading...

Data breaches and security compromises - be prepared

Apr 23, 2021


Although data breaches are nothing new, this topic has received more focus recently with stricter data protection laws and regulations. It is more important than ever that organisations prepare for such an occurrence and have formal procedures and protocols in place to deal with the fallout. Here are some pointers and reminders of aspects to think about.


What is a data breach or security compromise?

In terms of the Protection of Personal Information Act (POPIA), this is not defined. Under the new Cyber Crimes Bill, there are descriptions of types of actions that would constitute criminal offences. However, for the purposes of being prepared, this could entail any type of data breach or security compromise (digital or physical) that would expose the organisation to potential risk.

Apart from the obvious things around cyber security such as hacking, malware, ransomware attacks, etc. we also need to consider other vulnerabilities in the protection of the (personal)...

Continue Reading...

POPIA: Processing employees' personal information and consent

Jan 17, 2021
Employers who have been thinking about updating the consent clauses in their employment contracts for the purposes of POPIA, should consider this carefully. It might be that your new clause ends up being invalid, if corresponding principles from the GDPR are applied similarly in South Africa.  
Processing of personal information is only lawful if it complies with the eight conditions specified in POPIA.          
In terms of the condition of "processing limitation", the following applies:

The processing of personal information must take place in a 'reasonable manner that does not unnecessarily infringe on the privacy of the data subject (s9).

Minimality - only the minimum amount of personal information that is necessary ('adequate, relevant and not excessive') for the purpose for which the information is needed, should be collected and processed (s10) 

Section 11 – Personal information may only be processed on one...
Continue Reading...

Breaching company procedures and dishonesty in the workplace

Dec 17, 2020


The Labour appeal Court confirmed a number of important principles around misconduct and workplace discipline in the case of Pick ’n Pay Retailers (Pty) Ltd v JAMAFO obo Maluleke and others (2020) 29 LAC.  

The employee was a trainer of cashiers. She and a colleague were gifted boxes of chocolates by a customer of the store, which she did not declare and then attempted to exchange for cash. In doing so, she breached a number of company protocols and policies (which she had been well aware of as the trainer) and when she could not succeed, tried to reverse the transactions to try and cover up her activities - involving names and passwords of other employees. She was dismissed by the company on the basis of breaching company policies and attempted fraud, despite her service of 24 years and clean disciplinary record.

The employee did not deny what she had done, but tried to justify her actions by saying that she had not wanted to siphon money from the store, but just...

Continue Reading...

Managing Workplace Discipline - do so timeously

Nov 18, 2020


An employee is pushing the boundaries. You get complaints about performance and client service. You call him/her in, express your discontent and tell them to do better. This happens a few times, but you just do not get around to formalising these little chats (who has the time, and who needs the conflict?). Then something happens that gets the attention of senior management / the Board / social media..........and all eyes are on you to address this issue once and for all. What do you do?

Famously, in our experience, a disciplinary hearing is called. This latest incident is taken and dissected to see how many of the boxes in the company's disciplinary code can be ticked in order to formulate as many charges as possible from this one incident - because this was now the last straw and the pressure is on to dismiss the employee.

So, the bulked-up disciplinary charges for the hearing include added charges like dereliction of duties; bringing the company's name into disrepute; and...

Continue Reading...

POPIA and collecting personal information during the recruitment process

Oct 26, 2020


Employers and recruitment agencies as a general practice ask for a job applicant’s current (or past) payslip when they apply for a new position. This has always been a contentious issue, but most job applicants disclose it if a prospective employer insists upon it, for fear of been side-lined if they challenge this request.

With the advent of POPIA, it seems that the shoe will be on the other foot, since such information constitutes personal information and at a minimum, the eight conditions for lawful processing must be complied with by the employer as the responsible party if it wishes to collect and use this information of a job applicant as the data subject.

The eight processing principles / conditions include –

  • minimality or processing limitation (only processing what is really necessary and relevant) and based on one or more of six lawful grounds;
  • for a stated purpose (purpose specification) that is based on and relevant to the legitimate activities of the...
Continue Reading...

POPIA and the Information Officer

Oct 18, 2020


In South Africa, the Information Officer (IO) is the person within an organisation (as the responsible party) who is responsible for compliance with PAIA (Promotion of Access to Information Act) and now also POPIA.

Who is the Information Officer?

This position is automatically assigned to the head of the organisation (such as the CEO, or a partner, or a sole proprietor in the private sector), who will be the Information Officer by default. There is however provision for designating and officially appointing someone in this position and for the appointment of Deputy Information officers to whom such powers and responsibilities can be delegated. The accountability however will remain with the Head of the organisation, regardless of a delegation of responsibilities.

It is also interesting to note that, different from the GDPR, POPIA does not make provision for the outsourcing of this position – i.e. appointing or contracting an external Information Officer. The position of...

Continue Reading...

POPIA - The Responsible Party and the Operator

Oct 14, 2020


Many organisations use agencies / consultants / service providers for a range of activities – which in all likelihood include the processing of personal information and/or special personal information. Think about recruitment agencies, IT service providers, security providers, payroll management, marketing agencies, external auditors – to name just a few. These would, for the purposes of POPIA, be regarded as third-party operators and YOU have to ensure that they comply with the Act when they process personal information on your behalf.

The Responsible Party under POPIA is a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and means for the processing of personal information in their possession.

An Operator is the person (or entity) doing the actual processing.

The responsibilities, rights and obligations of operators are not the same as those of responsible parties. However, the distinction...

Continue Reading...

When employees refuse to attend meetings

Oct 04, 2020


There is a disturbing trend that seems to be raising its head in workplaces these days – employees who are called to meetings by their managers (or HR) and then simply….. well…… refuse to attend. Or demanding a detailed agenda for the meeting before considering whether to attend. Or objecting to other attendees to the meeting. Or…….

Not to put too fine a point on it, but this would typically be justified by some perceived infringement of their rights, should they attend said meeting – and hence pre-empting and avoiding the expected unfair treatment by not attending. This especially happens when the subject matter pertains to matters about the employee personally – such as performance or conduct issues.

A recent example of such a scenario was the matter of Gold One Limited v Madalani and Others (JR 1109/15) [2020] ZALCJHB 180 (9 September 2020), where the employee went so far as to resign and claim constructive dismissal,...

Continue Reading...
1 2 3 4

50% Complete

Sign up for our mailing list

Be the first to know about new developments, training, news and special offers