The Protection of Personal Information Act, 2013 (“POPIA”) came into full effect on 1 July 2021. POPIA largely imposes obligations, duties, and liabilities on the responsible party.
A responsible party is defined in POPIA as ‘a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information’. It is ultimately the responsible party who is accountable to the Information Regulator and customers (data subjects) and who is liable for ensuring that personal data is processed lawfully.
27four Platform Services (“27four Platform”), being 27four Life Limited and 27four Collective Investment (RF) (Pty) Ltd, is classified as a responsible party in terms of POPIA. 27four Platform acts as the product provider in providing financial products to its customers. To do this effectively, we determine what information (including personal information) we require from our customers and how the required information should be processed to deliver our products.
In the process of delivering our products to customers, 27four Platform makes use of operators, defined as ‘a person/entity who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party’. These operator appointments are in the roles of our appointed, white-labelled managers, our outsourced administrator, and our binder holders.
Although POPIA makes allowance for the existence of joint responsibility for the processing of personal information between responsible parties and operators, this joint responsibility is not clearly defined and guidelines to clear up these scenarios are yet to be published by the Information Regulator. It is therefore paramount that our operators have taken measures to ensure POPIA compliance in their organisations.
27four Platform has ensured that both the basic requirements of the Act and the operational considerations from the Act have been considered and catered for in our organisation. These include, among other steps:
- Appointment and registration of an Information Officer.
- Approval and implementation of a POPIA Policy and Privacy Notice.
- Staff awareness and training.
- Critical amendments to our customer, provider and operator agreements.
- Establishing processes for the management and reporting of breaches.
- Ensuring we only request, process and share information in line with consent and lawful purpose.
Should you be uncertain of our role and responsibilities as a responsible party and need guidance on POPIA, please contact us on firstname.lastname@example.org.