Data Subject Rights (i.e. Members, Tenants, Staff, etc.)
“Personal Information” is any information at all that a living individual or juristic person can be identified from – it can be their name, address, email address, mobile phone number, bank account information, payment card details, computer and mobile phone IP addresses – as well as all information that is specifically linked to a person (for example, the person’s use of our clubs or the class bookings they make).
The key rights that are given to persons under POPIA are to:
- Request access to their personal information (commonly known as a "data subject access request"). Persons are entitled to receive a copy of the personal information we hold about them.
- Request rectification of the personal information that we hold about them. This enables persons to have any incomplete or inaccurate information we hold about them corrected.
- Request erasure of their personal information. This enables persons to ask us to delete or remove personal information where we no longer need it for the purposes for which it was collected. They also have the right to ask us to delete or remove their personal information where they have successfully exercised their right to object to processing (see below), where we may have processed their information unlawfully or where we are required to erase their personal information to comply with a legal obligation.
- Request the transfer of their personal information to themselves. In this circumstance we must provide the person with their personal information in a form that is generally understandable.
- Object to processing of their personal information where we are relying on a “legitimate interest” ground and there is something about their particular situation which makes them want to object to processing on this ground as the person feels it impacts on the person’s fundamental rights and freedoms. They also have the right to object where we are processing their personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process their information which override their rights and freedoms (for example, where we need to retain their information to enable us to defend potential legal claims).
These rights are not all absolute rights that can be exercised by persons in any circumstance – not every request we receive will have to be complied with. We should try to facilitate customers’ wishes where it is not difficult or time-consuming for us to do so, but we are not legally required to comply with all requests. The request has to meet certain criteria under POPIA for us to be required to action it.
Where a request is made, we have an obligation to respond “within a reasonable time” of the request being made. If we have a lawful reason for not complying with the request, we have to explain this without undue delay.
The Information Regulator, South Africa’s supervisory authority in relation to data protection, can be contacted at the contact details made available on https://justice.gov.za/inforeg/.
Practical steps to follow when a request is received
When a request is made, we should verify the person making the request to make sure they are who they say they are.
We should acknowledge requests promptly, and explain that we will respond as soon as we are able to. We should do that in an email so that we have a record of having done so.
We should create a tracker of requests made (access to which should be limited to those within the Customer Experience team who need to be able to access the tracker) to log when requests were made, the person making the request, the nature of the request, the date of acknowledgement, the date of response and the nature of the response.
As noted above, the rights persons have under POPIA apply in particular circumstances. The notes below give guidance as to the relevant considerations we should be making when handling such requests.
We can only charge the prescribed fee (set out in our manual under section 51 of the Promotion of Access to Information Act, 2002 (PAIA)) for copies of personal data and we have to give the person a written fee estimate of these costs before providing the data to the person. In certain circumstances listed in PAIA these requests can be denied. All requests for information must be referred to Legal.
Requests for access
- This right is available to all members (and other persons whose personal information is under our control) and we must comply with it unless there is a ground for refusal under PAIA.
Requests for rectification
- This right is available to all members (and other persons whose personal information is under our control). We must comply with it, and we should correct or complete inaccurate or incomplete data we hold on request.
- The request must be made in the prescribed form attached hereto.
Requests for erasure
- This right is not always available to members (and other persons whose personal information is under our control).
- The request must be made in the prescribed form attached hereto.
- It is available where it is no longer necessary for us to retain the personal data in question for the purpose for which we collected it.
- It is available where we process on the basis of our “legitimate interests” and the person objects to us processing the data for reasons connected with the person’s particular situation, and our “legitimate interest” in processing the data does not override the person’s interests in having the data erased.
- If a person requests erasure but we have a “legitimate interest” in retaining it, ask what it is about their particular situation that is the reason for the request.
- We are able to retain the information regardless of the request if it is necessary for us to do so to comply with a legal obligation or to make or defend legal claims.
Requests for transfer
- This right is available to all members (and other persons whose personal information is under our control) unless there is a ground for refusal in terms of PAIA.
- Where we are required to transfer data we have to do so in a generally understandable format.
Objections to processing
- This right is available where we are processing personal information on “legitimate interest” grounds unless we can demonstrate that our legitimate interest in processing the data outweighs the interest of the person objecting to processing.
- We do not have to comply with the request where we need to store or process the data to enable us to make or defend legal claims.
- Where personal information is processed for direct marketing purposes, a person always has the right to require us to stop sending direct marketing – you should update the person’s marketing preferences (get in touch with the Customer Experience team in this regard and ask them to update our systems).
- If you are in doubt as to the appropriate action to take, discuss with the Customer Experience Manager and the Legal team.
REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO.4 OF 2013). REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 3].