Most data protection legislation, including the General Data Protection Regulation (GDPR), does not afford protection to the personal data of a legal person. South Africa’s Protection of Personal Information Act (POPIA) is quite unique in this regard, as POPIA affords protection to juristic persons (known globally as legal persons) in addition to natural persons.
In POPIA, the definition of “personal information” covers this by extending to, “where it is applicable, an identifiable, existing juristic person”. But what is the personal information of a juristic person? POPIA provides an open list of examples, but it is not always clear “where it [would be] applicable”.
You cannot protect or process a juristic person’s personal information lawfully if you do not know what counts as their personal information. This post helps you answer this question in more detail.
Personal information of a juristic person
In some instances, it will be relatively easy to determine some types of personal information of a juristic person. These are either relatively easy to identify or there has been case law to support this position. Here are some examples:
- any identifying number (for example, its registration number), symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the juristic person;
- account numbers;
- confidential oral or written communications of the directors and employees of a juristic person;
- information that private and public bodies use to take significant decisions relating to them (such as perhaps their BEE status);
- religious beliefs; and
- employee information (such as the number of employees, their identities, their remuneration, and their status within their organisation).
These are just a few examples. POPIA’s definition of personal information is open to interpretation, and more types could be added to this list.
What types of personal information will not apply to a juristic person?
As we’ve seen above, some types of personal information make sense to protect for a juristic person. Account numbers are a clear winner. Juristic persons are just as at risk of business email compromise as natural persons, if not more so, and account numbers often play a large role in this. On the other hand, there are types of personal information that a juristic person simply cannot have, or that it would not make sense to try to protect. We believe that POPIA is not likely to protect the following types of information:
- race (Dadoo Ltd v Krugersdorp Municipal Council);
- their identifying information – for example, their web address;
- their legal standing (whether the juristic person has legal capacity); or
- the information of the natural persons who manage and control them.
Crucially, the information of the natural persons associated with a juristic person would not be the personal information of a juristic person. Rather, that information is the natural person’s personal information and the natural person is the data subject in that context. POPIA does not need to extend to or protect it in relation to the juristic person as POPIA already affords the protection for the natural person.
The grey areas
We’ve listed types of personal information that probably will apply and types that probably won’t. But there are others that we are not sure about. The following types of personal information demonstrate these grey areas.
Publicly available personal information of a juristic person
A question we often get asked is whether POPIA applies to publicly available information. The answer is yes: POPIA will protect publicly available personal information.
The fact that personal information is publicly available does not relax a responsible party’s obligation to protect it. For example, you need to protect the personal information of your employees, as natural persons, and just because they might choose to list their personal information publicly on LinkedIn or Facebook does not mean you can relax that protection.
Most of a juristic person’s potentially personal information is publicly available via CIPC’s BizPortal. The question now is whether the same principles apply to juristic persons. Unfortunately, this is not entirely clear. Our research into the South African Law Reform Commission’s (SALRC) report suggested that they take the view that a responsible party does not need to protect this type of juristic person’s personal information.
Special personal information
Whether or not a juristic person can have special personal information is another grey area. Data protection law treats special personal information differently. So it is important to know whether a juristic person can have special personal information as different rules will apply to the way you process it.
In the USA, a juristic person can have a religion and it’s possible that South African courts will take a similar view. On the other hand, South African courts have clearly stated that juristic persons cannot have a race. Both of these types of information fall under the definition of special personal information. Consequently, we cannot say with certainty which special personal information types can or cannot apply to juristic persons. This is something that the courts will need to determine on a case-by-case basis.
This demonstrates another challenge for juristic persons’ personal information. One country might regard a juristic person as having a religion and another not. How should you protect the information in that situation? And not all data protection laws apply to or protect juristic persons. This may frustrate cross-border data transfers as various countries will not have adequacy ratings.
Conclusion
The answer to our question of “what is the personal information of a juristic person” is not clear and, in many instances, the courts will need to determine the answer on a case-by-case basis. What is clear, though, is the SALRC’s main reason for including juristic persons under POPIA’s protection. Their reason is that a juristic person has a legitimate interest in protecting their sphere of privacy. Consequently, you should keep a juristic person’s legitimate interests in mind when processing their information, as this will likely assist you in determining whether it is personal or not.
How can we help you?
We can:
- Help you comply with POPIA and improve your understanding of data protection law as it relates to juristic persons by joining our programme or attending an online data protection workshop.
- Answer your questions about juristic persons’ personal information by researching the types of personal information relevant to you and drafting an opinion.
You can:
- Stay on top of the data protection insights about juristic persons by subscribing to our newsletter.
- Keep up to date on what the court views as juristic persons’ personal information by subscribing to Giles Files.