Processing subject to prior authorisation
57. (1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to—
(a) process any unique identifiers of data subjects—
(i) for a purpose other than the one for which the identifier was specifically intended at the collection; and
(ii) with the aim of linking the information together with information processed by other responsible parties;
(b) process information on criminal behaviour or on unlawful or objectionable
conduct on behalf of third parties;
(c) process information for the purposes of credit reporting; or
(d) transfer special personal information, as referred to in section 26, or the
personal information of children as referred to in section 34, to a third party in
a foreign country that does not provide an adequate level of protection for the
processing of personal information as referred to in section 72.
(2) The provisions of subsection (1) may be applied by the Regulator to other types of
information processing by law or regulation if such processing carries a particular risk
for the legitimate interests of the data subject.
(3) This section and section 58 are not applicable if a code of conduct has been issued and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
(4) A responsible party must obtain prior authorisation as referred to in subsection (1) only once and not each time that personal information is received or processed, except
where the processing departs from that which has been authorised in accordance with the provisions of subsection (1).