The responsible party must obtain prior authorisation from the Information Regulator prior to any processing if that responsible party plans to—:
- processing of any unique identifiers of data subjects—
- for a purpose other than the one for which the identifier was specifically intended at collection; and
- with the aim of linking the information together with information processed by other responsible parties;
- process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
- process information for the purposes of credit reporting; or
- transfer special personal information or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
To assist the Regulator, the responsible party should carry out an assessment of the impact of the envisaged processing operations on the protection of personal information. The POPIA platform has an automated process for preparing prior authorisation requests.