A Complete Guide To POPI Act South Africa

POPI stands for Protection of Personal Information. The Protection of Personal Information Act, or simply the POPI Act, is a data protection law that seeks to protect individuals and juristic persons from the harmful effects of the unauthorized use of their personal information. The POPI Act is sometimes referred to as POPIA or the POPIA Act, so do not be confused when these terms are used interchangeably. It is worth noting that the POPI Act also applies to entities that are outside of South Africa but process personal information in South Africa, unless such processing is only used to forward the information through the country. POPIA officially came into force on the 1st of July 2021. It sets out the minimum requirements private and public entities must adhere to before processing personal information.

When entities collect personal information from individuals or juristic persons, they must make sure that the persons from whom they are collecting the information know that it is being collected and why, which of the information will be processed and for what reason, and with whom that information will be shared.

What is Personal Information?

According to the POPI ACT, personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Transfer of Personal Information Outside of South Africa?

The POPIA Act specifically prohibits the transfer of personal information outside of South Africa to a 3rd party in a foreign country, except in the following circumstances:

  • The data subject has consented to the transfer
  • The transfer is necessary for the performance of a contract between the company processing the information and the data subject
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the company/responsible party and a third party.
  • The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the consent of the data subject, and if it were practicable to obtain consent, such consent would likely be given
  • The 3rd party is subject to a law, binding corporate rules, or a binding agreement providing an adequate level of protection that effectively upholds principles of reasonable processing of the information that are substantially similar to the principles contained in the Protection of Personal Information Act as well as includes provisions that are substantially similar to those contained in the POPIA ACT relating to the further transfer of personal information from the recipient to third parties.

8 Conditions of the Popi Act

The POPI Act sets out 8 conditions for the lawful processing of personal information.

Condition 1: Accountability

The entity needs to ensure that the processing of personal information is lawful and that there is a person responsible for compliance with POPIA and for maintaining an up-to-date record of the information processed.

Condition 2: Processing Limitation

Personal information must be processed lawfully and in a reasonable manner by ensuring that only authorised information is processed for the purpose for which it was intended, and that it is relevant and not excessive.

Condition 3: Purpose Specification

Entities need to inform owners of personal information about the purpose for which they are collecting their information and how the information will be used, and must ensure that the information they collect and retain is for specific and well-defined purposes that relate to an activity of the entity.

Condition 4: Further processing limitation

Any further processing of personal information must still be in accordance with the original purpose for which the information was collected and to which the data subject gave their consent.

Condition 5: Information quality

The entity must ensure the quality of all personal information collected: it must be complete, accurate, up to date and not misleading.

Condition 6: Openness

Data subjects must always be made aware that their personal information is being collected, as well as the purpose for which it is being collected. Entities are, by the same token, required to maintain proper documentation of all processing operations.

Condition 7: Security Safeguards

All entities are required to put in place security measures to protect the integrity and confidentiality of personal information collected from loss, unauthorized access, unauthorized modification, unauthorized use, or disclosure. As soon as an entity finds out that personal information of data subjects has been accessed without authorization, it must report it to the Information Regulator.

Condition 8: Data Subject Participation

Through the data subject participation condition, entities must ensure that data subjects have the right to access, modify and delete their personal information.

How to Comply with the POPIA Act

  1. Appoint an Information Officer

Every entity needs to appoint an information officer who is responsible for overseeing compliance with the POPIA Act. The information officer appointment must be registered with the Information Regulator by visiting https://www.inforegulator.org.za/ . The information officer would be responsible for cooperating with the Information Regulator in the event of any investigations on privacy compliance, as well as dealing with any privacy requests from data subjects. It is recommended that the CEO or deputy should fulfil the role of information officer.

2. The entity, through its information officer, needs to conduct a personal information impact assessment (PIIA) of the entity's operations to ensure that adequate measures are in place to comply with the conditions for the lawful processing of personal information. The assessment would shed light on what information is collected by the entity and how the information is secured, used, modified, or destroyed. It is essentially a review of your organization's marketing practices.

3. You need to develop or update your PAIA Manual in terms of the Promotion of Access to Information Act (PAIA), which requires all entities in South Africa to have one. The PAIA Manual clarifies to data subjects the steps they can take to have access to their information held by the entity.

4. Draft a privacy policy. Always have it on your website.

5. Conduct a POPIA awareness training session within the entity to educate your staff about the provisions of the POPI Act as they relate to what information can be collected, stored and shared, and what to do in the event of a data breach.

6. Review your organization's personal information sharing with outside stakeholders such as suppliers or partners or any person that processes personal information on behalf of the entity. The entity must ensure that there is an agreement in place with any 3rd party that processes information on behalf of the entity to satisfy itself that there are adequate security measures in place to protect information as prescribed under the POPI Act.

7. Ensure that all employees that have access to clients' personal information or process such information sign an undertaking to comply with the POPI Act.

8. Obtain data subject consent for the processing of their personal information, notify them of how their data is being stored and with whom it is being shared, and make available a means through which they can opt out of you using their information.

9. Maintain documentation of all processing information.


Penalties or fines for non-compliance

Non-compliance with the POPI Act leads to a fine of up to R10 million or 12 months imprisonment, or both a fine and imprisonment.