The regulator published a guidance note on exemptions from the conditions for lawful processing of personal information in terms of sections 37 and 38 of POPIA on 21 June 2021. The guidance note helps those who intend to apply for exemption and those who are automatically exempt. The guidance note raises all sorts of questions.
- Who is exempt from having to comply with POPIA?
- Is my organisation exempt?
- Is it worth me applying for exemption?
- How do I apply?
- What information must I provide to support my application?
- Does this mean I don’t have to comply?
This exemption from POPIA is different to being exempt from having a PAIA manual. They are totally different things, so be sure not to confuse the two. This is also different from prior authorisation.
The golden nuggets
You can be exempt in one of two specific circumstances.
- Some organisations have to specifically apply for exemptions (section 37)
- Other bodies who protect the public are partially and automatically exempt (section 38), and do not have to apply.
The guidance note unfortunately does not give us much more than what is already in POPIA. This article should help you find answers to most of your questions. If not, contact us on the right and we can help you.
Very few bodies are or will be exempt. This is probably not your get-out-of-jail-free card.
Even where you think you are automatically exempt, you have to keep striving to comply with all the conditions for lawful processing until the regulator exempts you by placing a notice in the government gazette.
The regulator may limit your exemption and still require you to comply with some of the conditions.
Public interest or benefit outweighs infringement – Application only
The regulator may exempt a responsible party from having to comply with POPIA (or part of it) if:
- the public interest outweighs the interference with privacy, or
- the benefit to the data subject (or third party) outweighs the interference with privacy. (section 37)
For example, if a pension fund wants to find people who have not claimed their pension, but they can’t because of POPIA, the regulator would probably grant them an exemption.
What is the public interest?
The guidance note says that “Public interest is a wide and diverse concept that cannot and should not be limited in its scope and application. The definition of what constitutes public interest varies across jurisdictions and should be assessed on a case-by-case basis. In its very basic formulation, public interest is the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted, imposed or pursued in the spirit of equality and justice.”
POPIA itself gives us examples:
- (a) the interests of national security
- (b) the prevention, detection and prosecution of offences
- (c) important economic and financial interests of a public body
- (d) fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c)
- (e) historical, statistical or research activity
- (f) the special importance of the interest in freedom of expression.
The guidance note adds to these examples and gives further information, which is useful.
Benefit to the data subject (or third party)
To succeed in receiving this exemption, a responsible party must:
- explain why the processing will benefit the data subject,
- state the nature of the benefits, and
- specify how the benefit outweighs the interference.
Application for exemption using the application form
To apply, you need to complete the exemption application form and email it to the regulator. The regulator will acknowledge receipt of your application by email with an application reference number. You may send additional information in support of your application. If the regulator grants the exemption, it may impose reasonable conditions and it must publish an exemption notice in the gazette.
Bodies that protect the public are automatically and partially exempt
If complying with POPIA means that a body (or person) that protects the public cannot perform their function (section 38), they are exempt from having to:
- give the data subject the right to object to them processing (section 11(3) and (4)),
- collect personal information directly from the data subject (section 12),
- restrict further processing (section 15),
- notify the data subject about their processing (section 18).
A good example is the public protector. Unbelievably, at the time of writing this article, the public protector did not have a valid SSL certificate on their website. Remember that they must comply with the rest of POPIA. A body wishing to rely on this partial exemption must document the reasons it relies on so that it can provide them to the regulator if asked.
This is an automatic exemption and the body does not need to apply.
Guidance note on exemptions from the conditions of POPIA
Find out more by reading the guidance note itself. We don’t suggest this because it does not add much more than is in this post.