Reproduced by Sabinet Online in terms of Government Printer’s Copyright Authority No. 10505 dated 02 February 1998
76
No. 37067
GOVERNMENT GAZETTE, 26 November 2013
Act No. 4 of 2013
Protection of Personal Information Act, 2013
76
(b) about any further uses to which the directory may possibly be put, based on
search functions embedded in electronic versions of the directory.
(2) A data subject must be given a reasonable opportunity to object, free of charge and
in a manner free of unnecessary formality, to such use of his, her or its personal
information or to request verification, confirmation or withdrawal of such information if 5
the data subject has not initially refused such use.
(3) Subsections (1) and (2) do not apply to editions of directories that were produced
in printed or off-line electronic form prior to the commencement of this section.
(4) If the personal information of data subjects who are subscribers to fixed or mobile
public voice telephony services have been included in a public subscriber directory in 10
conformity with the conditions for the lawful processing of personal information prior
to the commencement of this section, the personal information of such subscribers may
remain included in this public directory in its printed or electronic versions, after having
received the information required by subsection (1).
(5) ‘‘Subscriber’’, for purposes of this section, means any person who is party to a 15
contract with the provider of publicly available electronic communications services for
the supply of such services.
Automated decision making
71. (1) Subject to subsection (2), a data subject may not be subject to a decision which
results in legal consequences for him, her or it, or which affects him, her or it to a
substantial degree, which is based solely on the basis of the automated processing of
personal information intended to provide a profile of such person including his or her
performance at work, or his, her or its credit worthiness, reliability, location, health,
personal preferences or conduct.
(2) The provisions of subsection (1) do not apply if the decision—
(a) has been taken in connection with the conclusion or execution of a contract,
and—
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject’s
legitimate interests; or
(b) is governed by a law or code of conduct in which appropriate measures are
specified for protecting the legitimate interests of data subjects.
(3) The appropriate measures, referred to in subsection (2)(a)(ii), must—
(a) provide an opportunity for a data subject to make representations about a
decision referred to in subsection (1); and
(b) require a responsible party to provide a data subject with sufficient
information about the underlying logic of the automated processing of the
information relating to him or her to enable him or her to make representations
in terms of paragraph (a).
CHAPTER 9
20
25
30
35
40
TRANSBORDER INFORMATION FLOWS
Transfers of personal information outside Republic
72. (1) A responsible party in the Republic may not transfer personal information
about a data subject to a third party who is in a foreign country unless—
(a) the third party who is the recipient of the information is subject to a law, 45
binding corporate rules or binding agreement which provide an adequate level
of protection that—
(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful
processing of personal information relating to a data subject who is a 50
natural person and, where applicable, a juristic person; and