- (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and the birth of the person;
- (b) information relating to the education or the medical, financial, criminal, or employment history of the person;
- (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- (d) the biometric information of the person;
- (e) the personal opinions, views, or preferences of the person;
- (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- (g) the views or opinions of another individual about the person; and
- (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
- (a) the collections, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- (b) dissemination by means of transmission, distribution, or making available in any other form; or
- (c) merging, linking, as well as restricting, degrading, erasing, or destroying of information.
Instead of sensitive personal information, POPIA describes a category of special personal information in Section 26 of the law as:
- Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information;
- Criminal behavior of the data subject, to the extent that it relates to
- the data subject’s alleged commission of any offense or participation in any
- proceedings regarding any offense allegedly committed
What Does the Protection of Personal Information Act Cover?
POPIA covers the personal information of individuals in South Africa and describes conditions for the lawful processing of that data.
It also regulates the flow of personal information outside of South African borders.
Requirements of the Protection of Personal Information Act
POPIA outlines several legal requirements for collecting and processing personal information.
Reasons for Processing Personal Information
Under POPIA, you can only process personal information for the following reasons, as outlined in Chapter 2, Section 11 of the law:
- The data subject consents to the processing.
- Processing is necessary to carry out actions for the performance of a contract.
- Processing complies with an obligation outlined by a law on the responsible party.
- Processing protects the legitimate interest of the data subject.
- Processing is necessary for pursuing the legitimate interests of the responsible party.
When necessary, businesses under POPIA are responsible for proving they’ve obtained adequate consent from data subjects.
However, data subjects can object to data processing at any time for any of the reasons listed above unless legally required, and responsible parties must comply with the requests.
Consent
Consent under POPIA has a specific opt-in definition that closely aligns with how the GDPR defines the term.
Users must actively volunteer using an “informed expression of will,” and the agreement must be for a specific purpose regarding processing their personal information.
Conditions for Lawful Processing
There are eight conditions for lawful processing outlined by POPIA, which include the following:
- Accountability: The covered entity is responsible for ensuring compliance with all aspects of POPIA.
- Processing limitation: Processing personal data must be reasonable, lawful, and processed for the purpose provided to the user, among other requirements.
- Purpose specification: Responsible parties can only collect data for a lawful, specifically defined purpose, cannot retain it for longer than necessary, and must take steps to ensure data subjects are aware of the data collection.
- Further processing limitations: Any additional collection and further processing of data must be for the purposes provided to the consumer unless the responsible party obtains consent or the data comes from public sources.
- Information quality: The responsible party must make reasonable efforts to ensure the personal data collected is accurate, not misleading, and updated.
- Openness: Responsible parties must document all processing activities and make reasonable efforts to inform data subjects about the collection and use of their personal data.
- Security safeguards: Responsible parties must make reasonable efforts to protect the collected data and are required to notify data subjects if an unauthorized breach occurs.
- Data subject participation: Data subjects that provide proof of identity have the right to access the data collected about them.
Responsible parties must follow all eight of the above conditions for processing when collecting and using personal information from South African data subjects.
Notification of Security Breaches
One of the conditions of lawful processing under POPIA requires responsible parties to inform data subjects and the Information Regulator if an unauthorized party ever accesses information.
As explained in Chapter 3, Section 22 of the law, this notification must happen as soon as reasonably possible, with few exceptions.
The notification must be in writing and communicated in one of the following ways:
- Mailed to the last known address of the data subject
- Sent via email
- Placed in a prominent position on the responsible party’s website
- Published in the news
- Another method as directed by the Information Regulator
In addition, the notification must include:
- A description of the consequences of the security breach
- The measures the business will take to address the compromise
- How the responsible party plans to mitigate such an offense from occurring again
- The identity of the unauthorized party, if known
International Data Transfers
POPIA describes requirements for international data transfers in Chapter 9, Section 72, which states that responsible parties cannot transfer personal data to a foreign country unless:
- The third-party recipient is subject to a law, binding corporate rule, or other agreement upholding the principles of POPIA.
- The data subject consents to the data transfer.
- Transferring the data is necessary for the performance or conclusion of a contract.
- The data transfer benefits the data subject, and it’s not practicable to obtain consent from the subject, or if it were, they would likely give consent.
POPIA vs. Global Data Privacy Laws: Similarities and Differences
South Africa is one of several countries and regions that has a comprehensive consumer data privacy law, and it shares some similarities with the following pieces of legislation:
- The California Consumer Privacy Act (CCPA)
- Europe’s General Data Protection Regulation (GDPR)
- Brazil’s General Data Protection Law (LGPD)
- Argentina’s Personal Data Protection Act (Argentina PDPA)
- Thailand’s Personal Data Protection Act (Thailand PDPA)
- Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
- Australia’s Privacy Act 1988 (the Privacy Act)
- New Zealand’s Privacy Act 2020
You can compare POPIA to other global privacy laws in the table below.
| Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information |
| POPIA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CCPA | ✓ | ✓ | ✓ | ✓ | ||
| GDPR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| LGPD | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Argentina PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Thailand PDPA | ✓ | ✓ | ✓ | ✓ | ✓ | |
| PIPEDA | ✓ | ✓ | ✓ | |||
| Privacy Act 1988 | ✓ | ✓ | ✓ | ✓ | ||
| Privacy Act 2020 | ✓ | ✓ | ✓ | ✓ | ✓ |
*With some exceptions for some laws.
How Does the POPIA Impact Consumers?
POPIA impacts consumers by granting them various rights and control over how covered entities collect and use their personal information.
According to Chapter 2, Section 5 of the law, data subjects have the right to:
- Be notified that their personal information is being collected.
- Be notified if an unauthorized person accesses their information.
- Access their personal information.
- Request to correct, destroy, or delete their information.
- Object to the processing of their personal information on reasonable grounds.
- Object to the processing of personal information for the purpose of direct marketing.
- Not be subject to decision-making based on the automated processing of their data.
Additionally, data subjects have the right to submit a complaint to the Information Regulator if they feel a covered entity violates their rights and can pursue civil proceedings.
Who Does the POPIA Apply To?
According to the definition of person in Section 1 of the Protection of Personal Information Act, the Act applies to both natural and juristic persons in South Africa.
In other words, it protects the personal information of individuals and organizations capable of suing or being sued in a court of law.
How Does the POPIA Impact Businesses?
Along with the contractual obligations, international data transfers, and legal basis for processing data mentioned above, the Protection of Personal Information Act impacts a business’s privacy policy and cookie policy.
How Does the POPIA Affect My Privacy Policy?
Under Section 18 of the POPIA, responsible parties must take “reasonably practical steps” to ensure their consumers are aware of their data processing activities.
The easiest way to meet these standards is to provide data subjects with a POPIA-compliant privacy policy informing them of all of the following:
- The information collected and what source information comes from, if not from the subjects themselves.
- The responsible party’s name and address.
- The purpose of collecting the information.
- Whether providing personal information is voluntary or not for the data subject.
- Any laws authorizing or requiring the collection of the information.
- If the responsible party intends to transfer the information internationally.
Additionally, you must list the recipients or category of recipients of the data, the nature of the category of the information, and the existence of all rights of the data subjects.
How Does the POPIA Affect My Cookie Policy?
POPIA significantly effects cookie policies and the general use of internet cookies.
Because data subjects have a right to know if their data is collected, and cookies can collect personal information, websites must present users with a clear, accurate cookie policy.
South Africa’s data privacy law also requires website owners to get permission from users to place cookies on their browsers, so businesses must use a consent banner or other mechanism to obtain an opt-in agreement.
Who Must Comply With the POPIA?
Your business must comply with POPIA if you process personal information and are located in South Africa or if you’re located elsewhere but make use of automated or non-automated means in the country, as outlined in Chapter 2, Section 3.
Unlike some other privacy laws, POPIA does apply to non-profit entities.
Who Is Exempt From the POPIA?
Data collected and processed for personal or household activities is exempt from POPIA, as are certain public bodies related to national security.
How Can Businesses Prepare for the POPIA?
To prepare for complying with the Protection of Personal Information Act, businesses should update their privacy policy to meet all notification requirements outlined by the law.
It’s also necessary to post an accurate cookie policy and use a cookie banner to allow your South African users to act on their rights to object to processing.
You can also link a Data Subject Access Request (DSAR) form to your website to help people easily follow through on their rights.
How Is the POPIA Enforced?
The Information Regulator enforces all aspects of POPIA and performs investigations when a business allegedly violates the law.
Fines and Penalties Under the Protection of Personal Information Act
Depending on the severity of the infraction, violating POPIA can lead to a fine of up to R10 million ($536,000), up to 10 years in jail, or both.
Minor offenses lead to smaller fines of up to R1 million ($53,000) or one year of imprisonment.
How Does Termly Help With POPIA Compliance?
Termly can help simplify your POPIA compliance because our Privacy Policy Generator includes the necessary clauses to satisfy the notification requirements outlined by the law.
Vetted by our legal team and data privacy experts, it asks basic questions about your business and its data processing activities.
It makes a unique policy based on your answers that you can embed on your website or app and update anytime directly in your Termly dashboard.
We also provide a Consent Management Platform (CMP) configurable to meet the POPIA opt-out requirements regarding targeted advertising.
Are There Other Privacy Related Laws in South Africa?
A few other privacy-related laws exist in South Africa besides POPIA, including the following:
- Financial Intelligence Centre Act (FICA): Requires financial institutions to retain financial records and transactions with their clients for up to five years to combat money laundering.
- National Strategic Intelligence Act (NSIA): Regulates what agencies can participate in covert intelligence gathering and outlines guidelines for their functionality.
In addition, other industry and sector-specific laws complement POPIA, like the Consumer Protection Act (CPA) and the National Health Act (NHA).
Summary
If your business falls under the scope of South Africa’s Protection of Personal Information Act, make sure you take the steps to meet all obligations outlined by the law, including:
- Posting a compliant privacy policy to meet all notification requirements.
- Using a cookie consent banner and updating your cookie policy.
- Following all contractual obligations if you work with any third-party processors.
- Implementing adequate security measures to keep personal information safe.
Simplify your POPIA compliance using Termly’s Privacy Policy Generator and Consent Management Platform.
More about the author
Written by Anokhy Desai CIPP/US, CIPT, CIPM
Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author
