THE 8 CONDITIONS FOR THE PROCESSING OF PERSONAL INFORMATION: PART III

Protection of Personal Information Act

Addressing compliance with the Protection of Personal Information Act, 2013 (“POPI“) may seem like a daunting task. The good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

Our previous two articles looked at conditions 1 through 4. This article addresses the 5th and 6th conditions, namely, information quality, and openness.

Condition 5: Information Quality

In terms of POPI, a responsible party must take reasonably practicable steps to ensure that the personal information it processes is complete, accurate, not misleading and updated where necessary. This is applicable to information collected both electronically and manually.

In doing so, the responsible party must have regard to the purpose for which personal information is collected or further processed. In other words, the purpose for collecting personal information must be considered in deciding on the mechanisms to keep information updated. In this regard, compliance with condition 3 (purpose specification) is essential to compliance with condition 5 (information quality).

POPI does not specify what constitutes “reasonably practicable steps”. Accordingly, each business must consider its own operations to ensure that personal information is correct and updated as and when required.

Data subjects must be informed of and reminded of their duty to provide personal information that is up-to-date and to notify the responsible party where any such information requires correction.

Practically, in dealing with the processing of personal information belonging to your customers, for example, you may use your customer terms and conditions as the mechanism to draw attention to the customer’s duty to notify you of any changes to their personal information.

It has been stated, in the context of the European Union’s data protection laws, that personal information utilised merely as a historical record of a transaction does not require updating as its purpose is to record information at the time of the relevant transaction.

Condition 6: Openness

The condition of openness relates to transparency, and has two primary elements, namely maintaining documentation relating to processing operations, and notifying data subjects of the collection and processing of their personal information.

Documentation:

In terms of section 17 of POPI, a responsible party must maintain documentation of all processing activities. Furthermore, where applicable to the responsible party, a manual must be developed in terms of the Promotion of Access to Information Act, 2000 and made available to data subjects.

Notifying data subjects:

When personal information is collected from a data subject, the responsible party must take reasonably practical steps to ensure the data subject is kept notified of such collection each time personal information is collected from the data subject.

These steps include ensuring that the data subject is aware of:

  • The fact that the information is being collected.
  • The name and address of the responsible party.
  • The purpose for which the information is collected.
  • Whether is collection of the information is voluntary of mandatory.
  • The consequences of failing to provide the information.
  • Any laws that authorise the collection of the information.
  • Where applicable, that the responsible party intends transferring the information to another country.

Data subjects should be notified before their personal information has been collected (or as soon thereafter as possible). You may use a privacy notice displayed on your website to achieve compliance with the above, provided the privacy notice is easily accessible and sufficient attention is drawn to its existence.

There are certain exclusions to the general rule of having to notify data subjects. It is important to consider these exclusions carefully so that, if relying on any such exclusions, you don’t fall foul of POPI.

Read Part I here. Read Part II here

Contact us here.

The 8 Conditions for the Processing of Personal Information: Part II

Protection of Personal Information

The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI“) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

Our first article looked at conditions 1 and 2, namely, the accountability of the responsible party, and the limitations placed on processing. Now that you know that you need to be accountable and impose limitations on processing of information, we will look at conditions 3 and 4: purpose specification and further processing limitation.

Condition 3: Purpose Specification:

When you collect personal information, it must be for a purpose. It cannot be collected on the basis that the information “might be useful” or is “nice to have”. For every piece of personal information that you collect, you need to specifically and explicitly define the purpose for collecting the information. For example, if you collect cookies from website users, you need to articulate why you do so and for what purpose.

Personal information, once collected, must not be kept longer than necessary. Once you have no further need for the personal information, it must be destroyed or permanently deleted. Unless the law requires you to keep certain records, these records should only be kept for so long as it is reasonably required. Records can also be retained for longer than necessary with the consent of the data subject. We recommend that you obtain the consent of data subjects to (securely) retain their personal information for an indeterminate amount of time, unless the data subject requests its deletion sooner. With consent, you do not have to worry about constantly staying on top of retention timelines.

Condition 4: Further Processing limitations:

You might have collected a client’s contact details for purposes of onboarding them as a potential client. Once they have been onboarded as a client, may you use those contact details for another purpose i.e., further processing? That depends. Further processing must be compatible with the original purpose for which it was collected. In the current example, using the contact details to invoice the client for work performed pursuant to the onboarding process would be acceptable. However, using those contact details to contact the client on a matter pertaining to a separate business division, or sharing those contact details with another service provider may not be acceptable. You need to weigh up:

  • the relationship between the original purpose of collecting the information and the purpose behind the further processing – how close is the relationship?
  • the nature of the information – a personal phone number or email address may need to be treated with more caution than a generic “info” address or telephone number.
  • the consequences of the intended further processing for the client – how severe are the consequences?
  • the manner in which the information has been collected – was it collected under the guise of a particular purpose, by a particular person, in such a way that an impression could be created that the information would not be used elsewhere?
  • any contractual rights and obligations between the parties. If you need to use a client’s contact details to send an invoice to them as per your contract with the client, it is acceptable to use the contact details for that purpose, despite the fact that the details may originally have been collected for a different purpose.

Read Part I here.

Contact Brevity Law here.

Juliette Thirsk
Author: Juliette Thirsk

The 8 Conditions for the Processing of Personal Information: Part I

Protection of Personal Information

The deadline for full compliance with the Protection of Personal Information Act, 2013 (“POPI“) is around the corner, and it certainly has caused a recent spike in emails from concerned clients wondering if it is too late. Although ensuring compliance may seem like a daunting task, the good news is that it is not too late; the better news is that you may be further along than you think.

Over the next few weeks, we will be briefly unpacking POPI’s minimum requirements for the processing of personal information. These requirements are set out in Part A of Chapter 3 of POPI, and incorporate the following conditions:

1) Accountability of the Responsible Party

2) Processing Limitation

3) Purpose Specification

4) Further Processing Limitation

5) Information Quality

6) Openness

7) Security Safeguards

8) Data Subject Participation

This article addresses the first two conditions, namely, the accountability of the responsible party, and the limitations placed on processing.

Condition 1: Accountability of the responsible party:

In terms of POPI, the responsible party must take necessary measures to ensure, amongst other things, the security, integrity and safety of information processed, including by adopting appropriate, reasonable technical and organisational measures to prevent loss, damage, or unlawful access to data in its possession or under its control. An organisation that collects the names, identity numbers and financial information of its clients will, of course, be held to a higher standard of care that an organisation that only collects email addresses. Practically speaking, you need to make sure that the personal information you collect is safe and secure. If it is stored digitally, you must ensure appropriate firewalls, antivirus software and anti-spyware packages are installed. If you are using a third-party sever, ensure that you are using a trusted provider that has its own security measures in place. You need to make sure that you use complex passwords. If you have personal information accessible in hard copy form, these need to be securely stored and not lying around on a desk in an open-plan office. Invest in a paper shredder. Your employees need to be educated about their responsibilities under POPI.

Another feature of accountability is the requirement for every organisation to have an ‘information officer’. This individual is responsible for:

  • encouraging compliance with the conditions for lawful processing of personal information;
  • attending to any POPI-related requests or queries;
  • ensuring that the organisation is POPI compliant; and
  • assisting the regulator with any investigation relating to the organisation’s POPI compliance.

Where the details of an alternative individual aren’t registered with the regulator, the default position is that this role is assigned to the head of the organisation.

Although the information officer is the custodian of activity relating to the processing of personal information (and may ultimately be held accountable), it is the responsibility of the organisation as a whole to ensure compliance with POPI. It is accordingly important that each member of an organisation that handles personal information is adequately educated in respect of the organisation’s data protection policies.

Condition 2: Processing limitations:

In addition to the condition relating to accountability, POPI imposes limits on the way personal information may be processed, by requiring that the processing of personal information be lawful and reasonable, meet the requirement of minimality, and that the consent of the data subject be obtained.

In processing personal information, you must ensure that the information is only processed to the extent that it is adequate, relevant and not excessive, given the purpose for which it is processed. Put simply, an organisation should never collect or keep more personal information than it needs.

In order to process personal information, the voluntary, specific and informed consent of the relevant data subject (or competent person, in the case of a minor) must be obtained. This can easily be achieved by providing data subjects with access to an accurate privacy notice which they must actively consent to by, for example, utilising a tick-box. This privacy notice must be clear and concise so that the data subject understands exactly what information is being processed and why. It is important to note that POPI provides that a data subject may withdraw its consent at any time and/or request that its personal information be deleted, so the personal information relating to each specific data subject should be easily accessible so requests can be complied with timeously.

Contact Brevity Law here.

Candice
Author: Candice Dayton

Shareholder Loans and the National Credit Act

Shareholder Loans and National Credit Act

Introduction

Loans made by a company to its shareholders, and shareholder loans made to companies are common. In particular, and often in B-BBEE transaction, we see companies offering vendor finance to prospective shareholders by way of the provision of loan funding, with interest. The borrowing shareholder in such an example is often an individual, and a minority shareholder without a controlling interest in the company. Our clients are often surprised to learn that this arrangement falls within the ambit of the National Credit Act. As a result, the company, as lender, will not be able to enforce its rights under the loan agreement, unless it is a registered credit provider (which it will not be, unless it is in the business of money lending). Our clients will say to us, “But this is a once-off shareholder loan. Surely there is no need for us to register as a credit provider?”. Unfortunately, the National Credit Act is broad enough in its application that it very likely could apply in such a situation.

Application of National Credit Act

The National Credit Act applies to every credit agreement between parties dealing at arm’s length and made within, or having an effect within, South Africa, subject to certain exceptions. For example, if the borrower is a juristic person (e.g. a company) with an asset value or annual turnover which is, at the time the agreement is made, equal to or more than R1,000,000, then the credit agreement will not be subject to the National Credit Act. Large credit agreements (more than R250,000) are also not subject to the National Credit Act if the borrower is a juristic person (even with no, or very little, asset value or turnover).

A loan made to a borrower that is not a juristic person will not fall within any of these exceptions.

But surely, regardless of the size of the loan or whether the borrower is a juristic person, loans to shareholders and shareholder loans are not subject to the National Credit Act for the simple reason that they are not made between parties dealing at arm’s length?

Shareholder Loans Exception

Many of our clients assume that the National Credit Act doesn’t apply at all to shareholder loans, or loans to shareholders. However, the National Credit Act states that this is only the case where the relevant shareholder has a controlling interest in the company. A controlling interest is not defined in the National Credit Act, but it was confirmed in a High Court judgement that “there appears little purpose in limiting the term to a majority shareholding … It is clear that a person can influence the affairs of another person by means other than holding a majority shareholding in the latter.” Whether a shareholder has a controlling interest in a company must be assessed on a case by case basis. However, what is clear is that if a company lends money to a minority shareholder (with no controlling interest) or vice versa, that transaction will not automatically be seen as arm’s length.

Arm’s Length

We caution our company clients to make sure that if they lend money to one of their minority shareholders, that the arrangement must genuinely not be arm’s length, for reasons other than the fact that there is shareholder relationship between them. The key here is that the arrangement must be one in which each party is not independent of the other and consequently does not necessarily strive to obtain the utmost possible advantage out of the transaction. In the relevant loan agreement, we would state that this is the case and reference why it is the case, for example, with reference to the interest rate or repayment terms being more favourable than what the borrower would otherwise obtain from a third party financier. Substance over form is important here, however. It doesn’t matter what a contract says, if, in fact, the loan terms demonstrate that the transaction is arm’s length and akin to any ordinary commercial lending arrangement.

Consequences of Non-Compliance

The National Credit Act requires that a person must apply to be registered as a credit provider if the total principal debt owed to that credit provider under all outstanding credit agreements exceeds the prescribed threshold – which has been nil since 11 May 2016. If the lender, or credit provider, is not registered as such, the loan agreement is seen to be invalid. The lender will not be able to enforce its rights for repayment of the loan.    

Conclusion

A loan agreement which is subject to the National Credit Act will be invalid if the lender is not a registered credit provider. It does not matter whether the loan is a once-off arrangement, or whether it is made between a company and a shareholder. A shareholder loan (bearing interest) does not automatically fall outside the ambit of the National Credit Act. We caution our clients who are considering lending money to a shareholder or to a prospective shareholder to consider the National Credit Act carefully. The loan arrangement must not be arm’s length in nature. The parties must be able to show that the loan was made due to the shareholding relationship between the parties and the terms must reflect that the lender is not striving to obtain the utmost possible advantage out of the transaction.   

Contact Brevity Law here.

Juliette Thirsk
Author: Juliette Thirsk

WHAT DOES THE NATIONAL CREDIT ACT SAY ABOUT RECKLESS LENDING?

National Credit Act

What is Reckless Credit?

Reckless Credit is any credit granted to a consumer in terms of a credit agreement where the credit provider (e.g., a bank, or a retail store), at the time the credit agreement is to be concluded, has not conducted a proper assessment.

What is the credit assessment?

When a consumer applies to credit, the credit provider must conduct a proper assessment of the consumer. As part of this assessment, the credit provider must take reasonable steps to evaluate the prospective consumer’s (i) understanding and appreciation of the proposed credit agreement (the risks, and costs to be incurred, as well as the consumer’s rights, under the credit agreement) and (ii) the prospective consumer’s ability to meet his or her obligations timeously (e.g., the ability to pay instalments in full and on time).

The credit provider is also obliged to assess the debt repayment history (credit rating) of the consumer under other credit agreements, the consumer’s existing financial means, income and expenditure and the prospects of success of any commercial purpose, if this is the reason for application for credit.

The prospective consumer, during the assessment, must fully and truthfully answer any requests for information made by the credit provider.

When is a credit agreement reckless?

A credit agreement may be reckless if:

  • If the credit assessment is not done at all
  • Where a credit assessment is conducted, but it is apparent to the credit provider that the consumer does not fully understand and appreciate the implications, costs, risks and obligations of entering the credit agreement
  • Where, even if the assessment were properly conducted, and even if the consumer did fully understand and appreciate the implications of the credit agreement, by entering into the credit agreement, the consumer would become over-indebted.

When can a credit provider defend an allegation that a credit agreement is reckless?

If the credit provider shows that a consumer did not fully and truthfully answer any requests for information made by the credit provider when doing its assessment, and that such failure had a material impact on the credit provider’s ability to make a proper assessment, then this is a complete defense to an allegation of reckless credit. This means that a court would not set aside or suspend a credit agreement and the consumer will be bound by it.

What happens if the credit is reckless?

The consequences are drastic. The credit agreement may be set aside, which means that the credit provider cannot claim payment of any amounts due by the consumer, nor for the return of any goods bought on credit. The credit agreement may be suspended, which means the consumer’s obligations to perform (e.g. to make payment), and the credit provider’s right to enforce its rights (e.g. to enforce payment) are suspended for a time, where after they revive. During suspension, no interest or charges may be levied by the credit provider.

Contact Brevity Law Here.

Author: Shelley Mackay-Davidson

,

WHAT DOES THE NCA SAY ABOUT LEASING MOVABLES?

National Credit Act

Introduction

The National Credit Act, 2005 (“National Credit Act“) has widely been criticized as being one of the most confusing pieces of legislation in our law. In fact, in Absa Technology Finance Solutions (Pty) Ltd v Michael’s Bid A House CC and Another 2013 (3) SA 426 (SCA), in referring to the decision made by the court of first instance, Lewis JA stated “the [H]igh [C]ourt … held that the particular lease was not a lease. This may sound like a fragment of Alice in Wonderland.  If that is so, it is because the [National Credit] Act itself could have been written by Lewis Carroll, so peculiar are some of its provisions“. So what is it about the way the National Credit Act deals with leases that is so peculiar?

What is a lease?

Most would agree that a lease can accurately be described as an agreement in terms of which one person (the lessor) gives another person (the lessee) temporary possession of property in exchange for the payment of rent. The word “temporary” assumes that the property must be returned by the lessee to the lessor at the end of the agreement.

The National Credit Act’s definition of a lease

The National Credit Act also defines a lease as an agreement in terms of which “temporary possession” of movable property is given to a lessee. However, the definition then goes on to specify that at the end of the agreement, ownership of the property in question passes to the lessee (rather than requiring possession to be returned by the lessee to the lessor). 

This definition is clearly problematic. Not only does it run counter to the essential elements of a lease, but the reference to “temporary possession”, followed by the requirement for ownership of the property to pass to the lessee at the end of the lease, is illogical.

Conclusion

While the National Credit Act is commendable in its aim to protect consumers by promoting fair and responsible lending practices, it can be an intimidating piece of legislation, rife with obscurity. If you are in the business of leasing moveable property, be sure to investigate whether the National Credit Act applies to you.

Contact Brevity Law here

Author: Candice Dayton

Exchange Control – An investors nightmare?

Exchange Controls

Essentially, Exchange Controls are limitations and rules imposed by governments on currency transactions.

The intention is that these controls will create a way to stabilize economies by limiting and controlling how money flows in and out of a country, which left unchecked, would (this is the logic) detrimentally affect currency stability, and would create an unacceptable level of currency volatility.

How does exchange controls affect foreign investment

Unfortunately, while the intention to protect the currency may be good, the fall out is that Exchange Control regulations can be problematic for potential investors into South Africa, who may not be aware of them, or who underestimate the consequences of not having the correct approvals and structures in place, when investing.

If not dealt with at the time of investment, this can lead to a potential nightmare for the foreign investor down the line when wanting to disinvest, when wanting to repay loans or when wanting to reap the benefits of any investment upside, such as dividends.

If you are looking to invest into South Africa, for example,  by way of equity investment, or by way of lending money, you must consider the Exchange Control implications upfront and ensure that your proposed investment is properly structured and approved in terms of the applicable Exchange Control regulations.

What steps should an investor take?

When making an investment into South Africa it is crucial that you consider whether you need to obtain the approval of the South African Reserve Bank (SARB) through an Authorised Dealer. Approval is generally required for most movement of capital/funds in and out of South Africa. 

Whilst SARB has relaxed exchange controls over the last few years with the intention of decreasing the administrative burden for businesses, where foreign investors subscribe for shares in a South African company, it is a requirement for the share certificates to be endorsed ‘nonresident’ by an Authorised Dealer (generally one of the large commercial banks in South Africa). This allows for any dividends declared in such shares to be freely repatriated from South Africa. Where the foreign investor advances a loan to a South African company, it is necessary to obtain exchange control approval for the loan. Once approval has been obtained, any interest or capital repayments on the loan may be freely remitted from South Africa.

Without these approvals in place, it would be extremely difficult to repatriate any investment.

Author: Shelley Mackay-Davidson

For any Questions please Click Here to contact us.

Endorsement of non-resident share certificates

Endorsement

Introduction

The Exchange Control Regulations of 1961 (“Regulations”) were promulgated in terms of the Currencies and Exchanges Act, 9 of 1933. This is to regulate the flow of funds into South Africa from external or foreign sources. As well as the outflow of funds from South African residents in South Africa to non-South African residents. In terms of the Regulations, natural and juristic persons acquiring ownership of shares in South African companies must obtain a ‘non-resident’ endorsement on their share certificates.

Submission for non-resident endorsement

The Regulations provide that within 30 days of a natural or juristic person purchasing or subscribing for shares in a South African company. Their share certificates must be submitted to an authorised dealer, along with the following information:

  • the name and country of residence of the foreign acquirer, together with a declaration of non-residency;
  • the name of the South African company in which the shares are being acquired;
  • the total number of shares being acquired; and
  • the name and residential address of the person in possession of the shares.

Once the authorised dealer has satisfied itself with its assessment of the submission, it will affix a ‘non-resident’ stamp to the relevant share certificate.

Consequences of non-compliance

The ‘non-resident’ endorsement is more of a formality than an ‘application’. However, failure to obtain this endorsement will mean that the non-resident shareholder will not be entitled to repatriate any sale proceeds or dividends (or other distributions) is in respect of the South African company until it has successfully been granted condonation from the South African Reserve Bank.

Author: Candice Dayton

For any questions please click here to contact us.

Are Loop Structures “Still A Thing”?

Loop Structures

For years, many of our South African clients raising capital have struggled to attract investment from offshore.  It is a familiar story. Investors are willing to bet on South African companies. However, they would prefer to do it via an offshore holding company. This would typically be in an investment friendly jurisdiction with which they are familiar. Importantly, the jurisdiction of choice typically has a more favorable regulatory and tax regime than South Africa. For example, R&D tax credits. However, these structures have not been allowed thanks to the South African Reserve Bank’s infamous loop structure prohibition.

What is a Loop Structure?

A loop structure can be summarized as a structure where a South African has an interest in a foreign structure, and that foreign structure in turn (directly or indirectly) owns assets in South Africa.

Since 2018, South African exchange control has only permitted South Africans to hold no more than 40 per cent equity in a foreign structure which in turn has investments in South Africa. Previously, the permitted equity percentage threshold was even lower.

There is an exception to the loop structure restrictions. Unlisted South African technology, media, telecommunications, exploration and other R&D companies are allowed to establish an offshore company to raise foreign funding. Crucially, however, the established offshore company still has to be a tax resident of South Africa. The tax implications meant that this exception had little to no effect practically speaking. Our clients continue to implement complex, clunky (and expensive) alternative structures in order to establish an offshore presence, without falling foul of the Exchange Control Regulations.

Removal of Loop Structures

However, in October 2020, there was good news. The October medium term budget speech announced the “removal” of loop structure restrictions.

National Treasury stated that:

“the full ‘loop structure’ restriction has been lifted to encourage inward investments into South Africa, subject to reporting to Financial Surveillance Department of the South African Reserve Bank (FinSurv) as and when the transaction is finalized. This reform will be effective from 1 January 2021, provided that the entity is a tax resident in South Africa.”  

Tax residency is accordingly still a requirement for any company wishing to set up a loop structure. Once again, we cannot realistically see any of our clients embracing this new exemption with any gusto.  

No circulars have yet been issued amending our Exchange Control Manuals to make this “removal” of loop structure prohibitions effective. As at the date of writing, the loop structure restrictions are alive and well in the existing manuals. Hopefully publication of these amendments is imminent.

However, with the tax residency disclaimer in place, this “liberalization” may turn out to be a damp squib.

If you have any questions please click here to contact us.

Juliette Thirsk
Author: Juliette Thirsk

Shelley’s Best Lawyers Nomination!

Congratulations to our founder, Shelley Mackay-Davidson, for selection by her peers for inclusion in the 10th Edition of The Best Lawyers in South Africa, for her work in Corporate Law and Real Estate Law (for 4 years running!). Only the best at Brevity Law! https://www.bestlawyers.com/current-edition/south-africa