white_paper_on_data_protection_in_india_171127_final_v2
scope of the processing activity, as well as the risks posed to the individual by processing her personal information. 681 Risks could include physical, material, or non-material damage. Non-material damage could include discrimination, fraud, and reputational damage.

In order to demonstrate that a data controller has complied with its obligations under the EU GDPR, it could implement internal data protection policies, maintain relevant documentation of processing activities, and use data protection impact assessments where appropriate. 682

South Africa

The POPI Act sets out that a "responsible party" must ensure that certain conditions for lawful processing of personal data are satisfied at the time of processing. 683 The conditions for lawful processing of personal data are: accountability, 684 processing limitation, 685 purpose specification, 686 further processing limitation, 687 information quality, 688 openness, 689 security safeguards, 690 and data subject participation. 691

As part of the accountability principle, a responsible party must ensure that it secures the integrity and confidentiality of personal information in its possession by taking appropriate and reasonable technical and organisational measures in order to prevent loss, damage, or unauthorised destruction of personal information. The responsible party must also prevent unlawful access to, and unlawful processing of, personal information. 692

In order to ensure this, the POPI Act provides that a responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to the personal information in its control, establish and maintain appropriate safeguards against these identified risks, verify that these safeguards are implemented, and ensure that the safeguards are updated in order to respond to any new risks or to plug deficiencies found in the previous safeguard measures. 693

The POPI Act places an additional obligation on third parties that process personal data on behalf of a responsible party. It provides that such third parties may process personal data only with the knowledge or authorisation of the responsible party and must treat personal information as confidential. 694 Additionally, the POPI Act provides that where an operator (a
681 Article 25, EU GDPR, read with Recitals 74 and 75 of the EU GDPR.
682 ICO, 'Accountability and Governance', available at: https://ico.org.uk/for-organisations/data-protectionreform/overview-of-the-gdpr/accountability-and-governance/ (last accessed 20 November 2017).
683 Section 8, POPI Act.
684 Section 8, POPI Act.
685 Sections 9, 10, 11 and 12, POPI Act.
686 Sections 13 and 14, POPI Act.
687 Section 15, POPI Act.
688 Section 16, POPI Act.
689 Sections 17 and 18, POPI Act.
690 Sections 19, 20, 21 and 22, POPI Act.
691 Sections 23, 24 and 25, POPI Act.
692 Sections 19(1)(a) and (b), POPI Act.
693 Section 19(2), POPI Act.
694 Section 20, POPI Act.
152