19.
(1) Subject to subsections (2) and (3), records of personal information shall not be
retained any longer than a prescribed period, unless –
(a) retention of the record is required or authorised by law;
(b) the data controller reasonably requires the record for lawful
purposes related to its functions or activities;
(c) retention of the record is required by a contract between the
parties; or
(d) the data subject has consented to the retention of the record;
(2) Records of personal information may be retained for periods in excess of those
contemplated in subsection (1) for historical, statistical or research purposes
and the data controller has established appropriate safeguards against the
personal data being used for any other purposes and the data controller has
established appropriate safeguards against the personal data being used for any
other purposes.
(3) A data controller which or who has used a record of personal information of a
data subject to make a decision about the data subject shall –
(a) retain the record for such period as may be required or prescribed
by law or code or a code of conduct; or
(b) if there is no law or code of conduct prescribing a retention period,
retain the record for a period which will afford the data subject a
reasonable opportunity, taking all considerations relating to the use
of the personal information into account, to request access to the
record.
(4) A data controller shall destroy or delete a record of personal information or deidentify it as soon as reasonably practicable after the data controller is no longer
authorised to retain the record in terms of subsection (1) or (2).
(5) The destruction or deletion of a record of personal information in terms of