Condition 2 – Processing Limitation – Section 9 – Section 12

Section 9

Lawfulness of processing

  1. Personal information must be processed—
    1. lawfully; and
    2. in a reasonable manner that does not infringe the privacy of the data subject

Section 10

Minimality

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Section 11

Consent, justification and objection

  1. Personal information may only be processed if—
    1. the data subject or a competent person where the data subject is a child consents to the processing;
    2. processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
    3. processing complies with an obligation imposed by law on the responsible party;
    4. processing protects a legitimate interest of the data subject;
    5. processing is necessary for the proper performance of a public law duty by a public body; or
    6. processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
    1. The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1)(a).
    2. The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1)(a), at any time: Provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information in terms of subsection (1)(b) to (f) will not be affected.
  3. A data subject may object, at any time, to the processing of personal information—
    1. in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
      1. for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.
  4. If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

Section 12

Collection directly from data subject

  1. Personal information must be collected directly from the data subject, except as otherwise provided for in subsection (2).
  2. It is not necessary to comply with subsection (1) if—
    1. the information is contained in or derived from a public record or has deliberately been made public by the data subject;
    2. the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
    3. collection of the information from another source would not prejudice a legitimate interest of the data subject;
    4. collection of the information from another source is necessary—
      1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
      2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      4. in the interests of national security; or
      5. to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
    5. compliance would prejudice a lawful purpose of the collection; or
    6. compliance is not reasonably practicable in the circumstances of the particular case.

Questions