Processing Lawfulness of Personal Information in HOAs


Processing Lawfulness of Personal Information in Home Owners Associations

 

Table of Contents

  1. Introduction

  2. Criteria for Processing Personal Information

  3. Categories of Personal Information

  4. Consent

     4.1. Types of Consent

     4.2. Definition of Consent

     4.3. Withdrawal of Consent

  5. Applying Criteria to Groups of Data Subjects in Estates

  6. Purpose Specification (Condition 3)

  7. Further Processing Limitation

  8. HOA Processing Lawfulness Example Tables

     Table 1. Example of Estate without Biometric technology

     Table 2. Example of Estate with Biometric technology

  9. Personal Information Definition and Categories

     9.1. Standard PI

     9.2. Special Personal Information

     9.3. Personal Information of Children

  10. Objection to Processing Personal Information

 

1.  Introduction

The purpose of this document is to provide guidance on processing personal information in residential estates by Homeowners Associations (HOA) in order to meet the requirements of the POPI Act (POPIA).

Please note that this document is an operational guide and does not constitute legal advice.  Please contact a legal professional if you require legal advice in your personal information protection journey.

The document aims to cover the following parts of POPIA in a non-legal manner:

  • Condition 2: Processing Limitation. The document focuses on section 11: Consent, Justification and Objection,
  • Condition 3: Purpose Specification and
  • Condition 4: Further Processing Limitation.

In principle, POPIA requires personal information to be processed in a lawful manner and in a manner which does not infringe privacy.  What does this mean and what should HOAs do to ensure they meet this requirement?  We aim to provide guidance from an estate management / HOA perspective.

2.   Criteria for Processing Personal Information

Processing Limitation in POPIA includes six criteria for obtaining personal information directly from the data subject (people or legal entities).  In principle there are four criteria which apply in HOAs for ‘standard’ personal information; they are listed below:

  • Personal information may be obtained in order to perform a contract (section 11.1 (b));
  • Personal information may be processed if it is in the legitimate interest of the data subject (section 11.1 (d));
  • Personal information may be processed if it is in the legitimate interest of the HOA (section 11.1 (f));
  • Personal information may be processed if consent for processing is obtained (section 11.1 (a)).

3.    Categories of Personal Information

Before considering the criteria listed above, it is important to consider the categories of personal information. There are 3 categories as outlined below. Section 9 contains more detailed information:

  • Standard Personal Information: Items such as name, address, phone number, physical address, email address, any identifying number, etc.
  • Special Personal Information: items such as race, health information, biometric information, etc.
  • Personal Information of Children: Personal information of persons under the age of 18.

4.  Consent

4.1.   Types of Consent

There are two types of consent which must be considered:

  • Implied Consent.

Where consent for standard personal information is required, it can be deemed to have been given by a data subject if one or more of the criteria described in section 2 above are met.

  • Explicit Consent.

Where Special Personal Information such as biometric information is going to be obtained and processed, explicit consent should be obtained, as section 27 in POPIA does not include the other criteria referred to in section 2 above.  If, however, it is not possible to obtain explicit consent, then the estate should rely on one of the above criteria, such as the legitimate interest of the Responsible Party (which is the HOA in this case).

Explicit consent must also be obtained where it is necessary to process the personal information of a child or children under the age of 18.  POPIA requires the consent of a competent person to be obtained. In practice, this is the legally authorised person such as a parent or legal guardian.

4.2.  Definition of Consent

Consent is defined in POPIA as:

  • ‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
  • Consent must be freely given and should be based on a clear and unambiguous purpose.

4.3.  Withdrawal of Consent

The data subject or competent person may withdraw his or her consent at any time, provided that the lawfulness of the processing of personal information before such withdrawal will not be affected.  In reality, this will only apply to visitors in an estate, as the criteria or legal bases for other data subject groups do not require consent.

5.   Applying Criteria to Groups of Data Subjects in Estates

As part of your HOA’s POPIA compliance programme, the HOA team must assess the groups of data subjects below in conjunction with the criteria for processing personal information as they apply to these groups of data subjects:

  • Homeowners. The constitution, conduct rules, etc. are in fact a contract between the estate/HOA and the homeowner. Section 11.1 (b) therefore applies and represents legal grounds for processing the standard personal information of the homeowner.  It overrides the need for obtaining consent or for justifying that it is in the legitimate interest of the estate or homeowner.

If the estate uses biometric information for identity and access management, then it is necessary to obtain consent for processing biometric information.

New homeowners normally sign documents such as sale agreements when they purchase a property. These documents usually refer to the MOI, constitution rules, etc. A contract is, therefore, established at this point.

  • Residents. Residents such as family members are also required to abide by the HOA’s rules but they do not normally sign the MOI, constitution rules, etc.  Consent should therefore be obtained from them. If the estate uses biometric information for identity and access control, explicit consent should be obtained for the processing thereof.  It is strongly recommended that explicit consent is obtained for the use of biometric information.
  • Tenants normally sign a lease agreement with the homeowner rather than the estate.  They also sign their acceptance of the constitution and rules, which means that they are entering into a contract with the HOA.  Consent for processing is, therefore, not required unless biometric information is processed for identity and access control, in which case it must be obtained.
  • Visitors. Since there is no contract between the estate and the visitor, one of the other legal grounds should be applied. These are:
    • Obtain consent. Obtaining consent from visitors varies depending on how access is controlled.  If a manual system is used such as a form or register which the visitor signs, the form or register can be changed to include consent.  If a Visitor Management System is in use, a Privacy Notice/Policy should be made available via a link in the Visitor Management System so that visitors are able to read it prior to visiting the estate through the message they receive.  The HOA should also amend their signage at the gate to highlight the fact that personal information is being processed in accordance with the estate’s Privacy Notice and POPIA.

As already mentioned, if biometric information is being processed, consent for this should be obtained from the visitor.

It should be made clear that if a visitor withholds consent, the estate has the right to refuse access.

In many estates, a condition for entering the estate is the scanning of driver’s licences and licence discs for safety and security purposes.  While this is not a legal requirement in terms of a specific law, HOAs should include this practice as being in the legitimate interest of the HOA based on section 11.1(f) in POPIA and Section 2 above.

  • Legitimate interest of the Estate/HOA (Responsible Party).

In estates where it is impractical to obtain either implied or explicit consent, the HOA can process personal information based on the processing being in the legitimate interest of the HOA. The main reason for this will be for ensuring safety and security.  If this basis for processing personal information is to be used, it must be clearly stated in the Privacy Notice/Policy.

  • Contractors normally have an agreement with homeowners rather than the HOA which means that they should be regarded as visitors to the estate. Contractors often bring employees to the estate. They need to be registered as visitors as well.  In some estates, contractors send details of their employees to the HOA for security registration.  In such cases, the contractor managers should obtain consent from their employees for sharing their personal information with the HOA.
  • Homeowners’ and Tenants’ Employees. Homeowners and tenants generally employ domestic and gardening staff.  In most estates, such employees are registered either by the homeowner or their employer with the HOA.  Where homeowners and tenants register their employees, they should obtain consent for sharing the personal information with the HOA.  Where domestic and gardening employees submit their own personal information to the HOA, consent should be obtained. This is typically done using a registration form.
  • HOA Employees. The personal information of HOA employees is required by the HOA both from an employee records perspective and in order to comply with the Basic Conditions of Employment Act. In view of this, 2 of the criteria for processing are being met without the need to obtain consent.  It is, however, recommended that HOAs obtain consent for their employees’ personal information to be shared with organisations such as medical aid and provident schemes if such sharing is conducted.  Consent for processing biometric information should also be obtained if it is being processed.

6.  Purpose Specification (Condition 3)

POPIA requires that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

POPIA also requires that steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.

In estates, the purposes for the various data subject groups are clear but they need to be stated when personal information is collected.  In other words, the criteria for processing personal information lawfully as described in section 2 in this document must be based on a specific, clear and relevant purpose.

Retention and Restriction of Records

Section 14 states that personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

  • the retention of the record is required or authorised by law;
  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
  • retention of the record is required by a contract between the parties thereto; or
  • the data subject or a competent person where the data subject is a child has consented to the retention of the record.

7.   Further Processing Limitation

POPIA permits further processing of personal information provided that the purpose of the further processing is compatible with the intended purpose.  An example of this is the sharing of resident or visitor information with an Operator, e.g. a security company, for the provision of security services to the estate.

POPIA does not permit the further processing for a purpose which is different to the intended purpose. An example of this could be the sharing of resident information to a marketing company with the consent of the resident/s.

8.  HOA Processing Lawfulness Example Tables

Table 1.  Example of Estate without Biometric technology

Legal Basis for Processing in terms of POPIA Section 11

| Data Subject Group | Contract i.e. Constitution, Rules | Legitimate Interest of Data Subject | Legitimate Interest of HOA | Consent Required (Implied) |
|---|---|---|---|---|
| Homeowners | Yes | Not applicable | Not applicable | Not required |
| Residents e.g. family members | No | Yes | Yes | Recommended |
| Tenants (Lessors) | Yes (Rules) | Yes | Yes | Not required |
| Visitors | No | No | Yes | Yes |
| Contractors | No | No | Yes | Yes |
| Homeowners’ and Tenants’ Employees | No | No | Yes | Yes |
| HOA Employees | Yes (Employee contract) | Yes | Yes | Not required |

Table 2.  Example of Estate with Biometric technology

Legal Basis for Processing in terms of POPIA Section 11

| Data Subject Group | Contract i.e. Constitution, Rules | Legitimate Interest of Data Subject | Legitimate Interest of HOA | Consent Required (explicit) |
|---|---|---|---|---|
| Homeowners | Yes | Not applicable | Not applicable | Yes (for biometric info) |
| Residents e.g. family members | No | Yes | Yes | Yes (for biometric info) |
| Tenants (Lessors) | Yes (Rules) | Yes | Yes | Yes (for biometric info) |
| Visitors | No | No | Yes | Yes (for biometric info) |
| Contractors | No | No | Yes | Yes (for biometric info) |
| Homeowners’ and Tenants’ Employees | No | No | Yes | Yes (for biometric info) |
| HOA Employees | Yes (Employee contract) | Yes | Yes | Yes (for biometric info) |

9.  Personal Information Definition and Categories

9.1. Standard PI

Standard Personal Information includes:

first name, surname, email address, office phone, cell phone, fax number, postal address, ID Number, Skype ID, LinkedIn ID, Twitter ID, Facebook ID, physical address, GPS location of address, billing address, shipment address, user name, user id, account name, account number

sex (Male/Female), marital status, nationality, social origin, age, language, birth, education, financial history, employment history, personal opinions, views or preferences, private correspondence sent by the person, views or opinions of another about the person, name with other personal information, where a data subject’s name leads to other information

9.2.  Special Personal Information

Special Personal Information consists of:

Race, pregnancy status, ethnic origin, colour, sexual orientation, physical health, mental health, well-being, disability, religion, conscience, belief, culture, medical history, criminal history, biometric information.

9.3. Personal Information of Children

Personal Information of children consists of: Personal information of persons under the age of 18 years.

10.   Objection to Processing Personal Information

Extract from section 11 (3) and (4)

(3) A data subject may object, at any time, to the processing of personal information—

(a) in terms of subsection (1)(d) to (f), in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or

(b) for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications as referred to in section 69.

(4) If a data subject has objected to the processing of personal information in terms of subsection (3), the responsible party may no longer process the personal information.

  • Note: In principle personal information may be processed if it is in the legitimate interest of the HOA (section 11.1 (f)).

 

 
