Page 99 - Profile's Unit Trusts & Collective Investments - September 2025
Legislation and guidelines Chapter 5
The responsible party (usually called the “controller” in other parts of the world): the party
who determines why and how to process the data (eg, a company, a government department,
an NGO).
The operator (called “processors” elsewhere): a party who processes personal information on
behalf of a responsible party (eg, an IT vendor).
POPI imposes various obligations on responsible parties. Where they use third parties to process
data, such operators must comply with the POPI requirements.
The main obligations of responsible parties under POPI can be summarised as follows:
• Only information needed for a specific purpose (usually disclosed to the data subject) should
be collected
• Reasonable security measures to protect data must be put in place
• Personal data stored with permission must be relevant and up to date
• Only as much as needed must be held, and only for as long as needed
• Data subjects must be permitted to see what data is held if they so request
Processing personal information
“Personal information” is defined as any information relating to an identifiable, living natural person
or any juristic person. It includes (but is not limited to) the following examples:
Contact details: email, telephone, birth date, ethnicity
History: employment, financial, educational, criminal, medical records
Biometric information: blood type, fingerprints, voice signature
Personal opinions: including private views and preferences
Private correspondence: where it is implicitly or explicitly of a confidential nature
“Processing” means, very broadly, anything done with personal information, including collection,
usage, storage, dissemination, modification, and even deletion.
Note that “personal information” does not necessarily mean data held in a database; it would
include hand-written notes, emails, WhatsApp messages, or even audio or video call recordings.
Hard copy records also fall under POPI.
Does POPI apply to financial advisers?
The scope of POPI is very wide and it applies to almost everything that gets done with the personal
data of individuals.
POPI covers the defined activity of “processing” personal data – the activity is defined rather
than particular professions or types of entities. This makes the definition very broad: anyone who
processes personal data must comply with POPI and must only use personal data in accordance
with POPI’s data protection principles.
Any person or entity, therefore, that collects and/or holds information on identifiable individuals
– or uses, discloses or retains such information – is likely to fall under the definition of “processing”
personal data.
Clearly, financial services firms, including brokers and financial advisers, need to make sure they
comply with POPI. Any non-compliance with POPI since 1 July 2021 can have consequences
including penalties up to R10m, civil proceedings instituted by data subjects or the Regulator, and
the possibility of both criminal charges and fines in some circumstances.
Consent
Under POPI, consent needs to be informed and specific; it needs to be voluntary and an expression
of will. In other words, the subject must make an active choice (clicking on a tick box, for example) – it
is no longer permissible to engineer automatic “opt in” when someone types an email address or cell
number, with “consent” buried somewhere in the terms and conditions.

