A lot of unsuspecting business owners have ended up in court over legal compliance issues – not because they were irresponsible, but because they were not aware of their legal duties in the first place.
We have listed a number of the important Acts below which any business owner in South Africa today will need to comply with in order to be termed “legally compliant”.
The Companies Act
The Companies Act is a set of laws that governs the running of every business in South Africa. The Act was re-written in 2008 and has been in effect since 2011, providing business owners and company directors with legal guidelines on how to run their companies according to the letter of the law. Here are some important highlights from the Companies Act:
Every company must be registered and operate in accordance with all South African laws, including the Companies Act and others.
Company owners and directors are responsible for running their businesses responsibly and ethically – this means that the business must not be run in a way that puts its owners, staff, or customers at a disadvantage on purpose.
Company directors are more liable than they used to be for losses and mismanagement – if a director makes a decision that causes losses or damage to the business, the person could be held legally responsible for these.
Close Corporations (CCs) are being phased out by the new Companies Act – no new CCs can be registered since the Act came into effect, so it is advisable to register all new businesses as (Pty) Ltd entities and to convert any older CC businesses to this type as well.
The rules on the auditing of financial statements have changed under the Companies Act of 2008 – make sure that you have consulted an attorney and an accountant before you submit your first annual financial statements and tax return.
The constitution of every type of Company is now comprised in only one document, called the company’s “Memorandum of Incorporation”. The MOI replaces both the memorandum of association and articles of association of pre-existing companies.
Pre-existing companies had until 30 April 2013 (two years from the Act's commencement on 1 May 2011) to bring their memorandum of association and articles of association into harmony with the Act.
Changing the memorandum of incorporation (MOI)
Companies incorporated before 1 May 2011 had until the end of this two-year transitional period to lodge an amended memorandum of incorporation (MOI) with the Companies and Intellectual Property Commission (CIPC) free of charge.
Why should companies change their MOI?
Amending the MOI is not mandatory, but the Companies Act of 2008 creates an opportunity for companies to reconsider the stipulations of their MOI. For example, if a company’s existing MOI requires an annual audit of its financial statements, it may be advisable to update the MOI.
An audit may no longer be required in terms of the 2008 Act for the particular company, yet unless the MOI is amended, this requirement will prevail.
In addition, the existing MOI may require that the company hold an annual general meeting after the end of its financial year. The Act no longer contains such a requirement for private or non-profit companies, but unless the MOI is amended, this requirement will also remain.
How to lodge an amended memorandum of incorporation (MOI)
Given these considerations, should a company elect to amend its MOI, it can choose to prepare and lodge one of three types of amendment:
A default MOI which incorporates the default provisions of the Act
An altered MOI which incorporates the alterable provisions of the Act
A unique MOI which is specifically tailored towards the company’s unique needs and requirements.
Standard templates to amend MOIs have been issued in terms of the Act and Regulations, for non-profit companies (with or without members), a short standard form for private companies which incorporates the default provisions of the Act (CoR15.1A), and a long standard form for profit companies (CoR15.1B). These forms, although standardised and convenient, are not recommended to amend the MOI, due to errors and inconsistency in their content.
For example, the 2008 Act defines a ‘private company’ as a company that is not a state-owned company and whose MOI both prohibits it from offering its securities to the public and restricts the transferability of its securities. The CoR15.1A form, however, does not include a clause restricting the transferability of the securities.
This may mean that even though the company is intended to be a private company, it could be treated as a public company and have to comply with the requirements for public companies set out in the Act (an audit, an AGM and at least three directors). This appears to be a drafting error in the standard form.
The Companies Act stipulates several rules for the appointment, resignation, removal, obligations, and duties of directors. Duties include both a fiduciary duty, and a duty of reasonable care, which operate in addition to existing common law duties.
A director is required to act:
in good faith and for a proper purpose,
in the best interests of the company,
with the degree of care, skill and diligence that may reasonably be expected of a person carrying out the same functions in relation to the company as those carried out by the director, and having the general knowledge, skill and experience of that director – a reasonable person test with a subjective element.
Liability of Directors
The term ‘director’ includes an alternate director, a prescribed officer (CEO, MD, CFO, etc.) and members of the audit committee or of a board committee.
A director is liable for breach of fiduciary duty, for acting without authority, for being party to the supply of false or misleading information about the company, or for the making of an untrue statement in a prospectus.
A director must disclose any personal financial interests in any matter before the company.
A director may not use the position as director or information gained as a director to make a secret profit or gain advantage for themselves or someone else or to cause harm or detriment to the company.
If a director or a related person acquires a personal financial interest in an agreement or other matter after the company has already approved it, the director must promptly disclose that interest to the company.
Where a company has only one director, and that director (together with related persons) does not hold all of the beneficial interests in the company’s issued securities, the director may not act on a matter in which they have a personal financial interest unless, after disclosing that interest, the shareholders approve the agreement by ordinary resolution.
In addition, directors could be held liable to shareholders for fraudulent acts or acts of gross negligence or to a third party who has suffered damages due to the acts of the directors.
The Act also includes the ‘business judgment test’: a director will not be held liable for a breach of the duty of care, skill and diligence if the director took reasonably diligent steps to become informed about the matter, had no material personal financial interest in it (or disclosed any such interest), and had a rational basis for believing that the decision was in the best interests of the company. This protection does not extend to a director who acted in bad faith or for an improper purpose.
The Consumer Protection Act
Just like the Companies Act regulates the nitty-gritty of running your business, the Consumer Protection Act regulates how businesses interact with their customers.
It aims to:
Promote a fair, accessible, and sustainable marketplace for consumer products and services;
Establish national norms and standards to ensure consumer protection;
Make provision for improved standards of consumer information, and prohibit certain unfair marketing and business practices;
Promote responsible consumer behaviour;
Promote a consistent legislative and enforcement framework, related to consumer transactions and agreements;
Establish the National Consumer Commission; and
Replace, in a new and simplified manner, existing provisions from five acts: the Consumer Affairs (Unfair Business Practices) Act of 1988; the Trade Practices Act of 1976; the Sales and Service Matters Act of 1964; the Price Control Act of 1964; and the Merchandise Marks Act of 1941 (specifically Sections 2–13 and 16–17).
The CPA has an impact on your business in two ways:
you need to follow the CPA when dealing with your customers, and
you should be aware of your own consumer rights when you trade with other businesses.
Here are the key consumer rights you should afford your customers and demand from your suppliers:
Equality in the consumer market – no group of consumers should be discriminated against by your company’s marketing efforts.
Privacy – this includes the right to refuse unsolicited advertising or promotional material and calls from call centres.
The right to choose – consumers should be given as much choice of products and services as is possible.
Disclosure of information – suppliers should be as honest and upfront as possible when dealing with consumers.
Fair and responsible marketing – consumers should never be misled by marketing and advertising campaigns.
Fair and honest dealing – there should be a high level of honesty between consumers and suppliers in every transaction.
Fair, just, and reasonable terms and conditions – the small print on contracts and agreements should be fair and reasonable to both consumer and supplier.
Fair value, good quality, and safety – products and services should be well priced and of a good quality.
Accountability – suppliers need to take responsibility for the products and services they supply.
Whether you find yourself selling or buying products and services, you should ensure that you follow the guidelines in the Consumer Protection Act and demand your rights as a consumer when you deal with suppliers. Business owners should note that the CPA does not apply to transactions in which goods or services are supplied to the state.
What does the Consumer Protection Act apply to?
Every transaction occurring within the Republic of South Africa;
Promotion or supply of any goods and services occurring within the Republic; and
Goods or services that are supplied or performed in the Republic in terms of transactions mentioned in the Act.
What is exempt?
Goods or services promoted or supplied to the state;
Industries for which an industry-wide exemption has been granted to a regulatory authority;
Credit agreements in terms of the National Credit Act (although the goods or services supplied under such agreements are still covered);
Services under employment contracts; and
Collective bargaining agreements and collective agreements as defined in Section 213 of the Labour Relations Act.
Financial Intelligence Centre Act (FICA)
South Africa has adopted money laundering laws to help it comply with its international obligations to fight organised crime and terrorism. The latest and most comprehensive legislation detailing money laundering controls is the Financial Intelligence Centre Act (FICA), the focus of which is on control requirements.
FICA creates money laundering control obligations for ‘accountable institutions’ – banks and other institutions and professionals such as estate agents, brokers, attorneys and insurance companies.
Customer identification is a crucial element of any effective money laundering control system. The banks have implemented measures to know who their customers are and to prevent criminals from using false or stolen identities to gain access to their services.
The banks are required to obtain certain information and supporting documents from new customers before accounts can be opened. Make sure that you are FICA-compliant by supplying your bank with the required documentation.
Protection of Personal Information Act 2013
What is POPI all about?
POPI refers to South Africa’s Protection of Personal Information Act which seeks to regulate the Processing of Personal Information.
Personal information broadly means any information relating to an identifiable, living natural person or, where applicable, an identifiable, existing juristic person (companies, CCs, etc.) and includes, but is not limited to:
contact details: email, telephone, address etc.
demographic information: age, sex, race, birth date, ethnicity etc.
history: employment, financial, educational, criminal, medical history
biometric information: fingerprints, blood type etc.
opinions of and about the person
private correspondence etc.
Processing means broadly anything done with the Personal Information, including collection, usage, storage, dissemination, modification, or destruction (whether such processing is automated or not).
Some of the obligations under POPI are to:
only collect information that you need for a specific purpose.
apply reasonable security measures to protect it.
ensure it is relevant and up to date.
only hold as much as you need, and only for as long as you need it.
allow the subject of the information to see it upon request.
Does POPI really apply to me?
Accountability for compliance rests with a Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Generally, the Responsible party must be resident in South Africa, or the processing should occur within South Africa (subject to certain exclusions).
Who does the POPI apply to?
Applies to anyone who processes personal information.
Includes public and private bodies.
and operators – persons who process personal information for a responsible party in terms of a mandate or contract.
There are cases where POPI does not apply.
purely household or personal activity
sufficiently de-identified information
some state functions including criminal prosecutions, national security etc.
journalism under a code of ethics
judiciary functions etc.
POPI provides that, in certain circumstances, the Information Regulator (the Regulator) may grant an exemption to a Responsible Party from the conditions of processing personal information.
The Regulator may do so if, for example, it feels that the public interest outweighs the interference with the privacy of the data subject, or if there are reasons of national security, criminal law, or the economic and financial interests of a public body that warrant the processing.
There are eight conditions for the lawful processing of personal information contained in the Act, and they are the following:
Condition 1: Accountability
This condition contemplates the assigning of responsibility within an organisation for overseeing compliance with the Act, i.e., an Information Officer.
Condition 2: Processing Limitation
This condition requires that personal information may only be processed lawfully and in a fair manner, and only to the extent that the information is adequate, relevant and not excessive for the purpose (the minimality principle).
Condition 3: Purpose Specification
The condition of Purpose Specification helps to determine the scope within which personal information may be processed by an organisation.
The Act also sets out the grounds on which processing is justified. You can process personal information only if:
The data subject or competent person where the data subject is a child consents to the processing;
Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
Processing complies with an obligation imposed by law on the responsible party;
Processing protects a legitimate interest of the data subject;
Processing is necessary for the proper performance of a public duty by a public body;
Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Note Section 112(2): the Regulator may, subject to Section 113, make regulations relating to:
the manner and form in which a data subject may object to the processing of personal information as referred to in Section 11(3).
The collection of information must be for a specific, explicitly defined, and lawful purpose.
An organisation must take steps to ensure that the data subject is aware of the purpose of processing the information unless express exclusions apply (see above).
The information must be retained only for as long as is necessary to achieve the purpose for which it was processed, or for as long as the law requires, i.e., information may be kept for as long as you use or need it, but after that it must be destroyed or de-identified. Note, however, that other legislation requires many general business records to be kept for a set period (typically five years or longer), and those retention obligations take precedence.
Condition 4: Further Processing Limitation
Once an organisation has identified and obtained consent for specific, legitimate, and explicitly defined purposes, the processing of such personal information may only occur insofar as it is necessary for the fulfillment of those purposes.
Condition 5: Information Quality
Section 16 of the Act sets out, in general terms, the responsibility of organisations to ensure and maintain the quality of the personal information that they process.
The information must be complete, accurate, not misleading and updated when necessary.
Condition 6: Openness
The sixth condition of “Openness” is linked directly to an organisation’s duty to process information in a fair and transparent manner.
Condition 7: Security Safeguards
The underlying theme of Condition 7 is that all personal information must be kept secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure, by means of appropriate, reasonable technical and organisational measures. Where a security compromise does occur, the Act also requires the responsible party to notify the Regulator and the affected data subjects.
There are three essential components of information security:
Physical security: e.g., CCTV, fences, alarms;
Technological security: encryption, firewalls, access controls;
Non-technological (organisational) security: the people, training and procedures involved in the use and maintenance of the information and the system.
Condition 8: Data Subject Participation
Condition 8 empowers individuals to access and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading, or outdated.
Data subjects also have the right to be informed that their information is being processed, and the right to object to such processing.
There are certain circumstances where you must obtain prior authorisation from the Regulator before you can process information.
These include situations where you want to process information on criminal behaviour or for the purposes of credit reporting, or where you plan to transfer personal information to countries that do not have adequate information protection laws.
In cases like this you cannot do any processing until such time as the prior authorisation has been obtained, however, you will only need to obtain such prior authorisation once.
The requirement of a prior authorisation will, however, not apply if an applicable code of conduct (discussed next) has come into force.
Codes of Conduct
The Regulator may issue codes of conduct that relate to classes of information or to specific industries, and it will keep a register of approved codes. Such codes can be issued at the request of industry players.
Once issued, the code becomes binding on every class of information or every company operating in the industry referred to in that code.
A code may contain its own procedures for dealing with complaints. A failure to comply with a code will be deemed to be a breach of the conditions for the lawful processing of personal information.
POPI provides that you cannot process personal information for the purposes of direct marketing by way of email, SMS, and the like, unless the Data Subject has given his or her consent to the processing, or if the Data Subject is a customer of yours. Importantly, the Data Subject’s consent must be requested (i.e., the Data Subject must opt-in).
For existing customers, it also provides that their personal information may be used for direct marketing only where: you obtained the contact details in the context of the sale of a product or service; the purpose is to market your own similar products or services; the Data Subject had a chance to object, free of charge, when the information was collected; and the Data Subject has a chance to object in each subsequent communication. Every communication that you send to the Data Subject must feature your identity and contact details.
Trans-border information flows
POPI provides that you may not transfer personal information abroad unless at least one of a number of requirements is met, for example: the recipient is subject to a law, binding corporate rules, a binding agreement or a memorandum of understanding that provides an adequate level of protection substantially similar to the conditions for the processing of personal information set out in POPI; the Data Subject has consented to the transfer; the transfer is necessary for the performance of a contract; or the transfer is for the benefit of the Data Subject and it was not reasonably practicable to obtain their consent.
Any person may submit a complaint, in writing, about information processing to the Regulator, who can then conduct an investigation.
The Regulator may decide to take no action in certain circumstances, for example, if the subject matter of the complaint is trivial, if a long period of time has elapsed, if a complaint is frivolous, vexatious or is not made in good faith, or if the person doing the complaining failed to use a complaints procedure under a code.
The Regulator may try to reach a settlement between the parties, or it can conduct a hearing at which it can summon witnesses and receive evidence.
The Regulator can even ask a judge or magistrate for a warrant to enter and search premises. If the Regulator finds for the complainant, it may serve a Responsible Party with an enforcement notice, requiring it to take certain steps. There is a right of appeal to the High Court.
A Data Subject, or the Regulator at the request of a Data Subject, may also institute a civil action for damages against a Responsible Party for breach of any provision of POPI relating to interference with the protection of personal information of a Data Subject, irrespective of whether or not there was intent or negligence on the part of the Responsible Party.
Offences and penalties
POPI creates various offences. For example: it will be an offence not to comply with an enforcement notice; for any person acting on behalf of the Regulator not to treat the information as confidential; to obstruct the Regulator; to obstruct the execution of a warrant. Any person convicted of an offence in terms of POPI may be liable for a fine or to imprisonment, the term of which will depend on the contravention.
Administrative fines up to R10 million may also be applicable in certain cases.
Therefore, why should I comply with POPI?
POPI promotes transparency with regard to what information is collected and how it is to be processed. This openness is likely to increase customer confidence in the organisation.
POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures are likely to improve the overall reliability of the organisation databases.
Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.
Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and/or imprisonment of up to 10 years.
You can prepare for compliance with the Protection of Personal Information Act (“POPI”) by considering the following minimum requirements:
Audit the processes used to collect, record, store, disseminate and destroy personal information: in particular, companies must ensure the integrity and safekeeping of personal information in their possession or under their control. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.
Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined, and lawful purpose that is related to a function or activity of the company concerned.
Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant, and not excessive given the purpose for which it is processed.
Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know this is being done and why. The data subject must be told the name and address of the company processing their information. In addition, he or she must be informed as to whether the provision of the information is voluntary or mandatory.
Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading.
Register with the Information Regulator: once the Regulator is established and operating, an organisation’s Information Officer must be registered with it, and the kinds of processing listed above (criminal behaviour, credit reporting, transfers to countries without adequate protection) require the Regulator’s prior authorisation.
Accommodate data subject requests: the POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information. A data subject can also ask for a record of the information concerned.
Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved. However, a record of the information must be retained if an organisation has used it to decide about the data subject. The record must be kept for a period long enough for the data subject to request access to it.
Cross-border data transfer: there are restrictions on sending personal information out of South Africa, as well as on the transfer of personal information back into South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which it is returned, as the case may be.
How can we help ensure that you are legally compliant with the above legislation?
We will assess the following documentation:
Companies Act Compliance
Your Memorandum of Incorporation (MOI);
If you do not have a MOI, your current Memorandum of Association;
Your Shareholders Agreement.
Consumer Protection Act and FICA Compliance
Your Service Level Agreements;
Your Provider Agreements;
Your sale of goods terms;
Do you have a Social Media Policy?
Website terms and conditions?
Hilton Johnson: CEO - Compliance Hub