South Africa Protection of Personal Information Act (POPIA)

What is the POPIA Act in South Africa?

South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020, and enforcement began on July 1, 2021. South Africa’s POPIA is one of the major data privacy laws in the world to be modelled closely after the EU’s GDPR.

The purpose of South Africa’s POPIA is to give effect to the constitutional right to privacy, regulate the manner in which personal information may be processed, and provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.

Amid the growing global emphasis on data protection, South Africa’s POPIA has emerged as a leading influence in shaping the landscape of privacy compliance laws globally.

Who must comply with South Africa Protection of Personal Information Act Regulation?

  1. South Africa’s POPIA applies to the processing of personal information
    • Entered in a record by or for a responsible party by making use of automated or non-automated means, and
    • Where the responsible party is
      • Domiciled in the Republic; or
      • Not domiciled in the Republic but makes use of automated or non-automated means in the Republic unless those means are used only to forward personal information through the Republic.

As businesses navigate South Africa’s data protection landscape, staying well-versed in the nuances of POPIA compliance becomes important.

Enforcement under South Africa’s POPIA

Serious POPIA Offences

The responsible party will be liable to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment, if it has committed any of the following offences:

  • Obstruct the regulator (section 100)
  • Fail to comply with an enforcement notice (section 103(1))
  • Give false evidence before the regulator under oath (section 104(2))
  • Fail to comply with the conditions when processing account numbers (section 105(1))
  • Knowingly or recklessly obtain or disclose an account number (section 106(1))
  • Sell (or offer to sell) an account number (section 106(3) and (4))

Minor POPIA Offences

The responsible party will be liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment, if it has committed any of the following offences:

  • Fail to get prior authorisation from the regulator if you need to (section 59)
  • If a person acting for (or under the direction of) the regulator does not keep personal information confidential (section 101)
  • Obstruct a person executing a warrant or fail to give assistance to the person (section 102)
  • Make a statement knowing it to be false (or recklessly) (section 103(2))
  • Fail to give evidence when summonsed to do so by the regulator (section 104(1))

Key highlights of POPIA:

  • Personal information: Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person.
  • Data Subject Rights: The POPIA provides the data subject rights, which largely mirror those provided by the GDPR.
  • Consent: Consent means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
  • Privacy Assessments: Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.


Data Subject Rights under South Africa's POPIA

The POPIA regulations provide a detailed framework, offering practical guidance on the lawful processing of personal information, and ensuring a harmonious integration of privacy measures into daily business operations.

  1. Right to be notified (Section 18)
    The responsible party has to notify data subjects that personal information about him, her or it is being collected, or that his, her or its personal information has been accessed or acquired by an unauthorised person.
  2. Right to access (Section 23)
    A data subject, having provided adequate proof of identity, has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject.
  3. Right to deletion (Section 24)
    A data subject can request the responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  4. Right to objection (Section 11)
    A data subject has the right to object, on reasonable grounds relating to his, her or its situation, to the processing of his, her or its personal information.
  5. Right to Complaint (Section 74)
    Right to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject. A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.
  6. Right to Civil Action (Section 99)
    A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act.

Information Officer (Section 55)

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of

  1. Such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
  2. Any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

How Mandatly helps you achieve South Africa's POPIA compliance?

Mandatly’s POPIA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

Mandatly’s POPIA compliance software for South Africa’s privacy law will help you protect and automate consumer rights, data inventory and mapping, and privacy assessment.

  • Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
  • Data Inventory and Mapping: Maintain your data sources and map data flows to meet the POPIA "Lookback" requirements.
  • Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
  • Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
  • Do not sell my information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
  • Analytics: Reporting features are built into the system to get a holistic view of the compliance program for different stakeholders.
