South Africa: The Legal Implications of Coronavirus (COVID-19) National Disaster - Booking Repayments and Data Protection 

Following the South African President’s speech on 15 March 2020 that a national state of disaster has been declared in terms of the coronavirus (COVID-19), a number of measures were implemented to counteract the impact of the virus by the South African Government. We cover below the legal implications of some of these measures, particularly the repayment of bookings and data protection.

Repayment of bookings

In terms of section 27(5) of the Disaster Management Act, 2002, a national state of disaster lapses three months after it has been declared, but can be withdrawn or extended.

In the meantime, all public gatherings of more than 100 people are prohibited and all non-essential domestic travel – especially by air, rail, taxis and bus – are discouraged. This will have significant impact on the travel and events industry and a key question is whether consumers will be entitled to a full refund for prepaid bookings, tickets and the like.

This matter is largely regulated in terms of the Consumer Protection Act, 2008 (“CPA”) and South African common law of contract. While consumers may be entitled to a refund in terms of the CPA in certain circumstances, companies may, in turn, be entitled to cancel payments to their suppliers.

Data protection

COVID-19's serious effects on an individual’s health and its contagious nature may be viewed as an actual or potential hazard in the workplace, which requires employers to take steps to prevent and mitigate any effect it may have in the workplace. As such, employers may consider asking employees and other persons (such as clients and suppliers) questions and request some personal information (including health information about symptoms of the virus) to ascertain whether these persons are at risk of having the virus or being able to transmit it to others.

On the other hand, organisations should not overlook the rights of employees and other third parties in terms of data protection legislation, such as the Protection of Personal Information Act, 2013 (“POPIA”). Although POPIA is only expected to become fully effective on 1 April 2021, several organisations have committed to voluntary and proactive compliance with POPIA. In addition, the South African Constitution and common law recognises the right to privacy and, in some instances, South African companies are already subject to the EU General Data Protection Regulation (“GDPR”), which came into force in May 2018.

Several regulators or supervisory authorities in the EU have published useful guidance or information in respect of data protection and COVID-19, including, on 2 March 2020, the Italian Supervisory Authority, Garante. Garante emphasises that companies must not collect, in a systematic and generalised manner, information on possible COVID-19 symptoms suffered by their employees (or their family members) and their whereabouts.Such collection should be left to healthcare authorities and companies should not engage in the spontaneous collection of health data of their employees, unless this is specifically required by law or requested by the competent authorities.

However, Garante also notes that employees must, as a general rule, inform their employers of any health and safety risks at work of which they are aware, including risks of contagious diseases. Accordingly, companies may invite their employees to notify them if they have recently been exposed to epidemiological risk areas or have other relevant information regarding possible risks of contagion.

For more information, please contact:

Angela Itzikowitz

Banking and Finance Executive

[email protected]

+27 83 680 2077

Era Gunning

Banking and Finance Director

[email protected]

+27 82 788 0827

Suemeya Hanif

Employment Director

[email protected]

+27 82 787 9934



WSG Member: Please login to add your comment.