South Africa Protection of Personal Information Act (POPIA)

South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020, and enforcement began on July 1, 2021. South Africa’s POPIA is one of the major data privacy laws in the world to be modeled closely after the EU’s GDPR.

The purpose of this Act is to give effect to the constitutional right to privacy, regulate the manner in which personal information may be processed and provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.

1. Personal information

   Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person.

2. Consent

   Consent means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.

3. Data Subject

   Data Subject means the person to whom personal information relates.

4. Processing

   Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

   • The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
   • Dissemination by means of transmission, distribution or making available in any other form; or
   • Merging, linking, as well as restriction, degradation, erasure or destruction of information.

1. This Act applies to the processing of personal information
   • Entered in a record by or for a responsible party by making use of automated or non-automated means, and
   • Where the responsible party is
     • Domiciled in the Republic; or
     • Not domiciled in the Republic but makes use of automated or non-automated means in the Republic unless those means are used only to forward personal information through the Republic.

1. Right to be notified (Section 18)

   The responsible party has to notify the data subjects about the personal information about him, her or it is being collected or his, her or its personal information has been accessed or acquired by an unauthorized person.

2. Right to access (Section 23)

   A data subject, having provided adequate proof of identity, has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject.

3. Right to deletion (Section 24)

   A Data Subject can request the responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

4. Right to objection (Section 11)

   Data Subject has the right to object, on reasonable grounds relating to his, her or its situation to the processing of his, her or its personal information.

5. Right to Complaint (Section 74)

   Right to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data. A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.

6. Right to Civil Action (Section 99)

   A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act.

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of

1. Such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
2. Any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Serious POPIA Offences

The responsible party will be liable to fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment, if you have committed the following offences:

• Obstruct the regulator (section 100)
• Fail to comply with an enforcement notice (section 103(1))
• Give false evidence before the regulator under oath (section 104(2))
• Fail to comply with the conditions when processing account numbers (section 105(1))
• Knowingly or recklessly obtain or disclose an account number (section 106(1))
• Sell (or offer to sell) an account number (section 106(3) and (4))

Minor POPIA Offences

The responsible party will be liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment, if you have committed the following offences:

• Fail to get prior authorisation from the regulator if you need to (section 59)
• If a person acting for (or under the direction of) the regulator does not keep personal information confidential (section 101)
• Obstruct a person executing a warrant or fail to give assistance to the person (section 102)
• Make a statement knowing it to be false (or recklessly) (section 103(2))
• Fail to give evidence when summonsed to do so by the regulator (section 104(1))

With close alignment to EU General Data Protection Regulation, POPIA ensures that South African citizens’ data privacy rights are protected thoroughly, paving the way for an EU adequacy decision, allowing privacy-sensitive information to be transferred safely between the EU and South Africa.

POPIA (South Africa’s data protection law) came into force about eight years after it was enacted in 2013. POPIA is now well positioned to influence privacy legislation in Africa and around the globe as a well-established privacy law.