Skip to content

Protection of Personal Information Act (POPI Act) - POPIA

Details of the Information Regulator

The Information Regulator’s website is

What does POPIA stand for?

The Protection of Personal Information Act 4 of 2013. It is also often called “POPI”, but is the same legislation.

What is the purpose of POPIA?

The purpose is to regulate the processing of Personal Information. It is aimed to encourage the flow of information in a secure, lawful and responsible manner. The spirit of POPIA is to ensure that the state and organisations that hold and process personal information do so carefully and with respect for the rights and interests of the people to whom it pertains.

What laws are linked to POPIA?

There are various other laws that also protect personal information.

The key ones are:

  1. Consumer Protection Act (CPA)
  2. National Credit Act (NCA)
  3. Regulation of Interception of Communications Act (RICA)
  4. Promotion of Access to Information Act (PAIA)
  5. Electronic Communication Act (ECTA)
  6. Cybercrimes and Cybersecurity Acts of 2021
  7. Constitutional Right to Privacy as defined in the Bill of Rights in the Constitution.
Who does POPIA apply to?

Public and Private Sector Natural and Juristic persons (meaning both individuals and registered companies and organisations)

What is considered personal information?

Personal information is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing, juristic person. Any information about an identifiable human being or an identifiable company.

Examples of personal information include: race, gender, sex, marital status, nationality, sexual orientation, age, physical or mental health, disability, religion, language, education, medical, financial, employment information, ID number, address, email, telephone number, location information, blood type, biometric information, personal opinions, preferences, private or confidential correspondence, and views or opinions of another person.

Why did POPIA come into effect?

It is becoming more difficult to protect the privacy of information, as information becomes more vulnerable to new threats that keep emerging. Worldwide data protection is recognised as a fundamental business practice which applies to small and large organisations. EFSA points out that most privacy requirements are good customer relations practice for ecommerce companies and will help to remove email and phone spam.

POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.

By when do we have to comply to POPIA?

POPIA was signed into law on 19 November 2013 and came into force incrementally. 13 Section 114 of POPIA, which came into force on 1 July 2020, required full compliance with POPIA within one year from the date of its commencement. All responsible parties must have compliance measures in place by 30 June 2021.

What is the definition of a Responsible Party?

The public or private body or any other person which, alone or in conjunction with others, determines the purpose of, and means for processing personal information. This means a SME owner who determines what do with the personal information it has received is a Responsible Party.

Who is an Operator?

A person or body which processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, if a third-party company is contracted to manage your employees’ tax then they would be considered an operator, because they process personal information on your behalf.

Who is a Data Subject?

A person whose data has been processed. These can be individuals or businesses.

How does POPIA apply to company information?

Yes. A juristic person (non-natural living person) is regarded as an entity covered by POPIA. Organisations also have personal information and special personal information as defined by POPIA.

What is “processing”?

Processing means any operation or activity, whether or not by automatic means, concerning personal information including:

OBTAINING: Collection, Receipt, Recording, Organisation, Collation, Storage, Updating, Modification, Retrieval, Alteration

DISSEMINATION: Transmission, Distribution, Making available

DESTROYING: Merging, Linking, Restriction, Erasure, Destruction

What are the conditions POPIA prescribes for protecting personal information? There are 8 conditions and 4 special conditions.

The 8 conditions are Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards and Data Subject Participation.

The 4 special conditions are Secure Cross Border Flow, Permission for Direct Marketing, Secure Special Personal Information and Automatic Decision Making.

How much information about a person can I collect, process and use?

POPIA requires you to apply the principle of minimality and only collect personal information that you absolutely need to be able to service a customer, employee or third party. If you don’t have a valid reason for why you need certain personal information, you shouldn’t be collecting it!

What is the Information Officer?

An individual who works within a private or public body and has been designated, in compliance with section 56 of POPIA, to be responsible for ensuring compliance with POPIA and the Promotion of Access to Information Act (PAIA). They must be registered with the Information Regulator. Registration must be completed by 1 February 2022 at this link [email protected].za

What does “consent” mean?

Consent (“opt-in”) is one of the justifications for the lawful processing of personal information.

Consent has a very particular meaning under POPIA – it means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

For consent to exist, there must also be the right to withdraw consent (“opt-out”). A data subject may withdraw consent at any time, provided that the withdrawal will not affect the lawfulness of the processing which occurred before the withdrawal of consent.

Consent should not be confused with acknowledgement and should not be a catch all – there are other justifications for lawfulness of processing which are better suited to the processing of personal information.

How should we get consent?
  • A person must have a choice whether to consent or not (it must be voluntary)
  • The consent must relate to a specific purpose and you must specify your purpose.
  • You must notify the data subject of various things as set out in section 18 of POPIA.
  • You must inform the person sufficiently to enable them to make a decision.
  • The person must express their will in some form.
What is the “soft opt-in”?

Data provided in the process of a sale by an individual or company can be used without further consent to approach the buyer to offer similar products (even if the sale does  not  go through) as set down in Section 69 of POPIA. However, an opt-out must always be offered.

“Sensitive/Special” Data requires Opt-in

POPIA identifies the following as “special” data which can only be processed (collected, stored, used) with the informed consent of the data subject, or if legally required. These data are: - political views, religious/philosophic beliefs, race or ethnical background, trade union membership, health and sex life, criminal record, biometric data.

EFSA would like to point out that sometimes these data can be collected inadvertently. For example, a delivery company which picks up a delivery at a halaal restaurant might infer the race and religion of the buyer. While that the buyer has consented by the act of buying the food and ordering the delivery, storing that data or using it to market to the customer in the future without informed consent would be strictly contrary to the law.

If the data subject is a child, consent must be provided by a competent person (such as a parent, or authorized teacher). To learn more you can read these guidelines by the Information Regulator accessible on this link:

What can I not do with personal information?

Use it for any purpose other than the purpose for which it was authorised.

Automated Decision Making (for example, marketing analytics)

This is one of the few issues where POPIA lacks clarity. In Section 71 it says that data subjects must not be subject to an automated decision making process except in specified circumstances, including giving consent, however, it recognises that this process will create challenges and therefore proposes that codes of conduct should be prepared by business associations which the Information Regulator would consider. If the Regulator agrees a code it will become part of the application of the law. EFSA intends to present a code on automated decision making for ecommerce.

Who can I send personal information to?

Only people and organisations authorised by the data subject or those people and organisations allowed under POPIA. Once you have established justification for forwarding the personal information you must ensure that those people or organisations also comply with POPIA and have appropriate security safeguards.

Who can have access to personal information?

Authorised people using the specific personal information for its intended purpose.

What are common examples of breach of POPIA?
  •  Loss of personal information due to inadequate security safeguards
  • Collecting personal information without having the correct justification to do so
  • Sending personal information to people who are not supposed to have it
  • Breach of security safeguards (network with personal information is compromised)
  • Not complying with an enforcement notice issued by the Information Regulator
  • Processing special personal information without there being a necessity, or without obtaining prior authorisation to do so from the Information Regulator.


In the case of a cyber-attack (hack/virus/phishing, etc) the requirements of the new Cybersecurity and Cybercrimes Acts will also apply. Details for the implementation of those laws are presently being prepared

What to do in the case of a data breach?

If you suffer a data breach you must inform the Information Regulator as soon as possible and discuss solutions – for example, the Regulator may require you to inform all those on your database of the breach and advise them on ways in which they can protect themselves. Failure to advise the Regulator in a timely fashion could lead to fines or other penalties. The link to use in the case of a data breach is  [email protected]

What happens if we don’t comply with POPIA?

There are significant consequences for non-compliance, including up to R10m in fines per offence and/or up to 10 years in prison per offence.

Is a cookie notice required on my website?

POPIA does not require cookie notices but EFSA recommends their use in the spirit of transparency. If your website is offering products or providing information to Europe you must include a cookie notice as this is required by the EU’s General Data Protection Regulation (GDPR).

How long must I retain Personal Information?

Only for as long as to fulfil the intended purpose for which the information was collected or processed. Keep in mind other legislative requirements. For example, to keep certain records required for anti-money laundering purposes. A Records Retention Policy will help you to make sure you know how long you retain personal information for all data subjects.

Can I keep personal information for longer than the legally prescribed period?

You can do so only if there is a valid business reason why you should keep the information beyond the prescribed retention periods, and provided that you have informed the Information Regulator and the data subject(s) of the intention and purpose.

Can I store job applicants’ CVs indefinitely, even after their application have failed?

No, unless you have obtained their specific consent for this.

Can I keep personal information about employees that have left our employment?

You are required by certain laws to keep records of staff (even when they leave) for certain periods of time. Beyond this retention period, you should dispose of the information. The retention period for employees that have left the organisation should be defined in the Records Retention Policy.

When am I exempt from following what POPIA prescribes?

When certain permissions were obtained from the Information Regulator. Certain laws may trump POPIA requirements: for example, data subject requests in the insurance industry where the only information available on a person is that they are a beneficiary on a person’s policy.

Is anyone exempt from complying with POPIA?

No, although there are all sorts of exemptions in the Act for specific scenarios and everyone must be aware of what they are as they need to comply with certain criteria to then be able to invoke the exemption.

Does POPIA put an end to Direct Marketing?

No. POPIA is not going to put an end to direct marketing. Direct marketing happens all over the world in many countries that have had data protection laws for decades. Direct marketing is considered to be a legitimate interest that organisations can pursue to find new customers. The big change or implication of POPIA is that in future direct electronic marketing to potential customers will be on an opt-in basis, and that the data subject always must be given the right to opt out.

Can we email or SMS someone to sell them something?

Yes, you can. POPIA will have a big impact on email and SMS marketing. Under POPIA, you will only be able to direct market on an opt-in basis – without an opt-in you can email someone only once to get their consent to send them more emails/SMS/WhatsApp messages.

However, as pointed out above, if you have collected the customer’s data in the process of a sale you may use that data to market similar products without requiring the customer’s opt in (but must always offer the opt out).

Can employees keep customer information on desktops?

For the purposes of Business as Usual (BAU) and BAU only, with respect to POPIA, employees may keep electronic records on their desktops and hard copies on their desks. The Record Retention Policy will shed more light on the retention of information held on desktops and local drives.

Can employees exchange customers’ personal details? Yes and no. It depends on the context of the situation. If it is business-related, i.e. for the intention of servicing the customer (e.g. resolving a query or complaint) then yes, it is normal that a customer’s information would need to be shared across departments to get an issue resolved. Sharing a customer’s information with a friend or relative to assist their business in finding customers, or, for example, sending a customer list to a competitor is strictly forbidden.

How does POPIA apply to supplier information?

As the responsible party, you share certain personal information with suppliers that you interact with. It is important to have formal third–party agreements with all your suppliers, especially the ones that make use of your data subject’s personal information to provide services on your behalf. This contract between you and your supplier must list the privacy and other requirements that you can hold your suppliers accountable to with regards to the processing of personal information.

Will I be held liable if I get a third party to process personal information on my behalf?

Yes, if a third party or supplier breaches any of your customer, employee or other suppliers’ information, you will still remain accountable and liable to the data subjects. You can be found to be in breach of POPIA and will be liable for the penalties.

What happens when a third party breaches POPIA? A third party is held to be Operator in terms of POPIA.

Do cloud solutions have to comply with POPIA?

Absolutely. There is a vast array of concerns. While in transit (i.e. moving) the personal information must be protected (encrypted, de-identified if possible). The cloud environment, if in another country, must provide the same if not more protection than is required in South Africa.

Do cross-border cloud solutions have to be compliant?

Yes. If your cloud service is based in another country, it is your responsibility to ensure that the contracted provider, meets certain privacy requirements. You should also ensure that, if you enter into a relationship with them, they will uphold the same principles as prescribed in POPIA.

Should I worry about personal information leaving South Africa?

Not all countries have adequate data protection or privacy legislation. Transferring personal information to such countries without taking appropriate measures will render the transfer illegal. It is important to have a contract in place with the other party in which they agree to abide by POPIA.

Can I transfer personal information into and out of South Africa?

You may when the recipient in the other country is subject to a law, binding corporate rules or agreements that provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject in South Africa.

If the other country does not have such rules in place, you must replicate POPIA stipulations into the contract agreement and ensure the other third party complies with it.

Add content here