During lockdown online buying has become the way to do and view things, from homes to clothing, food and gym equipment but before you press send on that online form, your right to the protection of how your ‘details’ are collected and processed is something you should be aware of, as should the responsible parties who can suffer significant legal and financial repercussions should they contravene the provisions of POPIA which came into effect on 1 July 2020. 

You know the drill, you’re flicking through homes on a property site, scrolling back to that house on the corner that’s looking even more affordable what with the recent reductions in the repo rate and you click on the standard information form which is a pre-requisite to you being able to receive a link to a virtual viewing, which admittedly you need and want to do, given you are in lockdown.   Without further thought, you complete the usual ‘what is your name, surname, cellular number and email’ press send, and boom the link is sent to you and you sit back, watch and pause and watch again, picturing the family in every room.  

But in the coming weeks advertisements keep on coming, and coming and coming, each one seemingly more personal than the last – emails addressed to you personally suggesting properties personalised to your profile (price, area and property specifications). At first you’re impressed to see how big data is being commercialised but as the emails keep coming you soon became annoyed by the fact that you never ‘opted-in’ to receive the emails and the ‘personal touches’ are now starting to make you feel somewhat uncomfortable since they are coming from an estate agent whom you have never even spoken to.

Stephan Haynes, from Gillan & Velhuizen Inc expands on why POPIA is very important for real estate players, and property buyers and sellers alike.     

Real estate players

As a responsible party you must also be POPIA compliant.  You are also encouraged to include compliancy clauses in your service agreements with third-party vendors and should review all such existing contracts to ensure compliance.

For an entity to become compliant with POPIA the following issues need to be considered:  

  1. Educate Executives on the “do’s and do not’s” of POPIA;
  2. Arrange the appointment an Information Officer;
  3. Review and update your Policies (Privacy Policy; Data Protection Policy, Personal Information Sharing Policy, BYOD; Password Policy; Document Retention Policy, Etc.); 
  4. Review and update Operations Contracts;
  5. Review and revise internal policies and practices.

Furthermore the Act states that personal information may only be processed if:

  • processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; 
  • protects the legitimate interests of the data subject; processing complies with for the proper performance of a public law duty by a public body; 
  • for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied”.

Bottom line, adds Haynes, is that the days of routinely collecting and then storing personal information are over and responsible parties must conform to the practice of less is more by only collecting personal data for justified purposes. 

Prospective buyers, sellers, tenants, landlords

Few prospective buyers are aware of their rights in terms of how personal information may be used; that they are entitled to the option to ‘opt-in’ and/or bar, in this instance the estate agency, from using your personal information.

It is worthwhile noting that personal information is a very broad term. POPIA lists some examples, which include demographic information, personal records, biometrics, personal opinions and identifying information.  POPIA further distinguishes “special personal information” as comprising of personal information pertaining to religious beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex or biometric information and criminal behaviour of the data subject.   

“Most importantly, the processing of special personal information is prohibited without the consent of the data subject and may only be processed if the requirements for consent and justification have been met,” cautions Haynes.   The collection of your personal information must be obtained directly from you unless the information contained is derived from a public record or has deliberately been made public by yourself. For this reason, Haynes warns data subjects to carefully consider the personal information you publish online as you may unwittingly be making your personal information ‘fair game’.

Roll on Level 1 where you can go back to strolling through a show house on a wintery Sunday afternoon with your wife, and choose whether or not to leave your contact details – but given the current circumstances we find ourselves in, at least you can be more informed as to your privacy rights before you click on that next online form.

If you suspect your personal information is being abused, you would be wise to seek advice either from an attorney or report any mis-use of your details to the ’Information Regulator’.   If your business needs guidance on becoming compliant with the regulations it would be wise to get legal advice or visit POPI Compliance.