Codes of Conduct:

Specific Codes of Conduct may be developed in order to clarify how the 8 conditions for the lawful processing of personal information are to be applied within a particular sector.

These codes may be developed either by the IR itself, or by the stakeholder/s within that particular sector, who would then make an application to the IR to issue and approve the codes.

These sectors include specific industries, professions, vocations or specific bodies or class of bodies.

These sectors will then be governed by these codes in terms of the lawful processing of personal information of Data Subjects within their sphere of operation.

The IR may also issue Codes of Conduct in relation to specific types of information to be processed.

To recap, the IR may either issue a code for a particular sector on its own initiative (after first consulting with affected stakeholders), or it may issue and approve them after receiving an application from affected stakeholders (as long as the IR believes that such applicants are sufficiently representative of the industry, profession, vocation or class of bodies applying for the Codes of Conduct).

The process that then takes place is that a notice will be placed in the Government Gazette by the IR that the issuing of a Code of Conduct is being considered. This notice must set out the details of the particular code being considered and that a draft of the proposed code can be obtained from the IR by any interested party. There is then a period of time for the public (affected parties) to make submissions in writing relating to that code, these submissions must be considered by the IR. As long as the code remains in force, copies of it are available on the IR’s website and at the IR’s offices. The IR must keep a register of all the approved Codes of Conduct.

The IR may also provide written guidelines to assist bodies to develop their own Codes of Conduct, and also on how to apply them.

  • In regard to the journalistic profession, where there is no Code of Ethics governing a Responsible Party, the IR must have regard to the principles set out below, when considering the approval of a Code of Conduct for the processing of any personal information for exclusively journalistic purposes:
  • The special importance of the public interest in freedom of expression
  • Domestic and international standards balancing the free flow of information in recognition of the right of the public to be informed
  • Domestic and international standards balancing the public interest in the safeguarding of personal information of data subjects
  • The need to secure the integrity of personal information

Failure to comply with a Code of Conduct that has been approved and issued by the IR is deemed to be a breach of the conditions for the lawful processing of personal information and may be subject to the enforcement procedures set out in Chapter 10 of the Act – for example, a Data Subject will have the right to institute civil proceedings against a Responsible Party – regarding the alleged interference with the protection of his personal information.

Direct Marketing by means of unsolicited electronic communications:

In order for the processing of personal information of a Data Subject to be lawful when a Responsible Party undertakes Direct Marketing, the Data Subject must first:

Has given his express consent to the processing 

The consent must be expressly given, through a clear, specific and affirmative act. The Data Subject may withdraw his or her consent at any time. A Responsible Party may approach a Data Subject in order to obtain his specific consent only for a specific processing purpose, provided that Data Subject has not previously withheld such consent. The Responsible Party can only do this once. It must be requested in the prescribed manner and form (although the Act does not set out what this should look like). Consent can be managed by:

  • Having an unsubscribe function, so that Data Subjects are able to withdraw their consent at any time (without being penalised)
  • Having a process in place to update consents regularly
  • Removing Data Subjects from contact lists when they unsubscribe.

Must be an existing customer of the Responsible party 

Only where the Responsible Party has:

  • obtained the contact details of the Data Subject in the context of the sale of a product or service,
  • for the purpose of Direct Marketing of the Responsible Party’s own similar products or services
  • if the Data Subject has been given a reasonable opportunity to object, free of charge, to the use of his electronic details at the time when the information was collected and on the occasion of each communication with the Data Subject for the purpose of marketing if the Data Subject has not initially refused such use.

What should a Direct Marketing Communication look like in order to be lawful?

  1. It must have the details of the identity of the sender or the person on whose behalf the communication was sent, as well as the contact details of any third party that the Responsible Party will share the information with.
  2. It must have an address or other contact details to which the recipient may send a request that such communications cease.

A Data Subject has the right to:

  • Object to the processing of his personal information if it is for the purposes of Direct marketing

Other legislation relating to Electronic Marketing:

The Consumer Protection Act deals with the consumer’s right to restrict unwanted direct marketing, while the Electronic Communications and Transactions Act regulates unsolicited electronic communications.

The Consumer Protection Act 68 of 2008 protects consumers in regard to direct marketing. Section 32 states that a person who directly markets goods or services to a consumer and who concludes a transaction or agreement with the consumer, must inform the consumer of the right to rescind that agreement in terms of the cooling-off period of 5 business days from the date of the transaction, as set out in Section 16.

Electronic Communications and Transactions Act 25 of 2002

This Act applies to any form of communication by email, the internet, SMS’s etc. except possibly for voice communications between 2 people. Provision is made for consumer protection in Chapter VII of the Electronic Communications and Transactions Act here after referred to as ECTA – whereby suppliers of goods or services must provide consumers with a minimum set of information, including the price of the product or service, the name, contact details, a brief description of the business, and the right to withdraw from an electronic communication before its completion. The consumer is protected in that they are also afforded a cooling-off period (7 days) within which they may cancel certain types of transactions concluded electronically – without incurring a penalty. In addition, the ECTA specifically requires that each electronic message be accompanied by an option to cancel (opt-out) of a subscription to a mailing list.

Section 45 of the ECTA also provides some protection against SPAM communications. The sender of such unsolicited communications, who continues to send them, even although the consumer has advised that he does not welcome the communications, will be committing an offence.

The ECTA also regulates the electronic collection of personal information, although compliance with these provisions is voluntary. The provisions of the ECTA pertaining to the protection of personal information will, however, be repealed on 30 June 2021.


A Data Subject who is a subscriber* to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which his personal information is included, must be informed, free of charge and before the information is included in the directory about the purpose of the directory, and about any further uses to which the directory may possibly be put, based on search functions embedded in electronic versions of the directory. He must be given a reasonable opportunity to object, free of charge to the use of his personal information or to request withdrawal of such information if he did not initially refuse such use.

This will not apply to editions of directories that were produced in printed or off-line electronic form prior to the commencement of this section in the Act.

*For the purposes of this Section, subscriber means any person who is a party to a contract with the provider of publicly available electronic communications services, for the supply of such services

What is automated decision making?

A Data Subject has the right:

  • Not to be subject to a decision which is based solely on the basis of automated processing of his personal information intended to provide a profile  of such person, including his performance at work, or his credit worthiness, reliability, location, health, personal preferences or conduct.

The above does not apply however, where the decision is taken in connection with the conclusion of a contract and the request of the Data Subject in terms of the contract has been met or appropriate measures have been taken to protect the interests of the Data Subject. It will also not apply where the decision is governed by a law or Code of Conduct.

Trans-Border Information Flows:

In the context of Section 14 of the Constitution, which encompasses the right to privacy, balanced against principle of free flow of information within South Africa and across international borders, Section 72 of the Act deals with the transfer of personal information about a Data Subject to a third party who is in a foreign country.

This can only be done lawfully by a Responsible Party, if the requirements of Section 72 are met. These requirements are as follows:


  • The third party is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection that:
    • upholds principles that are substantially similar to the conditions of lawful processing in SA
    • includes similar provisions re the transfer of such information from the recipient to a third party in another foreign country


  • the Data Subject consents to the transfer


  • the transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party

Interest of the Data Subject 

  • the transfer is necessary for the performance of a contract concluded in the interest of the Data Subject between the Responsible Party and a third party


  • the transfer is for the benefit of the Data Subject, and
  • it is not reasonably practicable to obtain the consent of the Data Subject to that transfer, and
  • if it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it

In a nutshell, in order to lawfully transfer personal information outside South Africa to a foreign country, you will need to check that it will be protected in that foreign country.

The Digital World and Information Governance:

Social media and online communication particularly in the context of the Covid-19 pandemic, has accelerated the adoption of the digital world in our everyday lives. This provides that the protection of data in the digital world has become of increasing importance.

Access to information is the new way of being part the digital age, however, with this comes an increase in data breaches, phishing scams and cyber-crime. POPIA provides that a Responsible Party appoint an Information Officer, who is responsible for compliance with POPIA within the organisation, in order to ensure that their Data Subjects’ personal information is stored and shared safely, and to prevent data breaches.

Information Governance, however, doesn’t just relate to the personal information of Data Subjects. It relates to an organisation’s intellectual property, financial information, policies and procedures, emails, employees and suppliers. It involves records management, information security, risk management, compliance management, and IT governance.

In order to keep this information secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure, the Responsible Party will need to review and assess its policies and procedures relating to Information Governance and Cybersecurity within the organisation. In addition, th        ere is a duty to provide Data Subjects, and the IR with notification should there be any data breaches.

Cybersecurity incorporates network security, cloud security, identity and access management and intrusion detection systems.


*in this topic, words importing the masculine in reference to a Data Subject shall include a reference to the feminine and to a juristic person.