South Africa’s Protection of Personal Information Act (POPIA) Explained

Anokhy Desai CIPP/US, CIPT, CIPM

November 12, 2024

Data privacy laws exist worldwide, affecting businesses that collect and process the personal information of their website’s visitors.

In South Africa, individuals are protected by the Protection of Personal Information Act, also called POPIA or the POPI Act.

In this guide, I’ll explain who POPIA applies to, what it requires from businesses, the penalties for violating the law, and how to simplify POPIA compliance.

Table of Contents
  1. What Is South Africa’s Protection of Personal Information Act (POPIA)?
  2. POPIA Key Terms and Definitions
  3. What Does the Protection of Personal Information Act Cover?
  4. Requirements of the Protection of Personal Information Act
  5. POPIA vs. Global Data Privacy Laws: Similarities and Differences
  6. How Does the POPIA Impact Consumers?
  7. How Does the POPIA Impact Businesses?
  8. Who Must Comply With the POPIA?
  9. How Can Businesses Prepare for the POPIA?
  10. How Is the POPIA Enforced?
  11. Fines and Penalties Under the Protection of Personal Information Act
  12. How Does Termly Help With POPIA Compliance?
  13. Are There Other Privacy Related Laws in South Africa?
  14. Summary

What Is South Africa’s Protection of Personal Information Act (POPIA)?

The Protection of Personal Information Act, sometimes called POPIA or the POPI Act, is South Africa’s leading consumer data privacy law.

It’s a comprehensive piece of legislation that safeguards the personal data of individuals in South Africa by outlining requirements and obligations for entities that collect, process, and use that information.

It shares many similarities with Europe’s General Data Protection Regulation (GDPR) but differs in notable ways — for example, penalties for violating POPIA could lead to possible jail time.

When Did POPIA Take Effect?

Parliament passed POPIA in November 2013, but it didn’t take effect until July 1, 2020.

It originally had a one-year grace period for businesses to ready themselves for compliance, so the bulk of the law became enforceable on July 1, 2021.

However, the Section 58 requirement to notify the Information Regulator if data processing is subject to prior authorization took effect on February 1, 2022.

Today, the law is fully in effect.

POPIA Key Terms and Definitions

To fully understand how to comply with POPIA, it’s important to familiarize yourself with how the law defines certain terms, which I’ve included below:

What Does the Protection of Personal Information Act Cover?

POPIA covers the personal information of individuals in South Africa and describes conditions for the lawful processing of that data.

It also regulates the flow of personal information outside of South African borders.

Requirements of the Protection of Personal Information Act

POPIA outlines several legal requirements for collecting and processing personal information.

Reasons for Processing Personal Information

Under POPIA, you can only process personal information for the following reasons, as outlined in Chapter 2, Section 11 of the law:

  • The data subject consents to the processing.
  • Processing is necessary to carry out actions for the performance of a contract.
  • Processing complies with an obligation imposed by law on the responsible party.
  • Processing protects the legitimate interest of the data subject.
  • Processing is necessary for pursuing the legitimate interests of the responsible party.

When necessary, businesses under POPIA are responsible for proving they’ve obtained adequate consent from data subjects.

However, data subjects can object to data processing at any time for any of the reasons listed above unless legally required, and responsible parties must comply with the requests.

Consent

Consent under POPIA has a specific opt-in definition that closely aligns with how the GDPR defines the term.

Users must actively volunteer using an “informed expression of will,” and the agreement must be for a specific purpose regarding processing their personal information.

Conditions for Lawful Processing

There are eight conditions for lawful processing outlined by POPIA, which I’ve summarized for you below.

Responsible parties must follow all eight of the above conditions for processing when collecting and using personal information from South African data subjects.

Notification of Security Breaches

One of the conditions of lawful processing under POPIA requires responsible parties to inform data subjects and the Information Regulator if an unauthorized party ever accesses information.

As explained in Chapter 3, Section 22 of the law, this notification must happen as soon as reasonably possible, with few exceptions.

The notification must be in writing and communicated in one of the following ways:

  • Mailed to the last known address of the data subject
  • Sent via email
  • Placed in a prominent position on the responsible party’s website
  • Published in the news
  • Another method as directed by the Information Regulator

In addition, the notification must include:

  • A description of the consequences of the security breach
  • The measures the business will take to address the compromise
  • How the responsible party plans to mitigate such an offense from occurring again
  • The identity of the unauthorized party, if known

International Data Transfers

POPIA describes requirements for international data transfers in Chapter 9, Section 72, which states that responsible parties cannot transfer personal data to a foreign country unless:

  • The third-party recipient is subject to a law, binding corporate rule, or other agreement upholding the principles of POPIA.
  • The data subject consents to the data transfer.
  • Transferring the data is necessary for the performance or conclusion of a contract.
  • The data transfer benefits the data subject, and it’s not practicable to obtain consent from the subject, or if it were, they would likely give consent.

POPIA vs. Global Data Privacy Laws: Similarities and Differences

South Africa is one of several countries and regions that have a comprehensive consumer data privacy law, and it shares some similarities with the following pieces of legislation:

You can compare POPIA to other global privacy laws in the table I composed below.

Data Privacy Law | Requires opt-in consent* | Mandates publishing a privacy policy | Outlines contractual obligations with third parties | Holds businesses accountable for data security | Has specific requirements for international data transfers | Requires additional guidelines for categories of sensitive (special) information
POPIA
CCPA
GDPR
LGPD
Argentina PDPA
Thailand PDPA
PIPEDA
Privacy Act 1988
Privacy Act 2020

*With some exceptions for some laws.

How Does the POPIA Impact Consumers?

POPIA impacts consumers by granting them various rights and control over how covered entities collect and use their personal information.

According to Chapter 2, Section 5 of the law, data subjects have the right to:

  • Be notified that their personal information is being collected.
  • Be notified if an unauthorized person accesses their information.
  • Access their personal information.
  • Request to correct, destroy, or delete their information.
  • Object to the processing of their personal information on reasonable grounds.
  • Object to the processing of personal information for the purpose of direct marketing.
  • Not be subject to decision-making based on the automated processing of their data.

Additionally, data subjects have the right to submit a complaint to the Information Regulator if they feel a covered entity violates their rights and can pursue civil proceedings.

Who Does the POPIA Apply To?

According to the definition of person in Section 1 of the Protection of Personal Information Act, the Act applies to both natural and juristic persons in South Africa.

In other words, it protects the personal information of individuals and organizations capable of suing or being sued in a court of law.

How Does the POPIA Impact Businesses?

Along with the contractual obligations, international data transfers, and legal basis for processing data mentioned above, the Protection of Personal Information Act impacts a business’s privacy policy and cookie policy.

How Does the POPIA Affect My Privacy Policy?

Under Section 18 of the POPIA, responsible parties must take “reasonably practical steps” to ensure their consumers are aware of their data processing activities.

An easy way to meet these standards is to provide data subjects with a POPIA-compliant privacy policy informing them of the following:

  • The information collected and the source of that information, if it is not collected from the subjects themselves.
  • The responsible party’s name and address.
  • The purpose of collecting the information.
  • Whether providing personal information is voluntary or not for the data subject.
  • Any laws authorizing or requiring the collection of the information.
  • If the responsible party intends to transfer the information internationally.

Additionally, you must list the recipients or category of recipients of the data, the nature of the category of the information, and the existence of all rights of the data subjects.

How Does the POPIA Affect My Cookie Policy?

POPIA significantly affects cookie policies and the general use of internet cookies.

Because data subjects have a right to know if their data is collected, and cookies can collect personal information, websites must present users with a clear, accurate cookie policy.

South Africa’s data privacy law also requires website owners to get permission from users to place cookies on their browsers, so businesses must use a consent banner or other mechanism to obtain an opt-in agreement.

Who Must Comply With the POPIA?

Your business must comply with POPIA if you process personal information and are located in South Africa or if you’re located elsewhere but make use of automated or non-automated means in the country, as outlined in Chapter 2, Section 3.

Unlike some other privacy laws, POPIA does apply to non-profit entities.

Who Is Exempt From the POPIA?

Data collected and processed for personal or household activities is exempt from POPIA, as are certain public bodies related to national security.

How Can Businesses Prepare for the POPIA?

To prepare for complying with the Protection of Personal Information Act, businesses should update their privacy policy to meet all notification requirements outlined by the law.

It’s also necessary to post an accurate cookie policy and use a cookie banner to allow your South African users to act on their rights to object to processing.

You can also link a Data Subject Access Request (DSAR) form to your website to help people easily follow through on their rights.

How Is the POPIA Enforced?

The Information Regulator enforces all aspects of POPIA and performs investigations when a business allegedly violates the law.

Fines and Penalties Under the Protection of Personal Information Act

Depending on the severity of the infraction, violating POPIA can lead to a fine of up to R10 million ($536,000), up to 10 years in jail, or both.

Minor offenses lead to smaller fines of up to R1 million ($53,000) or one year of imprisonment.

How Does Termly Help With POPIA Compliance?

Termly can help simplify your POPIA compliance because our Privacy Policy Generator includes the necessary clauses to satisfy the notification requirements outlined by the law.

Vetted by our legal team and data privacy experts, it asks basic questions about your business and its data processing activities.

It makes a unique policy based on your answers that you can embed on your website or app and update anytime directly in your Termly dashboard.

We also provide a Consent Management Platform (CMP) configurable to meet the POPIA opt-out requirements regarding targeted advertising.

Are There Other Privacy Related Laws in South Africa?

A few other privacy-related laws exist in South Africa besides POPIA, including the following:

  • Financial Intelligence Centre Act (FICA): Requires financial institutions to retain financial records and transactions with their clients for up to five years to combat money laundering.
  • National Strategic Intelligence Act (NSIA): Regulates what agencies can participate in covert intelligence gathering and outlines guidelines for their functionality.

In addition, other industry and sector-specific laws complement POPIA, like the Consumer Protection Act (CPA) and the National Health Act (NHA).

Summary

If your business falls under the scope of South Africa’s Protection of Personal Information Act, make sure you take the steps to meet all obligations outlined by the law.

Post a compliant privacy policy on your site to meet all notification requirements, and use a cookie consent banner that links to your updated cookie policy.

Follow all contractual obligations if you work with any third-party processors, and remember to implement adequate security measures to keep personal information safe.

Simplify your POPIA compliance using Termly’s Privacy Policy Generator and Consent Management Platform.

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her master’s at Carnegie Mellon University and juris doctor at the University of Pittsburgh.
