“I operate a local travel agency that primarily books overseas vacations and travel arrangements for clients. This process involves making arrangements with overseas businesses, such as restaurants and hotels. Am I correct when I say that POPI will have an impact on my ability to transfer personal information of my clients to other countries? What will my obligations be in this regard?”
One should note that although the Protection of Personal Information Act 4 of 2013 (“POPI”) was signed into law on 19 November 2013, it has, to date, not yet fully come into effect. It is already law, but we are still awaiting the final date for the commencement of mandatory compliance with its provisions.
POPI protects persons from suffering damage and harm by requiring entities and persons who receive personal information to protect such information and to keep it private and confidential. POPI places an important responsibility on parties who collect, store, use and destroy personal information and also provides rights and remedies to persons whose rights have been infringed in terms of the provisions of POPI. The entities and persons who carry this responsibility are termed “responsible parties”.
POPI does not aim to stop the flow or sharing of personal information, but rather aims to establish and set guidelines and rules in line with international standards, for how this must be done, in order to protect the privacy of the persons whose personal information is being processed.
In order for POPI to apply to any processing activity, such activity must take place in South Africa and the responsible party processing the information must have a place of business in South Africa. However, the person whose information is processed does not have to be a South African.
In circumstances where personal information is transferred outside the borders of South Africa, the responsible party must notify all persons who will be affected that it intends to transfer their personal information to another country. The responsible party must also inform the persons whose personal information is being transferred abroad of the level of protection that their information will be afforded in such foreign country. These considerations are based on the underlying intention of POPI that personal information should remain protected and secure even after it has been transferred to another country where POPI does not apply.
In addition to the above, POPI also requires that personal information can only be transferred to another country if one of the following primary circumstances is present:
• The country to which the information will be sent, as well as any other countries to which the personal information may be subsequently transferred, affords the personal information an adequate level of protection similar to that afforded by POPI.
• The recipient of the personal information in the foreign country agrees to treat the personal information in accordance with the provisions of POPI.
• The person whose personal information is being transferred abroad consents to the transfer.
• The transfer is necessary for the performance of a contract between the person whose personal information is being transferred and the responsible party.
• The transfer is necessary for the conclusion of a contract between the responsible party and the third party in the other country.
Your travel agency, as a responsible party that processes the personal information of its clients, will be bound to comply with POPI. The most effective way to ensure that a cross-border transfer of personal information is POPI-compliant will be to obtain the consent of the relevant persons whose personal information is being transferred abroad. This will require that you have POPI-compliant consent forms and agreements, which should be signed by your clients. It may not always be possible to obtain this consent beforehand, and it will therefore be advisable to seek the help of an attorney to advise you on how to utilise your consent forms or other methods to ensure your POPI compliance, should obtaining consent upfront not be possible.