Reproduced by Sabinet Online in terms of Government Printer’s Copyright Authority No. 10505 dated 02 February 1998
68
No. 37067
GOVERNMENT GAZETTE, 26 November 2013
Act No. 4 of 2013
Protection of Personal Information Act, 2013
68
(3) In the case of the notification of information processing to which section 57(1) is
applicable, the Regulator must inform the responsible party in writing within four weeks
of the notification as to whether or not it will conduct a more detailed investigation.
(4) In the event that the Regulator decides to conduct a more detailed investigation, it
must indicate the period within which it plans to conduct this investigation, which 5
period must not exceed 13 weeks.
(5) On conclusion of the more detailed investigation referred to in subsection (4) the
Regulator must issue a statement concerning the lawfulness of the information
processing.
(6) A statement by the Regulator in terms of subsection (5), to the extent that the 10
information processing is not lawful, is deemed to be an enforcement notice served in
terms of section 95 of this Act.
(7) A responsible party that has suspended its processing as required by subsection
(2), and which has not received the Regulator’s decision within the time limits specified
in subsections (3) and (4), may presume a decision in its favour and continue with its 15
processing.
Failure to notify processing subject to prior authorisation
59. If section 58(1) or (2) is contravened, the responsible party is guilty of an offence
and liable to a penalty as set out in section 107.
CHAPTER 7
20
CODES OF CONDUCT
Issuing of codes of conduct
60. (1) The Regulator may from time to time issue codes of conduct.
(2) A code of conduct must—
(a) incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the
obligations set out in those conditions; and
(b) prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features
of the sector or sectors of society in which the relevant responsible parties are
operating.
(3) A code of conduct may apply in relation to any one or more of the following:
(a) Any specified information or class of information;
(b) any specified body or class of bodies;
(c) any specified activity or class of activities; or
(d) any specified industry, profession, or vocation or class of industries,
professions, or vocations.
(4) A code of conduct must also—
(a) specify appropriate measures—
(i) for information matching programmes if such programmes are used
within a specific sector; or
(ii) for protecting the legitimate interests of data subjects insofar as
automated decision making, as referred to in section 71, is concerned;
(b) provide for the review of the code by the Regulator; and
(c) provide for the expiry of the code.
Process for issuing codes of conduct
61. (1) The Regulator may issue a code of conduct under section 60—
(a) on the Regulator’s own initiative, but after consultation with affected
stakeholders or a body representing such stakeholders; or
25
30
35
40
45