- You can rely on this lawful basis if you need to process the personal information to comply with a common law or statutory obligation.
- This does not apply to contractual obligations.
- The processing must be necessary. If you can reasonably comply without processing the personal information, this basis does not apply.
- You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
- You should be able to either identify the specific legal provision or an appropriate source of advice or guidance (e.g. Legal Register) that clearly sets out your obligation.
- What’s required?
- What does POPIA say?
- When is the lawful basis for legal obligations likely to apply?
- When is processing ‘necessary’ for compliance?
- What else should we consider?
The lawful basis for processing necessary for compliance with a legal obligation is set out in Section 11(1)(c). You need to review your existing processing so that you can document where you rely on this basis and inform data subjects.
Section 11(1)(c) provides a lawful basis for processing where:
“processing complies with an obligation imposed by law on the responsible party”
In short, when you are obliged to process the personal information to comply with the law.
Section 11(1)(c) requires that the legal obligation must be laid down by law. A recent judgement confirms that this must be an explicit statutory obligation.
This means that there must be a legal obligation specifically requiring the specific processing activity. Your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in law or statute.
You should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations, or prepare a legal register.
An employer needs to process personal information to comply with its legal obligation to disclose employee salary details to SARS.
The employer can point to SARS documentation where the requirements are set out to demonstrate this obligation. In this situation it is not necessary to cite each specific piece of legislation.
A financial institution relies on the legal obligation imposed by anti-money laundering legislation to process personal information in order submit a Suspicious Activity Report to the Financial Intelligence Centre when it knows or suspects that a person is engaged in, or attempting, money laundering.
A court order may require you to process personal information for a particular purpose and this also qualifies as a legal obligation.
Regulatory requirements also qualify as a legal obligation for these purposes where there is a statutory basis underpinning the regulatory regime and which requires regulated organisations to comply.
Although the processing need not be essential for you to comply with the legal obligation, it must be a reasonable and proportionate way of achieving compliance. You cannot rely on this lawful basis if you have discretion over whether to process the personal information, or if there is another reasonable way to comply.
It is likely to be clear from the law in question whether the processing is actually necessary for compliance.
If you are processing on the basis of legal obligation, the data subject has no right to erasure or right to object.
- document your decision that processing is necessary for compliance with a legal obligation;
- identify an appropriate source for the obligation in question; and
- include information about your purposes and lawful basis in your privacy notice.