Intellectual Property Law: Where to Place Your Privacy Policy

The Protection of Personal Information Act (POPI Act, the Act) was introduced to, amongst other things, promote the protection of personal information by public and private bodies, and to introduce conditions as minimum requirements for the processing of personal information. As a result of this and the recent announcement that parties who process personal information (known as the responsible party) on their websites must ensure compliance with the Act, many website owners have been forced to take note of the implications of not adhering to the rules when they collect and process the personal information of clients (known as the data subject).

The Act has provided 8 conditions which must be fulfilled for the lawful processing of personal information. They are:

  • Accountability
  • Processing limitation
  • Purpose specification
  • Further processing limitation
  • Information quality
  • Openness
  • Security safeguards
  • Data subject participation

These conditions are mainly to give effect to the rights of data subjects to have their personal information processed lawfully. Each condition will have to be addressed in a Privacy Policy.

The Privacy Policy will highlight:-

  • how the data subject’s personal information will be processed within the parameters set by the 8 conditions,
  • inform the data subject of the right to be notified of the collection of personal information or that personal information has been accessed or acquired by a party authorised to do so.

The Privacy Policy is further used to inform the data subject:-

  • What personal information of the data subject the responsible party will process,
  • Why the personal information is processed;
  • That the data subject may request the correction, destruction or deletion of personal information under control of the responsible party,
  • That the data subject has a choice whether to accept direct marketing by way of electronic communications (i.e. opt-in);
  • How to submit queries or request to the responsible party or how to lodge a complaint with the Information Regulator.

It is important to note that the presentation of the Privacy Policy to a data subject is just as important as the content of the Privacy Policy, and one must ensure that the data subject notices the Privacy Policy. For this purpose the same principle as per article 11(3) of the Electronic Communications and Transactions Act 25 of 2002, which is the basis of incorporating Information into an agreement that is not in the public domain, can be used, i.e. “information must be referred to in a way in which a reasonable person would have noticed the reference thereto and incorporation thereof; and accessible in a form in which it may be read, stored and retrieved by the other party, whether electronically or as a computer printout as long as such information is reasonably capable of being reduced to electronic form by the party incorporating it”. In short, the Privacy Policy will be of no value if it is presented on a website in a place that a reasonable user will not be able to notice or if noticed, not able to read, store or retrieve at a later stage.

Further guidance can be taken from the Europe’s General Data Protection Regulation (GDPR 2016/679 (EU)), that states that the Privacy Policy must be easily accessible and written in a way that is “concise, transparent, and intelligible… using clear and plain language”. This principle would serve well for all website owners, even if they don’t have European users/ clients.

It is imperative to take note that the above is not only applicable in terms of websites. The same will apply where personal information is processed through other electronic communications, such as email. For purposes of the latter one should incorporate the Privacy Policy into the organisation’s email legal notice by way of hyperlink to ensure that the data subject that may make personal information available via email to the organisation, knows exactly what the organisation’s privacy policy is.

Written by Mario Grobbler

Mario Grobler is a Candidate Attorney in the IT/IP law department at our Tyger Valley branch. Contact him at mgrobbler@dkvg.co.za.

This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us At DKVG Attorneys for specific and detailed advice.