South Africa: Adopted Information Regulator Code of conduct for processing of personal information by the banking industry

On 12 October 2022, the Information Regulator issued the Code of conduct for processing of Personal Information by the banking industry under the Protection of Personal Information Act 4 of 2013. The code applies to member banks of the Banking Association of South Africa. The code mandates lawful and reasonable processing of personal information, requiring compliance frameworks to manage risks, retention policies for data, and conditions for further processing. It also establishes guidelines for handling special personal information, children's data, direct marketing, automated decision-making, and the use of unique identifiers. Additionally, member banks must implement security safeguards, ensure transparency in processing operations, and maintain a complaints management framework for addressing grievances.