The purpose of the Protection of Personal Information Act, 4 of 2013 (POPIA) is to promote the protection of personal information being processed by public and private bodies and to introduce certain conditions for the lawful processing of personal information.
As a public body (as described in section 1 of POPIA), the Companies and Intellectual Property Commission must ensure that whilst it performs a public function in terms of the Companies Act, 71 of 2008, the personal information of its clients are protected and lawfully processed.
The purpose of POPIA as it pertains to the CIPC is to –
“(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at-
(i) balancing the right to privacy against other rights, particularly the right of access to information;”
POPIA must be interpreted in such a manner that –
“does not prevent any public or private body form exercising or performing its powers, duties and function in terms of the law as far as such powers, duties and functions relate to the processing of personal information and such processing is in accordance with this Act or any other legislation”
This policy explains how we obtain, process and disclose the personal information of individuals and juristic persons in accordance with the requirements of the Protection of Personal Information Act (“POPIA“).
At CIPC we are committed to protecting our clients’ privacy and to ensure that personal information is collected, processed and disclosed (where applicable) properly, lawfully and transparently.
About the Companies and Intellectual Property Commission (CIPC):
The Commission (CIPC) was established in terms of section 185 of the Companies Act, 71 of 2008, (“the Act”) as a juristic person to function as an organ of state within the public administration, but as an institution outside the public service. In order to perform its functions as fully described in section 187 of the Act, it is necessary to collect, process and disclose in some instances the personal information of natural and juristic persons.
The information we collect:
In terms of the Companies Act, section 187 in toto, and specifically subsection (4), the Commission must-
“(a) establish and maintain in the prescribed manner and form-
(i) a companies register; and
(ii) any other register contemplated in this Act, or in any other legislation that assigns a registry function to the Commission;
(b) receive and deposit in the registry any documents required to be filed in terms of this Act;
(c) make the information in those registers efficiently and effectively available to the public, and to other organs of state;
(d) … ;
(e) perform any related functions assigned to it by legislation, or reasonably necessary to carry out its
assigned registry functions.”
Section 38 of POPIA provides for exemptions in terms of POPIA, in respect of certain functions of a public body.
“38(1) Personal information processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15, and 18, in any case to the extent to which the application of those provisions to the personal information would likely to prejudice the proper discharge of that function.”
The exempted functions referred to above, relate to the following
- The data subject’s right to object to the processing of personal information, in terms of section 11(3) and (4);
– This exemption indicates that the provision of personal information to the Commission is necessary and mandatory in order for the CIPC to perform its functions in terms of the Companies Act and other legislation.
- The obligation to ensure that personal information is collected directly from the data subject, in terms of section 12;
– CIPC may collect personal information of data subjects from other sources other than the data subject
- The requirement that further processing must be compatible with the purpose of initial collection, in terms of section 15;
– CIPC is required to maintain its registers for historical purposes (amongst others), which allows for collected personal information to be retained and processed further if required.
- The requirement to notify data subjects when collecting personal information in terms of section 18
-The CIPC is not required to notify data subjects when collecting personal information due to the impracticality thereof, thus, data subjects are required to provide consent to collect and process personal information, and the POPIA manual will serve as a general notification of collection, processing and disclosure of personal information.
“Relevant function” as described above, means any function of-
(a) a public body;
Information is collected either from the data subject directly, or from third parties (i.e. company secretaries, POA authorised persons, etc.) which “consent” is covered in the general consent confirmation when accessing the CIPC systems. Where possible we will inform natural and juristic persons what information is required to be provided to the CIPC in order to perform its functions and activities in terms of the Companies Act and other relevant legislation as described in schedule 4 of the Companies Act, 71 of 2008.
- How the CIPC processes the personal information collected:
The personal information of natural persons and where applicable juristic persons, will be used for the purpose for which it is collected. In addition, thereto, where necessary, information will be retained for legal, research and governance purposes.
Reasons for collection and retention of personal information:
(a) To gather contact information of an identifiable, living, natural person and where applicable an identifiable, existing juristic person;
(b) To confirm and verify the identity of a natural person (ID numbers) or juristic person (registration numbers) or to verify that a person (i.e. third parties) are an authorized user of the CIPC systems, processes, website, etc.
(c) For the detection and prevention of fraud, criminal activities, money laundering or any other malpractice based in dishonesty;
(d) To ensure compliance with the Companies Act and other legislation that the Commission is mandated to govern, i.e. maintain corporate and IP registers;
(e) To conduct customer satisfaction, trend development, statistical purposes and historical research or to allow for such research activities to be conducted making use of the CIPC data;
(f) For audit and record keeping purposes – the Companies and Intellectual Property Commission (CIPC) is the sole administrator and Regulator of the Companies Act and other legislation;
(g) To provide collected information in connection with legal proceedings and in the prevention, detection and prosecution of offences.
- Disclosure of information
The disclosure of personal information to other organs of state and the public in general is governed by the Companies Act, 71 of 2008 and particular reference is made to section 187(4)(c), which indicates that the Commission must make the information in our registers (corporate and IP) efficiently and effectively available to the public, and other organs of state.
Section 187(5) of the Act details what information should be made available to the public and in which format.
“(5) Subject to the provisions of subsections (6) and (7), any person, on payment of the prescribed fee, may-
(a) inspect a document filed under this Act;
(b) obtain a certificate form the Commission as to the contents or part of the contents of any document that-
(i) has been filed under this Act in respect of any company; and
(ii) is open to inspection; or
(c) obtain a copy of or extract from any document contemplated in paragraph (b); or
(d) through any electronic medium approved by the Commission-
(i) inspect, or obtain a copy of or extract from, any document contemplated in paragraph (b) that has been converted into electronic format; or
(ii) obtain a certificate contemplated in paragraph (b).”
In the process of disclosure of personal information, it is important to weigh the public interest against the interference with the privacy of a data subject.
Section 6 of the Protection of Personal Information Act (POPIA) provides for exclusions in terms of which the POPI Act would not apply to the processing of personal information in the circumstances listed.
Such exclusions that are applicable to the CIPC include-
(a) Information that has been de-identified to the extent that it cannot be re-identified again;
(b) Information that involves national security, including activities relating to financing of terrorist and related activities, defence or public safety;
(c) Provision of personal information in the prevention, detection, including assistance in the identification of the proceeds of unlawful activities;
(d) Information provided in the process of investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures;
(e) Personal information processed, that relates to the judicial functions of a court referred to in section 166 of the Constitution.
Exemption from conditions for the processing of personal information may be approved by the Information Regulator, if the processing thereof is in the public interest. (Section 37 of POPIA). Public interest includes-
(a) The interests of national security;
(b) The prevention, detection and prosecution of offences;
(c) Important economic and financial interests of a public body;
(d) Historical, statistical or research activity; or
(e) The special importance of the interest in freedom of expression.
- Information security
We are legally obliged (in terms of POPIA and other legislation) to take reasonable steps to provide adequate protection for the personal information we hold and to prevent unauthorized access and use of personal information contained on the CIPC registers.
On an ongoing basis (every 12 months), the CIPC will review internal security controls and related processes to ensure that the personal information kept on the CIPC records, remains secure and data subjects (natural and juristic persons) will be informed of any breaches in accordance with POPIA.
Our security policies and procedures cover the following:
(a) Physical security (files stored off site and in transit);
(b) Computer and network security (protocols in place to safeguard against malware, ransomware, unauthorized access, password security, etc.
(c) Access to personal information in terms of the Promotion of Access to Information Act (PAIA);
(d) Secure communications;
(e) Security in contracting out activities or functions to external service providers (“operators”);
(f) Data sales security;
(g) Retention and disposal of information;
(h) Acceptable processing of personal information in terms of POPIA;
(i) Governance and regulatory protocols;
(j) Monitoring access and processing of personal information (records of users accessing information via the CIPC registers);
(k) Investigating and reacting to security breaches, unlawful access and other security incidents;
- Correction of personal information
Every person (natural or juristic) has the right to access their own personal information and to ensure that the information is correct, up to date and accurate, in fact the CIPC insists that personal information is reviewed and updated annually, which is made possible by filing annual returns. It is each data subject’s responsibility to keep his or her personal information up to date and accurate.
- How to contact us
If you have any queries about the personal information that the CIPC processes or need further information regarding our privacy policies and security safeguards, please contact the CIPC via firstname.lastname@example.org