Protection of Personal Information Act (POPIA) South Africa

Overview

The Protection of Personal Information Act (POPIA), also known as Act No. 4 of 2013, is South Africa's principal data privacy law. POPIA has been fully enforced since July 1, 2021 and governs the processing of personal information in South Africa. It aims to promote the protection of personal information processed by both public and private bodies and to ensure individuals' rights to privacy while balancing legitimate business needs.


Regulation Summary

Timeline
  • November 19, 2013: POPIA signed into law.
  • July 1, 2020: Effective date of certain provisions to allow for compliance readiness.
  • July 1, 2021: Full enforcement begins, including penalties for non-compliance.
What Businesses Are Affected
  • Entities in South Africa processing personal data.
  • Businesses outside South Africa handling South African residents’ data.
  • Public and private bodies across industries.
Exemptions
  • Personal Use: Data processing for personal or household activities.
  • Journalistic Activities: Processing for journalistic, literary, or artistic purposes under specific conditions.
  • Public Bodies: National security and law enforcement activities.
Responsibilities for Businesses

Under POPIA, businesses must comply with the following principles:

  • Accountability: Ensure compliance with the Act’s conditions for lawful processing.
  • Processing Limitation: Process information lawfully and minimally.
  • Purpose Specification: Collect data for a specific, explicitly defined, and lawful purpose.
  • Further Processing Limitation: Align further processing with the initial purpose.
  • Information Quality: Ensure that information is complete, accurate, and updated.
  • Openness: Inform individuals about data collection practices.
  • Security Safeguards: Implement measures to protect data integrity and confidentiality.
  • Data Subject Participation: Allow individuals to access and correct their personal data.

Additionally, businesses must appoint an Information Officer to:

  • Ensure compliance with POPIA.
  • Handle requests made under the Act.
  • Liaise with the Information Regulator on investigations and compliance matters.

Information Officers must be registered with the Information Regulator before taking up their duties. 

Specific Responsibilities for Website Owners
  • Privacy Policies: Display clear and accessible privacy notices.
  • Cookie Management: Obtain user consent for cookies and trackers.
  • Secure Transactions: Ensure data protection during online transactions.
  • Data Requests: Facilitate requests for access, correction, or deletion of personal data.
Additional Requirements
  • Data Breach Notification: Report data breaches to the Information Regulator and affected individuals within a reasonable time.
  • Cross-Border Transfers: Ensure adequate protection for international data transfers.
  • Data Protection Officer (DPO): Appoint a DPO to oversee compliance where necessary.
Data Subject Rights
  • Access: Request access to their personal data.
  • Correction: Request correction of inaccurate or outdated data.
  • Objection: Object to the processing of personal information.
  • Erasure: Request deletion of personal data where applicable.
  • Automated Decision-Making: Restrict decisions based solely on automated processing.
Enforcement
  • Oversight Body: The Information Regulator monitors compliance with POPIA.
  • Penalties:
    • Administrative fines up to ZAR 10,000,000 (approximately USD 530,000).
    • Criminal liability, including imprisonment of up to 10 years, for severe violations.
    • Civil claims for damages filed by affected individuals.

support@clym.io
+1 980 446 8535 +1 866 275 2596