By Daniel Pretorius,Sinenhlanhla Dlamini Friday, July 07, 2023

On 14 June 2023, the Information Regulator gave notice, in terms of section 61(2) of the Protection of Personal Information Act 4 of 2013 (POPIA), that it is in receipt of a proposed Code of Conduct from the Direct Marketing Association of South Africa (DMASA). On 30 June 2023, the Department of Justice and Constitutional Development published the notice in the Government Gazette.

Overview of the DMASA

The DMASA is an independent body established by companies in the direct marketing industry to ensure that the industry’s self-regulation system is aligned with the public interest. The DMASA has developed a proposed Code of Conduct to ensure its members comply with the requirements of POPIA when engaging in direct marketing activities.

Direct marketing requirements in terms of POPIA

In terms of POPIA, ‘direct marketing’ means to ‘approach a data subject either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject or requesting the data subject to make a donation of any kind for any reason’. POPIA outlines, amongst other things, the rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories, and automated decision-making.

Overview of the proposed Code of Conduct

The proposed Code of Conduct aims to govern the processing of personal information by institutions that are members of the DMASA. The purpose of the proposed Code of Conduct is to:

  • promote appropriate practices, by members of the DMASA, governing the processing of personal information in terms of POPIA;
  • encourage the establishment of appropriate agreements between members of the DMASA and third parties to regulate the processing of personal information; and
  • establish procedures for members of the DMASA to be guided in their interpretation of POPIA and any other data protection laws.

In doing so, the proposed Code of Conduct:

  • provides guidance as to the roles and responsibilities of parties involved in the processing of personal information in direct marketing activities;
  • obliges DMASA members to conduct a personal information impact assessment to measure current and planned direct marketing activities against the lawful processing of personal information; and
  • provides guidance regarding resolving complaints received from data subjects (typically ordinary members of the public).

Importantly, members of the DMASA who process personal information for direct marketing activities in compliance with this proposed Code of Conduct will generally be exempt from requesting prior authorisation and having to notify the Information Regulator when they intend to conduct any of the following activities in terms of section 57(1) of POPIA:

  • processing any unique identifiers in relation to data subjects;
  • processing information on criminal behaviour or unlawful or unconscionable conduct on behalf of third parties;
  • processing information for the purposes of credit reporting; or
  • transferring special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

Status of the proposed Code of Conduct

 In terms of section 61(2) of POPIA, a notice has been published in the Government Gazette in terms of which affected parties are invited to submit written comments on the proposed Code of Conduct, within 14 days of its publication, to the Information Regulator at the following email address: [email protected]. The deadline for the submission of comments is 14 July 2023.

If the proposed Code of Conduct is recognised under POPIA, it will be enforceable against all members of the DMASA in respect of direct marketing activities where personal information is processed after the effective date of the Code of Conduct.