Page 32 - PHG_Q&A_Eng.indd
P. 32

POPI places an important responsibility on parties who collect, store, use and
            destroy  personal  information  (“responsible  parties”) and  also  provides  rights
            and remedies to persons whose personal information is being processed
            (“data subjects”).
            POPI authorises data subjects to request access to the personal information
            held by a responsible party, as well as the amendment and deletion of such
            information under certain circumstances. Responsible parties are obliged, if so
            requested, to provide confirmation free of charge to data subjects that they hold
      Commercial  in question and to confirm the identity of all third parties or the categories of
            their personal information, to provide a description of the personal information
            third parties who have received their personal information.
            Any such request from a data subject must be complied with –

            •  within a reasonable time;
            •  at a prescribed fee (may be levied before the actual record or description
               of the personal information is made available to the data subject);
            •  in a reasonable manner and format; and
            •  in a form that is generally understandable.
            Should a responsible party not wish to provide personal information to a data
            subject such refusal must be based on the same grounds for refusal as allowed
            under the Promotion of Access to Information Act 2 of 2000.
            Data subjects may, in terms of POPI, also request that their personal information
            be corrected or deleted in circumstances where such information has become
            outdated, is not accurate, is incomplete, misleading, or excessive, if it has not
            been obtained by lawful means, or if the responsible party is no longer entitled
            to retain the information.

            In terms of POPI responsible parties are obliged to provide access to personal
            information of a data subject only to that data subject, unless the data subject
            consents otherwise, and may require adequate proof of the identity of the data
            subject prior to them receiving access to their personal information. Responsible
            parties should comply with such a request within a reasonably practicable
            timeframe and tender proof that the request had been complied with.
            As POPI will apply to your business, it is correct that you provided access to the
            personal information. This does not mean that such access should be blanket,
            and our advice would be to consider having a clear data privacy and access
            policy drafted for your business in terms of which you can in future deal with
            such requests for information.











            27
   27   28   29   30   31   32   33   34   35   36   37