Data privacy laws exist worldwide, affecting businesses that collect and process the personal information of their website’s visitors.
In South Africa, individuals are protected by the Protection of Personal Information Act, also called POPIA or the POPI Act.
In this guide, learn about who POPIA applies to, what it requires from businesses, the penalties for violating the law, and how to simplify POPIA compliance.
- What Is South Africa’s Protection of Personal Information Act (POPIA)?
- POPIA Key Terms and Definitions
- What Does the Protection of Personal Information Act Cover?
- Requirements of the Protection of Personal Information Act
- POPIA vs. Global Data Privacy Laws: Similarities and Differences
- How Does the POPIA Impact Consumers?
- How Does the POPIA Impact Businesses?
- Who Must Comply With the POPIA?
- How Can Businesses Prepare for the POPIA?
- How Is the POPIA Enforced?
- Fines and Penalties Under the Protection of Personal Information Act
- How Does Termly Help With POPIA Compliance?
- Are There Other Privacy Related Laws in South Africa?
What Is South Africa’s Protection of Personal Information Act (POPIA)?
The Protection of Personal Information Act, sometimes called POPIA or POPI Act, is South Africa’s leading consumer data privacy law.
It’s a comprehensive piece of legislation that safeguards the personal data of individuals in South Africa by outlining requirements and obligations for entities that collect, process, and use that information.
It shares many similarities with Europe’s General Data Protection Regulation (GDPR) but differs in notable ways — for example, penalties for violating POPIA could lead to possible jail time.
When Did POPIA Take Effect?
Parliament passed POPIA in November 2013, but it didn’t take effect until July 1, 2020.
It originally had a one-year grace period for businesses to ready themselves for compliance, so the bulk of the law became enforceable on July 1, 2021.
However, the Section 58 requirement to notify the Information Regulator if data processing is subject to prior authorization entered into action on February 1, 2022.
Today, the law is fully in effect.
POPIA Key Terms and Definitions
To fully understand how to comply with POPIA, it’s important to familiarize yourself with how the law defines certain terms, which are included below:
What Does the Protection of Personal Information Act Cover?
POPIA covers the personal information of individuals in South Africa and describes conditions for the lawful processing of that data.
It also regulates the flow of personal information outside of South African borders.
Requirements of the Protection of Personal Information Act
POPIA outlines several legal requirements for collecting and processing personal information.
Reasons for Processing Personal Information
Under POPIA, you can only process personal information for the following reasons, as outlined in Chapter 2, Section 11 of the law:
- The data subject consents to the processing.
- Processing is necessary to carry out actions for the performance of a contract.
- Processing complies with an obligation outlined by a law on the responsible party.
- Processing protects the legitimate interest of the data subject.
- Processing is necessary for pursuing the legitimate interests of the responsible party.
When necessary, businesses under POPIA are responsible for proving they’ve obtained adequate consent from data subjects.
However, data subjects can object to data processing at any time for any of the reasons listed above unless legally required, and responsible parties must comply with the requests.
Consent under POPIA has a specific opt-in definition that closely aligns with how the GDPR defines the term.
Users must actively volunteer using an “informed expression of will,” and the agreement must be for a specific purpose regarding processing their personal information.
Conditions for Lawful Processing
There are eight conditions for lawful processing outlined by POPIA, which include the following:
Responsible parties must follow all eight of the above conditions for processing when collecting and using personal information from South African data subjects.
Notification of Security Breaches
One of the conditions of lawful processing under POPIA requires responsible parties to inform data subjects and the Information Regulator if an unauthorized party ever accesses information.
As explained in Chapter 3, Section 22 of the law, this notification must happen as soon as reasonably possible, with few exceptions.
The notification must be in writing and communicated in one of the following ways:
- Mailed to the last known address of the data subject
- Sent via email
- Placed in a prominent position on the responsible party’s website
- Published in the news
- Another method as directed by the Information Regulator
In addition, the notification must include:
- A description of the consequences of the security breach
- The measures the business will take to address the compromise
- How the responsible party plans to mitigate such an offense from occurring again
- The identity of the unauthorized party, if known
International Data Transfers
POPIA describes requirements for international data transfers in Chapter 9, Section 72, which states that responsible parties cannot transfer personal data to a foreign country unless:
- The third-party recipient is subject to a law, binding corporate rule, or other agreement upholding the principles of POPIA.
- The data subject consents to the data transfer.
- Transferring the data is necessary for the performance or conclusion of a contract.
- The data transfer benefits the data subject, and it’s not practicable to obtain consent from the subject, or if it were, they would likely give consent.
POPIA vs. Global Data Privacy Laws: Similarities and Differences
South Africa is one of several countries and regions that has a comprehensive consumer data privacy law, and it shares some similarities with the following pieces of legislation:
- The California Consumer Privacy Act (CCPA)
- Europe’s General Data Protection Regulation (GDPR)
- Brazil’s General Data Protection Law (LGPD)
- Argentina’s Personal Data Protection Act (Argentina PDPA)
- Thailand’s Personal Data Protection Act (Thailand PDPA)
- Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
- Australia’s Privacy Act 1988 (the Privacy Act)
- New Zealand’s Privacy Act 2020
You can compare POPIA to other global privacy laws in the table below.
|Data Privacy Law
|Requires opt-in consent*
|Outlines contractual obligations with third parties
|Holds businesses accountable for data security
|Has specific requirements for international data transfers
|Requires additional guidelines for categories of sensitive (special) information
|Privacy Act 1988
|Privacy Act 2020
*With some exceptions for some laws.
How Does the POPIA Impact Consumers?
POPIA impacts consumers by granting them various rights and control over how covered entities collect and use their personal information.
According to Chapter 2, Section 5 of the law, data subjects have the right to:
- Be notified that their personal information is being collected.
- Be notified if an unauthorized person accesses their information.
- Access their personal information.
- Request to correct, destroy, or delete their information.
- Object to the processing of their personal information on reasonable grounds.
- Object to the processing of personal information for the purpose of direct marketing.
- Not be subject to decision-making based on the automated processing of their data.
Additionally, data subjects have the right to submit a complaint to the Information Regulator if they feel a covered entity violates their rights and can pursue civil proceedings.
Who Does the POPIA Apply To?
According to the definition of person in Section 1 of the Protection of Personal Information Act, the Act applies to both natural and juristic persons in South Africa.
In other words, it protects the personal information of individuals and organizations capable of suing or being sued in a court of law.
How Does the POPIA Impact Businesses?
Under Section 18 of the POPIA, responsible parties must take “reasonably practical steps” to ensure their consumers are aware of their data processing activities.
- The information collected and what source information comes from, if not from the subjects themselves.
- The responsible party’s name and address.
- The purpose of collecting the information.
- Whether providing personal information is voluntary or not for the data subject.
- Any laws authorizing or requiring the collection of the information.
- If the responsible party intends to transfer the information internationally.
Additionally, you must list the recipients or category of recipients of the data, the nature of the category of the information, and the existence of all rights of the data subjects.
POPIA significantly effects cookie policies and the general use of internet cookies.
South Africa’s data privacy law also requires website owners to get permission from users to place cookies on their browsers, so businesses must use a consent banner or other mechanism to obtain an opt-in agreement.
Who Must Comply With the POPIA?
Your business must comply with POPIA if you process personal information and are located in South Africa or if you’re located elsewhere but make use of automated or non-automated means in the country, as outlined in Chapter 2, Section 3.
Unlike some other privacy laws, POPIA does apply to non-profit entities.
Who Is Exempt From the POPIA?
Data collected and processed for personal or household activities is exempt from POPIA, as are certain public bodies related to national security.
How Can Businesses Prepare for the POPIA?
You can also link a Data Subject Access Request (DSAR) form to your website to help people easily follow through on their rights.
How Is the POPIA Enforced?
The Information Regulator enforces all aspects of POPIA and performs investigations when a business allegedly violates the law.
Fines and Penalties Under the Protection of Personal Information Act
Depending on the severity of the infraction, violating POPIA can lead to a fine of up to R10 million ($536,000), up to 10 years in jail, or both.
Minor offenses lead to smaller fines of up to R1 million ($53,000) or one year of imprisonment.
How Does Termly Help With POPIA Compliance?
Vetted by our legal team and data privacy experts, it asks basic questions about your business and its data processing activities.
It makes a unique policy based on your answers that you can embed on your website or app and update anytime directly in your Termly dashboard.
We also provide a Consent Management Platform (CMP) configurable to meet the POPIA opt-out requirements regarding targeted advertising.
Are There Other Privacy Related Laws in South Africa?
A few other privacy-related laws exist in South Africa besides POPIA, including the following:
- Financial Intelligence Centre Act (FICA): Requires financial institutions to retain financial records and transactions with their clients for up to five years to combat money laundering.
- National Strategic Intelligence Act (NSIA): Regulates what agencies can participate in covert intelligence gathering and outlines guidelines for their functionality.
If your business falls under the scope of South Africa’s Protection of Personal Information Act, make sure you take the steps to meet all obligations outlined by the law, including:
- Following all contractual obligations if you work with any third-party processors.
- Implementing adequate security measures to keep personal information safe.