POPIA for the Automotive Industry


The master customer and client contact list is the heart and soul of the Auto business. They take years to build, often at great effort and even greater expense. But we also must recognise that they contain private information about individuals, some of whom we have never met or had direct dealings with. What does POPIA have to say about this vital information that we all collect, store and use? Let us remember that all personal information (being information relating to an identifiable, living natural person and, where it is applicable, an identifiable, existing juristic person) will have to be processed in accordance with POPIA.

Let us unpack it together…

I want to start off by asking, what are client contact books exactly?
Client contact books (master customer and client contact list) contain information about people who are/were looking to become vehicle owners. These could be people you sold to in the past or potential vehicle owners where no deal was ever finalised or vehicle owners that have had their vehicles repaired. In essence, previous clients or potential client’s information you have retained.
Are they only made up of clients you have dealings with?
No. Often you would buy contact details of vehicle owners so you can contact them to see whether they would be interested in buying a new vehicle.
What kind of information do they typically contain about clients?
Usually records of what type of vehicle someone was looking for at the time, their name and their contact details. A client’s name and contact details would be considered ‘personal information’ for the purposes of POPIA.
Can you give an example of how someone would typically use a contact book?
  • Let’s say you get a new vehicle in stock. You would then open your contact book (master customer and client contact list) and call all clients who were looking for a similar vehicle to your new stock. So, it’s kind of like matching someone’s search history to your new stock to see who might be a good fit and then contacting them to see if they are in the market to buy.
  • Another example is when you’re looking for more vehicles to sell. You would call up people you know to own a vehicle, and find out if they’re thinking of selling, with the intention to secure the vehicle as a trade in or to buy as stock for yourself if they are.
But all those contact details are considered personal information, right?
Yes, essentially contact books contain personal information about individuals.
So once the POPIA grace period is over, will anyone be legally allowed to capture, store or even use those details to market their services to customers?
That depends. There are three different categories to consider:
  • The first category deals with all the contact details from someone who is either currently a client or was a client in the past. It does not matter whether you did a deal or not or repaired their vehicle or not, if they gave you their contact details directly and asked you to find them a vehicle or sell their vehicle, they fall into this first category.
  • Category two deals with all contact details gained from another interaction like open days. So if someone attended an open day and completed their details on your register, they fall into this category.
  • The third and final category deals with the contact details you bought or were given by someone other than the Data Subject themselves. So, if someone didn’t give you their details directly (and you obtained their details from any other source, other than the Data Subject), then they fall into this category.
So how does the POPI Act deal with each of these categories?
So, let’s look at Category One, where you obtained the information directly from a client in the context of offering your services to them. If you still need or want to contact these clients about the same thing you got their details for originally, this would most likely be permitted under POPIA, as you are using their contact details for the conclusion or performance of a contract to which they are (or will likely be) a party.
The key phrase I’m hearing is the same thing, right?
Yes, that is important. So, let me give you an example. If a Dealer was busy selling a Golf before POPIA, they could carry on reaching those people who they know are looking to buy that type of vehicle.
But how do you know if someone is still in the market to buy?
You don’t always know, in which case if you’re looking to initiate a new engagement with them, POPIA gives you one opportunity to contact them for direct marketing purposes. If they are not interested in your services, you are not permitted to contact them again unless you get their consent to do that. We will cover consent and its requirements in a future chapter.
Does POPIA allow me to process the personal information of my clients?
Yes, it does. In two instances:
  1. If you have obtained their details in the context of the sale of a product or service and you are using their details for purposes of this service (Buying their vehicle or selling a vehicle to them).
  2. If you are contacting them for the purpose of direct marketing of your own products or services, provided that you follow the prescribed criteria of POPIA which, in essence, requires you to give them a reasonable opportunity to object, free of charge, and without too much formality to use their details.
And what about direct marketing?
That depends on the type of direct marketing you use. POPIA only applies to direct marketing by electronic means, while the Consumer Protection Act, 2008 applies to all direct marketing. So, if you use unsolicited electronic communications you must comply with the provisions of POPIA and the Consumer Protection Act, 2008. But if you use the traditional direct marketing route, that does not involve unsolicited electronic communications, you will be subject to the Consumer Protection Act, 2008.
What do you mean by unsolicited electronic communications?
  • This refers to all text, voice, sound or image messages sent over an electronic communications network, which is either stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
  • Some examples of this are email, automated diallers & pre-recorded messages, voicemail messages, WhatsApp messages and SMSes.
So all other forms of communications around direct marketing would be considered traditional direct marketing?
Yes, that’s correct.
We’ve covered information gathered from past or present clients. What about information gained from open days?
This is Category Two clients. This one is a bit more complicated. POPIA states that a Responsible Party (which would be the motor vehicle dealer or the motor body repairer (MBR) if the dealer or MBR is collecting personal information from ‘data subjects’) may only process Personal Information if:
  • a) the data subject consents to the processing;
  • b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  • c) processing complies with an obligation imposed by law on the responsible party;
  • d) processing protects a legitimate interest of the data subject;
  • e) processing is necessary for the proper performance of a public law duty by a public body; or
  • f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
That is quite detailed. I guess it becomes a bit more complicated when you might not have direct or personal dealings with every person on your register.
Indeed. The purpose of that list is to make sure you are entitled to request their personal information in an Open Day register. If you have been through the criteria and feel you are entitled to collect it, then you must comply with the lawful conditions of processing that personal information, which includes, amongst the other requirements of POPIA, only collecting the absolute minimum information, safeguarding it and not using it for any other purpose other than the purpose for which is was collected.
What does that mean?
It means that if you want to use those details for direct marketing purposes, you must still obtain that person’s consent in the prescribed manner and form (POPIA has prescribed a form that must be used for this purpose). Their consent must also be voluntary, specific and informed. In other words you must be very clear about what that person is consenting to, and they must know they can say no if they want to.
And how many times can you approach a person to gain consent?
Once again, you can only approach them one time, and only if that person has not previously withheld consent.
And what about the third category? The contacts that were bought or given indirectly?
Remember these contacts haven’t given you their direct consent to process their personal information for any purpose (including direct marketing). So in order to use (process) their personal information, you must obtain their consent. And for direct marketing purposes, you can contact them once to request their consent for direct marketing purposes, but only in the prescribed manner and form. And only if they have not previously withheld consent.
That sounds very complicated. What’s the safest bet?
To always seek consent from anyone you want to contact for direct marketing purposes. We’ll discuss consent in more detail in the next chapter, more specifically around what is required when gathering that consent.