POPIA for the Automotive Industry

In part 3 of our POPIA series, aimed at assisting our Dealers and MBR clients in gearing up for POPIA implementation, we look at the definition of exactly what and who the Responsible Party is and who the Operator is.

We also look at the all-important Eight Conditions for Lawful Processing that the Responsible Party needs to uphold. In summary these are:

  1. Accountability
  2. Processing Limitation
  3. Purpose Specification
  4. Further Processing Limitation
  5. Information Quality
  6. Openness
  7. Security Safeguards
  8. Data Subject Participation

Top Tip: We have created a simple, infographic summary of the Eight Conditions for Lawful Processing, which you can download here as a quick reference guide.

What are the different roles/responsibilities for handling Personal Information (PI) under POPIA?
POPIA allows for two different levels of responsibility for handling PI, depending on whether you’re the person who is primarily responsible for the data or if you’re simply processing it on the instruction of someone else.
The main role with the largest responsibility is the Responsible Party. If you are the person who is collecting PI and deciding what to do with it, then you are the Responsible Party. So, if a Dealership or MBR collects contact details from a prospective client and decides to store them and use them to connect with the prospective client, then they are the Responsible Party under POPIA. This role involves a lot of responsibility around the collection, use and care of that data. If the Responsible Party contracts an Operator to do something on their behalf, then the Operator will only be allowed to execute on the terms of that arrangement and will not be bound by some of the other conditions of POPIA, which apply to the Responsible Party.
What kind of person/company would be considered an Operator in the Dealership and MBR world?
An example would be the company that does repairs for you. You would give them some Personal Information on the client so that they can arrange the date and time for repairs to be done. They can use the PI purely for the purposes of that engagement and not for any other reason. They also have to ensure they store that Personal Information appropriately and securely and protect it from breach. They will need to delete that PI when the engagement is complete and notify the Responsible Party immediately if they believe that the Personal Information has been accessed or compromised. In short, the Operator may only process the Personal Information with the knowledge or authorisation of you, the dealership or MBR, and must treat that information as confidential and may not disclose it. POPIA requires a Responsible Party to enter into a written contract with the Operator to ensure that the Operator establishes and maintains the necessary security measures when dealing with the Personal Information.
Can you give an example of when a Dealership acts as a Responsible Party?
Say I’m a Dealership having an open day, and the owner of a vehicle comes over for a chat, says they are thinking about selling their vehicle, and asks me to arrange to come and see the vehicle and chat about the possible sale of it. If I take down their number and name to call them the next day, I am the Responsible Party, as I am deciding what data to collect and for what purpose.
What are the Eight Conditions for Lawful Processing?
If you are the Responsible Party, you will need to adhere to what POPIA lays out as the Eight Conditions for Lawful Processing.
These are:
  1. Accountability
  2. Processing Limitation
  3. Purpose Specification
  4. Further Processing Limitation
  5. Information Quality
  6. Openness
  7. Security Safeguards
  8. Data Subject Participation
There is quite a lot of detail to this section of the Act, and it is actually the crux of the Act, so we encourage Dealers and MBRs to read it in full and download the infographic summary as a quick reference guide. This will explain some of the key points on each.
What does Accountability deal with?
This condition simply says that if you are the Responsible Party, it is your job to ensure that the other seven conditions are complied with throughout your journey with that data. You also must ensure that your Operators are able to handle the data with that same due care.
What is the Processing Limitation?
The Processing Limitation requires a Responsible Party to process Personal Information only if it is adequate, relevant, and not excessive given the purpose for which it is being processed. This means that you can’t collect more information than you need to cover the purpose, as a “just in case” or because it would be useful to have that information. Under Processing Limitation, you need to ensure you have a lawful reason for collecting the Data Subject’s information. This comes down to the eight Lawful Grounds for Processing (as covered in series 1, part 6 of Getting to know POPIA, which you can access here for a quick recap), which include gathering consent or processing the data in the execution of a contract, for example. These Lawful Grounds for Processing are important because they give you the right to collect and process the PI in the first place. But there is also one more element in the Condition of Processing Limitation, and that is that you need to collect the information directly from the Data Subject. There are some exceptions to this, which are clearly outlined in the Act, but for the most part you should get the information directly from the Data Subject.
Is the client of a Dealership or MBR allowed to give them the phone number of their neighbour?
No, they can’t, not unless the neighbour has consented to them passing on the details to the Dealership or MBR. In summary, Processing Limitation covers minimality, which means you must not collect more PI than you need; lawful grounds, which means you must have one of the possible legitimate reasons for processing information; and direct collection, which means you have to collect the PI directly from the Data Subject, for the most part.
What does Purpose Specification cover?
Basically, the data you collect must be for a specific and lawful purpose related to your functions or activities, and you must make sure the Data Subject is aware of that purpose. That means you cannot just collect PI in case you might need it later, because then you will be in breach of both ‘minimality’ and ‘collection for specific purpose’, and you probably don’t have one of the ‘lawful grounds’ for collecting it. Essentially, you must have a purpose and the Data Subject must be aware of it.

Purpose Specification also includes a detailed section explaining what your responsibilities are for retaining and restricting access to the records of Personal Information. You are not allowed to keep the Personal Information for longer than is necessary for the purpose for which you collected it. In other words, you must delete the records after that purpose has been completed. There are a few exceptions to this, so we encourage everyone to read this section of the Act, which is available on our website, to see if any of those exceptions apply to them.
Can I keep the data to use for anything else afterwards?
No, you can’t. Actually, that’s Condition number four, called Further Processing Limitation. This condition outlines that anything else you do with that data must be compatible with the purposes for which you first collected that data. So, for instance, if I give my medical aid information about my health, they cannot use that information to profile me for a life insurance product if I did not consent to that. You can only use that information to do something in line with the purpose of your collection, not something unrelated.
What does Information Quality cover?
It basically says that it’s your job, as the Responsible Party, to ensure that the PI you are collecting is accurate, complete, not misleading, and updated, where necessary, while always bearing in mind the purpose for which it was collected.
What does Openness deal with?
This has two components. Firstly, if you’re working with PI you need to keep documentation of your processing operations and make this available to people in an accessible POPIA policy. Secondly, you need to notify them and make sure they’re aware of several things, like what Personal Information you’re collecting, your name and address, the purpose you’re collecting it for, and who you’ll be sharing it with, if anyone, etc. For the most part, Dealerships and MBRs will be dealing directly with the person they are getting PI from. But please check the full section of POPIA obligations to make sure you know what all your obligations are. Also, there are some exceptions to this section, so it’s wise to read this section of the Act.
What does Security Safeguards cover?
If you’re holding other people’s Personal Information, you have to make sure you can secure the integrity and confidentiality of that data. This means not leaving it lying around, making sure you lock your computer when you leave it, keeping your diary and phone inaccessible to others, and so on. You must proactively identify all the risks, internally and externally, that could result in inappropriate access to the data, and put in place measures to protect it. The obligation to keep the Personal Information secure and confidential applies to both Responsible Parties and Operators.
Is it enough for Dealers or MBRs to have a security scanning program on their laptops?
No. You need to look at security more holistically and take steps to ensure that anybody who doesn’t have the right to see that data doesn’t and can’t access that data in any form.
Can Dealers/ MBRs still keep a Client Register at the front desk for people to complete when they visit?
If people visiting the dealership can see the names and phone numbers of other people who have visited, either on a piece of paper or digital record, then you’re breaching POPIA, strictly speaking. But this is easy to remedy – instead of having a register, you would simply have each visitor complete a separate form and make sure you keep these forms secure and out of sight. It helps to think of people’s PI as a precious asset. If you wouldn’t ask your clients to leave vehicle keys lying around unattended on a Visitor Register, then you shouldn’t ask them to leave their data there either. Both are precious. And, to jump back to a previous Condition, you will also have to consider the content of the Visitor Register. Work out what information is absolutely required to be collected, considering the purpose of the Register, and make sure you don’t collect anything more.
What other key areas does Security Safeguards cover?
Two more things. Firstly, it’s the Responsible Party’s job to make sure that there’s a written contract in place between them and any Operator who needs to process that data on their behalf. This contract also needs to bind the Operator to the same levels of security that the Responsible Party has to comply with. The Operator is compelled to treat the Personal Information in confidence and only process it with the authorisation of the Responsible Party. Finally, the Act specifies how people and companies must notify the Regulator and Data Subject if there is a breach. We strongly suggest that anyone or any company handling lots of Personal Information makes sure they are aware of these responsibilities proactively. By that we mean creating an established process, policy document or the like, so that if there is a breach, you’re not starting from the very beginning in terms of understanding your obligations. This proactive approach applies to several obligations under POPIA – being prepared is both smart and important.
What does the Data Subject Participation cover?
People have the right to know whether a company or person holds their Personal Information. They also have a right to know what it has been used for and who it has been shared with. They also have the right to request changes to it if it is incorrect, and they have the right to ask the company or person to delete their Personal Information. While empowering for individuals, this can be onerous for companies. But going back to the purpose of POPIA – which is to give people a say in how their Personal Information is used so that it doesn’t infringe on their privacy – it is a necessary part of the Act. As with all the other conditions, there are exclusions and a lot more detail, so please read the relevant section of the Act to understand exactly what you will need to change in your business.
How important are the Eight Conditions for Lawful Processing?
It’s the key part of the Act for all Responsible Parties to understand, and there are a lot of very important details to understand in the Eight Conditions for Lawful Processing. The good news is that, if you’re addressing all Eight Conditions, you’re probably doing a good job of staying on the right side of the law.