POPIA: Compliance with South Africa’s data protection law

What is the South African Protection of Personal Information Act (POPIA)?

The Protection of Personal Information Act (POPIA) is a data protection regulation that protects the personal information of persons in South Africa by establishing requirements for its collection, processing, and use.

Unlike many global data protection regulations that only protect personal information or personal data of natural persons or individuals, POPIA also safeguards personal information of juristic persons. This includes companies, trusts, nonprofits, and partnerships, among others.

The purpose of POPIA (Section 2) is to:

• safeguard personal information 
• establish conditions that regulate how personal information may be processed
• provide data subjects with rights and remedies for the protection of personal information 
• establish measures to ensure compliance and enforce the rights of data subjects

Who does the Protection of Personal Information Act apply to?

Under Section 3, POPIA applies to the processing of personal information using automated or non-automated means “by or for a responsible party” that is either:

• located in South Africa

    or

• processes personal information inside South Africa, even if located outside South Africa

All South African companies must comply with POPIA. The law does not have compliance thresholds like the state-level privacy laws in the United States do. Companies located outside the country must comply if data subjects, whose personal information is being processed, are in South Africa.

The term “by or for a responsible party” places POPIA compliance obligations on two types of entities based on the role they play in processing personal information, defined as “responsible party” and “operator” under the law.

A responsible party means “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.” This is similar to a data controller under other data privacy laws like the European Union’s (EU) General Data Protection Regulation (GDPR).

An operator means “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party” and functions in the same manner as a data processor under other regulations.

POPIA applies to responsible parties and operators that process personal information, which includes:

• collecting, receiving, recording, organizing, collating, storing, updating or modifying, retrieving, altering, consulting, or using personal information
• disseminating personal information by means of transmission, distribution or making it available in any other form
• merging, linking, restricting, degrading, erasing or destroying personal information

What is personal data under the Protection of Personal Information Act?

POPIA has a broad definition of personal data, known as personal information under the law, which encompasses information relating to an identifiable, living, natural person or existing juristic person, including but not limited to:

• names, addresses, telephone numbers, email addresses
• information about age, race, gender, appearance, ethnic or social origin, characteristics, sexual orientation, political convictions, religious beliefs, language, culture
• health data such as physical or mental health, well-being, disabilities
• online identifiers such IP addresses, cookies, unique IDs, search and browser history, location data
• biometric information such as blood type, fingerprint, DNA, retinal scan, voice recognition
• their personal opinions, views, or preferences, and the views of another individual about that person
• private or confidential correspondence 

POPIA’s broad personal information definition covers activities that happen on most websites in the world, such as first- and third-party cookies collecting IP addresses, search and browser history, trackers setting unique IDs, and more.

If your website processes personal information from people inside South Africa, e.g. through the use of cookies and similar trackers, you must comply with POPIA.

Exemptions from POPIA requirements

Section 6 specifies that the POPIA law does not apply to the processing of personal information:

• exclusively for personal or household activities
• that has been deidentified or anonymized and cannot be reidentified 
• by a public body, with adequate safeguards to protect the personal information, when done:
  • in the interest of national security
  • against unlawful activities and money laundering
  • while investigating offenses
  • for prosecuting offenders
  • for executing sentences or security measures
• by the Cabinet and its committees or the Executive Council of a province
• relating to a court’s judicial functions

Section 7 provides a further exclusion for personal information processed “solely for the purpose of journalistic, literary or artistic expression” to balance the right to privacy with freedom of expression. Where a responsible party that is subject to a code of ethics processes personal information for journalistic purposes, this code will apply to the processing instead of the POPIA law.

Processing of special personal information under POPIA

The South Africa data protection law prohibits the processing of special personal information (Section 26), known as “sensitive personal information” under the GDPR, without authorization under conditions laid down in Sections 27 to 33.

Special personal information includes:

• religious or philosophical beliefs
• race or ethnic origin
• trade union membership
• political persuasion
• health or sex life
• biometric information
• criminal behavior, including the commission of an offense or any proceedings in respect of an offense

Data subject rights under the Protection of Personal Information Act

Like the EU’s GDPR and Brazil’s General Data Protection Law (LGPD), POPIA in South Africa establishes a set of rights (Section 5) that data subjects can exercise.

• Right to be notified about collection and processing of personal information, and if their personal information has been accessed or acquired by an unauthorized person
• Right to access personal information held by a responsible party
• Right to request correction, destruction, or deletion of personal information
• Right to object to the processing of personal information on reasonable grounds
• Right to not have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications
• Right to not be subject to a decision based solely on automated processing that significantly affects them
• Right to submit complaints to the Information Regulator
• Right to seek an effective judicial remedy through civil proceedings

What are POPIA’s requirements for processing personal information?

POPIA law establishes eight minimum requirements that organizations must meet for lawful processing of personal information. These are broadly similar to the principles relating to processing of personal data under the GDPR. Organizations must meet all these requirements for POPIA compliance.

1. Accountability

Under Section 8, responsible parties must ensure that they follow all the rules and conditions of the law, both when deciding why and how to process personal information and while processing the information. This means being diligent about data protection right from the planning stage and continuing through the entire process of collecting, using, and managing the data, a concept known as privacy by design.

2. Processing limitation

Responsible parties must ensure that information is processed lawfully and in a reasonable manner without infringing on data subjects’ privacy rights (Section 9). Section 10 provides for minimality, meaning that the responsible party should only process personal information that is “adequate, relevant, and not excessive” for the purpose of processing.

The processing of personal information can only be done if one of six legal bases is applicable (Section 11):

• with the data subject’s consent
• where necessary to conclude or perform a contract with the data subject
• to comply with a legal obligation
• to protect the data subject’s legitimate interest
• where necessary to perform a public law duty by a public body
• in the legitimate interests of the responsible party or a third party who has the personal information

With certain exceptions, personal information must be collected directly from the data subject in order to be processed (Section 12). Exceptions include when the information is available from a public record, when the data subject has made the information public, or the data subject has consented to the collection from another source, among others.

3. Purpose specification

Section 13 provides that the responsible party can only collect personal information for a specific and legal purpose that has been explicitly defined, and that the data subject has been made aware of the purpose. Responsible parties can only retain the information for as long as necessary to achieve the stated purpose and must destroy, delete, or deidentify personal information once it is no longer needed (Section 14).

4. Further processing limitation

Except in specific circumstances laid out in Section 15, any additional processing of personal information must be compatible with the original purpose for which the data subject gave consent. The exceptions include when:

• the data subject has consented to further processing
• the personal information is available in a public record or the data subject has made it public
• further processing is necessary for the maintenance of law, to comply with a legal obligation, for legal proceedings, or in the interest of national security
• further processing is necessary to prevent a threat to public health or safety, or life or health of the data subject or another individual
• the information is used for historical, statistical, or research purposes
• the Information Regulator has granted an exemption

5. Information quality

The responsible party must make sure that the personal information is complete, accurate, not misleading, and kept updated.

6. Openness

Under Sections 17 and 18, the responsible party must document all processing operations and notify data subjects when collecting personal information about the conditions of processing.

7. Security safeguards

POPIA requires responsible parties to ensure the integrity and confidentiality of personal information. The responsible party must, under Section 19, take appropriate, reasonable, technical, and organizational measures to prevent:

• loss of, damage to, or unauthorized destruction of personal information
• unlawful access to or processing of personal information 

An operator or third party acting on behalf of a responsible party or operator can only process personal information with authorization and confidentiality (Section 20). A responsible party must enter into a contract with an operator and ensure that the operator maintains the security measures required by the POPIA law (Section 21).

Section 22 contains detailed steps for the responsible party to take if a security breach occurs, including notifying the Information Regulator and data subjects affected by the breach.

8. Data subject participation

Sections 23 and 24 of the POPIA law require responsible parties to ensure that data subjects can exercise their rights under the regulation to access, correct, and delete their personal information.

Consent under the Protection of Personal Information Act

Consent is a legal basis for processing personal information under POPIA, and is defined as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.” This means that consent must be given freely, for a specific purpose, and with a clear understanding of what is being consented to.

Similar to the GDPR and LGPD, POPIA requires explicit or opt-in consent from data subjects before a responsible party can collect or process their personal information. This consent must be specific, meaning it must be given for a defined purpose, and informed, meaning data subjects must be made aware of what they are consenting to.

Under Section 11, the responsible party must be able to prove that the data subject has given consent to the collection of personal information. Additionally, data subjects have the right to withdraw consent at any time.

Using a cookie banner can be an effective way to obtain explicit consent from data subjects online for the use of tracking cookies. A POPIA-compliant cookie banner enables responsible parties to:

• clearly inform users about the types of cookies used on the website and their purposes
• provide detailed information about data handling practices through links to privacy policies and cookie policies
• offer explicit options for users to accept, decline, or customize their consent preferences
• enable users to withdraw consent already given
• record the user’s preferences, ensuring a clear record of explicit consent

Cookie banners help achieve compliance with POPIA’s requirements for explicit consent and maintain transparency and control for data subjects.

What is a POPIA-compliant privacy policy?

POPIA requires responsible parties to provide data subjects with detailed information about their data processing practices under Section 18. This information can commonly be found in a privacy policy and must include:

• what information is collected and where it is collected from, if not from the data subject
• name and address of the responsible party
• purpose(s) for collecting personal information
• whether it is mandatory or voluntary for data subjects to supply the personal information
• what are the consequences if data subjects don’t provide the personal information
• any specific law that authorizes or requires the collection of the personal information
• transfer of personal information to a third party or international organization, if applicable
• recipient or category of recipients of the personal information
• nature or category of the personal information
• data subjects’ rights under the law
• contact details for the Information Regulator

Responsible parties must share these details with data subjects before collecting personal information from them. These details can be shared on a cookie consent banner, with a link to a detailed privacy policy from the banner. A website footer is a common place to link to the privacy policy so that it is accessible from every page of the website.

Processing of personal information of children under the Protection of Personal Information Act

Under POPIA, personal information concerning children, defined as individuals under the age of 18, is subject to strict processing conditions.  Since children under 18 are not legally responsible for making their own decisions, their personal information cannot be processed without the necessary safeguards.

In most cases, processing children’s personal information requires obtaining prior consent from a parent, guardian, or another legal representative, referred to as a “competent person.” 

Sections 34 and 35 outline the rules and conditions for processing children’s personal information. 

The conditions under which children’s personal information can be processed include: 

• with prior consent of a competent person
• for compliance with legal obligations
• for historical, statistical or research purposes that serve a public interest
• when the personal information has been made public by the child with their consent of a competent person

Information officer under the Protection of Personal Information Act

Under Section 55, organizations are required to appoint an Information Officer, a role similar to a Data Protection Officer as found in the GDPR. The Information Officer encourages compliance with the Act and manages data protection practices within the organization. Organizations may also appoint one or more Deputy Information Officers to assist the Information Officer if necessary. 

The responsible party must register the Information Officer and any deputies with the Information Regulator before they may begin their duties, which include ensuring compliance, managing data subject requests, collaborating with the Information Regulator on investigations, and overseeing data protection practices.

Enforcement of the Protection of Personal Information Act

The main independent supervisory and enforcing body under POPIA is theInformation Regulator,established under Section 39 of the law and given the responsibilities of:

• providing education about the South African data protection law and compliance with it
• monitoring and enforcing compliance of companies and organizations that process personal information in South Africa
• addressing complaints from data subjects regarding their personal information
• creating guidelines, regulations, and industry codes of conduct for practical compliance with POPIA
• facilitating foreign cooperation for the enforcement of compliance with POPIA outside of South Africa

The Information Regulator is a juristic person and consists of five persons: a Chairperson and four members.

Data subjects have the right to submit a complaint in writing to the Information Regulator for the protection of their personal information. The Information Regulator may investigate the complaint and take action if necessary or discontinue the investigation if no further action is required. It may also refer the complaint to the Enforcement Committee established under Section 50 of the POPIA law.

The Information Regulator may decide not to take action on a complaint if they deem the complaint to be trivial, frivolous, vexatious, or not made in good faith, or if the complainant does not have sufficient personal interest in the matter. 

It may also decide not to take action if too long has passed between the date when the alleged infringement occurred and complaint was made, which would make investigation difficult. In these cases, the Information Regulator must inform the complainant of its decision and the reason why it has decided not to take action.

Fines and penalties under the Protection of Personal Information Act

The maximum administrative fines under Section 109 of POPIA are ZAR 10 million (~USD 550,000). When determining the fine amount, the Information Regulator must take into account:

• the nature of the personal information involved
• the duration and extent of the violation
• the number of data subjects affected or potentially affected
• whether or not the infringement raises an issue of public importance
• the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects
• whether the responsible party or a third party could have prevented the infringement
• any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information
• whether the responsible party has previously committed an offense under POPIA

Section 107 includes penalties for any person convicted of certain offenses under POPIA, which may include a fine, a prison sentence, or both. Depending on the severity of the violation, the penalty could include a prison sentence of up to 12 months or up to 10 years, depending on the type and severity of violation, and is imposed by a Magistrate’s Court.

How to be compliant with the Protection of Personal Information Act

There are some steps organizations can take to achieve POPIA compliance.

1. Audit your website’s use of cookies and other trackers

Understanding which cookies your website uses is essential for POPIA compliance so you can accurately inform data subjects about your data processing activities. Start by thoroughly auditing your website to identify all cookies and trackers in use. Tools like Cookiebot CMP can automatically scan your site, detect cookies and trackers and control or block their usage depending on consent, and generate a comprehensive report. This report helps you list these cookies and trackers on your cookie consent banner, enabling transparency. By clearly listing and explaining the purpose of each cookie, you inform your users and can meet regulatory requirements.

2. Create a comprehensive privacy policy

A dedicated privacy policy can help you comply with POPIA’s openness requirements. Your privacy policy should include: 

• types of personal information collected
• purposes for processing this information
• consequences if data subjects don’t provide the personal information
• data subjects’ rights under POPIA
• contact details for the Information Regulator

A detailed list of information to include can be found in Section 18 of the POPIA law. Ensure your privacy policy is updated whenever there are changes in your data handling practices.

3. Obtain explicit user consent

User consent must be explicit, specific, and informed to be valid under POPIA. If you handle personal information of individuals or entities in South Africa, a consent management platform (CMP) like Cookiebot CMP can help you obtain valid consent.

A POPIA-compliant cookie consent banner from Cookiebot CMP enables you to collect and record opt-in consent from users. It supports granular consent collection, enabling users to consent to certain purposes while rejecting others. Additionally, it provides an easy way for users to change or withdraw their consent at any time.

4. Appoint an Information Officer

POPIA law requires all responsible parties to appoint an Information Officer. You may also appoint Deputy Information Officers if your business requires them to help handle the tasks of the Information Officer, based on the volume and types of duties. Ensure you appoint an Information Officer and register them, as well as any Deputy Information Officers, with the Information Regulator as required by the law.

GDPR vs POPIA: Key provisions and differences

The EU’s GDPR is reflected in several aspects of South Africa’s POPIA, but there are also differences. It makes good sense to hold them up against each other to spot the similarities and key differences in the laws that are vital for websites and companies to be aware of, in order to navigate the two regimes and comply with POPIA and the GDPR if needed for your business.

Personal information and data subjects under POPIA and GDPR

POPIA defines personal information as information relating to an identifiable, living, and natural person, which is very close to the GDPR and its definition of personal data as information relating to an identified or identifiable natural person (“data subject”, as both laws call it).

However, POPIA also includes juristic persons in its definition of data subjects and therefore protects the personal information of companies, organizations, and other legal entities. The GDPR strictly limits its definition to human individuals.

This obviously has great significance, because it allows companies to not only be “responsible parties” but also “data subjects”, with rights to the “personal” information collected and shared about them.

Consent under POPIA and GDPR

When it comes to the definitions of consent, POPIA and the GDPR are very similar.

POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information,” whereas the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes”.

Both require explicit, opt-in consent to collect and process the personal information of data subjects, who must be informed of what they are consenting to. Consent must be specific for a given purpose.

Scope of GDPR vs POPIA

POPIA applies to processing done by websites, companies, organizations, and other legal entities that are located inside of South Africa as well as those that are located outside of South Africa if they process personal information inside South Africa (not only passing data through the country).

The GDPR applies to any processing of personal data from inside the EU,regardless of where in the world the data controller and/or data processor is located.

Data controllers in GDPR and POPIA

The GDPR is very clear when it comes to dividing the responsibility between a data controller and a data processor (i.e. an entity processing personal data on behalf of the data controller) and specifies how both must obtain GDPR compliance under the term joint controllers.

By not having joint controllers in the law like the GDPR, POPIA creates a bigger liability for websites and companies, who are ultimately responsible for all processing of their end users’ information, even if it’s being done by third-party ad tech companies or social media platforms embedded on their websites through cookies and trackers.

Information Officer in POPIA and GDPR

The GDPR’s Data Protection Officer is mirrored in POPIA as the Information Officer that every responsible party must appoint. However, the role of the Information Officer under POPIA differs significantly from its GDPR equivalent.

Under the GDPR, the Data Protection Officer has to have specific expertise and training in EU data privacy law but is not automatically required in every company or organization, and in fact can be an external, independent supervisor.

Under POPIA, the Information Officer is compulsory for every company and organization. The law also enables companies and organizations to appoint Deputy Information Officers, a position without equivalent in the GDPR.

Does the GDPR apply to South Africa?

Yes, as the GDPR applies to South African companies if they process the personal data of EU residents. This means that if a South African business offers goods or services to individuals in the EU, collects personal data from them, or monitors their behavior, it must comply with GDPR requirements. This extraterritorial application helps ensure that the data protection rights of EU residents are maintained regardless of where the processing takes place.

Summary: POPIA in South Africa

Here’s a breakdown of the key provisions of POPIA.

• POPIA took full effect on July 1, 2020 and enforcement began on July 1, 2021.
• The law applies to any company or organization processing personal information in South Africa, which is domiciled in the country, or not domiciled but making use of automated or non-automated means of processing in the country.
• POPIA protects the personal information of South African citizens as well as legal entities such as companies, trusts, and partnerships.
• POPIA creates actionable rights for South African data subjects, including but not limited to the right to access, right to correction, and right to deletion.
• POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject is central. Itdefines consent as any voluntary, specific, and informed expression of will.

Fines for non-compliance with POPIAcan range up to ZAR 10 million (~USD 550,000). It is also one of the rare data protection regulations where infringement can result in imprisonment.

FAQ