The purpose of POPIA (Section 2<\/a>) is to:<\/p>\n\n\n\n Under Section 3<\/a>, POPIA applies to the processing of personal information using automated or non-automated means \u201cby or for a responsible party\u201d that is either:<\/p>\n\n\n\n or<\/p>\n\n\n\n All South African companies must comply with POPIA. The law does not have compliance thresholds like the state-level privacy laws in the United States<\/a> do. Companies located outside the country must comply if data subjects, whose personal information is being processed, are in South Africa.<\/p>\n\n\n\n The term \u201cby or for a responsible party\u201d places POPIA compliance obligations on two types of entities based on the role they play in processing personal information, defined as \u201cresponsible party\u201d and \u201coperator\u201d under the law.<\/p>\n\n\n\n A responsible party means \u201ca public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.\u201d <\/em>This is similar to a data controller under other data privacy laws like the European Union's (EU) General Data Protection Regulation (GDPR)<\/a>.<\/p>\n\n\n\n An operator means \u201ca person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party\u201d<\/em> and functions in the same manner as a data processor under other regulations.<\/p>\n\n\n\n POPIA applies to responsible parties and operators that process personal information, which includes:<\/p>\n\n\n\n POPIA has a broad definition of personal data, known as personal information under the law, which encompasses information relating to an identifiable, living, natural person or existing juristic person, including but not limited to:<\/p>\n\n\n\n POPIA's broad personal information definition covers activities that happen on most websites in the world, such as first- and third-party cookies collecting IP addresses, search and browser history, trackers setting unique IDs, and more.<\/p>\n\n\n\n If your website processes personal information from people inside South Africa, e.g. through the use of cookies and similar trackers, you must comply with POPIA.<\/p>\n\n\n\n Section 6<\/a> specifies that the POPIA law does not apply to the processing of personal information:<\/p>\n\n\n\n Section 7<\/a> provides a further exclusion for personal information processed \u201csolely for the purpose of journalistic, literary or artistic expression\u201d to balance the right to privacy with freedom of expression. Where a responsible party that is subject to a code of ethics processes personal information for journalistic purposes, this code will apply to the processing instead of the POPIA law.<\/p>\n\n\n\n The South Africa data protection law prohibits the processing of special personal information (Section 26<\/a>), known as \u201csensitive personal information\u201d under the GDPR, without authorization under conditions laid down in Sections 27 to 33<\/a>.<\/p>\n\n\n\n Special personal information includes:<\/p>\n\n\n\n Like the EU's GDPR and Brazil's General Data Protection Law (LGPD<\/a>), POPIA in South Africa establishes a set of rights (Section 5<\/a>) that data subjects can exercise.<\/p>\n\n\n\n POPIA law establishes eight minimum requirements that organizations must meet for lawful processing of personal information. These are broadly similar to the principles relating to processing of personal data under the GDPR. Organizations must meet all these requirements for POPIA compliance.<\/p>\n\n\n\n Under Section 8<\/a>, responsible parties must ensure that they follow all the rules and conditions of the law, both when deciding why and how to process personal information and while processing the information. This means being diligent about data protection right from the planning stage and continuing through the entire process of collecting, using, and managing the data, a concept known as privacy by design<\/a>.<\/p>\n\n\n\n Responsible parties must ensure that information is processed lawfully and in a reasonable manner without infringing on data subjects\u2019 privacy rights (Section 9<\/a>). Section 10<\/a> provides for minimality, meaning that the responsible party should only process personal information that is \u201cadequate, relevant, and not excessive\u201d for the purpose of processing.<\/p>\n\n\n\n The processing of personal information can only be done if one of six legal bases is applicable (Section 11<\/a>):<\/p>\n\n\n\n With certain exceptions, personal information must be collected directly from the data subject in order to be processed (Section 12<\/a>). Exceptions include when the information is available from a public record, when the data subject has made the information public, or the data subject has consented to the collection from another source, among others.<\/p>\n\n\n\n Section 13<\/a> provides that the responsible party can only collect personal information for a specific and legal purpose that has been explicitly defined, and that the data subject has been made aware of the purpose. Responsible parties can only retain the information for as long as necessary to achieve the stated purpose and must destroy, delete, or deidentify personal information once it is no longer needed (Section 14<\/a>).<\/p>\n\n\n\n Except in specific circumstances laid out in Section 15<\/a>, any additional processing of personal information must be compatible with the original purpose for which the data subject gave consent. The exceptions include when:<\/p>\n\n\n\n The responsible party must make sure that the personal information is complete, accurate, not misleading, and kept updated.<\/p>\n\n\n\n Under Sections 17 and 18<\/a>, the responsible party must document all processing operations and notify data subjects when collecting personal information about the conditions of processing.<\/p>\n\n\n\n POPIA requires responsible parties to ensure the integrity and confidentiality of personal information. The responsible party must, under Section 19<\/a>, take appropriate, reasonable, technical, and organizational measures to prevent:<\/p>\n\n\n\n An operator or third party acting on behalf of a responsible party or operator can only process personal information with authorization and confidentiality (Section 20<\/a>). A responsible party must enter into a contract with an operator and ensure that the operator maintains the security measures required by the POPIA law (Section 21<\/a>).<\/p>\n\n\n\n Section 22<\/a> contains detailed steps for the responsible party to take if a security breach occurs, including notifying the Information Regulator and data subjects affected by the breach.<\/p>\n\n\n\n Sections 23 and 24<\/a> of the POPIA law require responsible parties to ensure that data subjects can exercise their rights under the regulation to access, correct, and delete their personal information.<\/p>\n\n\n\n Consent is a legal basis for processing personal information under POPIA, and is defined as \u201cany voluntary, speci\ufb01c and informed expression of will in terms of which permission is given for the processing of personal information.\u201d <\/em>This means that consent must be given freely, for a specific purpose, and with a clear understanding of what is being consented to.<\/p>\n\n\n\n Similar to the GDPR and LGPD, POPIA requires explicit or opt-in consent from data subjects before a responsible party can collect or process their personal information. This consent must be specific, meaning it must be given for a defined purpose, and informed, meaning data subjects must be made aware of what they are consenting to.<\/p>\n\n\n\n Under Section 11<\/a>, the responsible party must be able to prove that the data subject has given consent to the collection of personal information. Additionally, data subjects have the right to withdraw consent at any time.<\/p>\n\n\n\n Using a cookie banner<\/a> can be an effective way to obtain explicit consent from data subjects online for the use of tracking cookies<\/a>. A POPIA-compliant cookie banner enables responsible parties to:<\/p>\n\n\n\n Cookie banners help achieve compliance with POPIA's requirements for explicit consent and maintain transparency and control for data subjects.<\/p>\n\n\n POPIA requires responsible parties to provide data subjects with detailed information about their data processing practices under Section 18<\/a>. This information can commonly be found in a privacy policy and must include:<\/p>\n\n\n\n Responsible parties must share these details with data subjects before collecting personal information from them. These details can be shared on a cookie consent banner, with a link to a detailed privacy policy from the banner. A website footer is a common place to link to the privacy policy so that it is accessible from every page of the website.<\/p>\n\n\n\n Under POPIA, personal information concerning children, defined as individuals under the age of 18, is subject to strict processing conditions. Since children under 18 are not legally responsible for making their own decisions, their personal information cannot be processed without the necessary safeguards.<\/p>\n\n\n\n In most cases, processing children's personal information requires obtaining prior consent from a parent, guardian, or another legal representative, referred to as a \"competent person.\" <\/p>\n\n\n\n Sections 34 and 35<\/a> outline the rules and conditions for processing children's personal information.\u00a0<\/p>\n\n\n\n The conditions under which children's personal information can be processed include: <\/p>\n\n\n\n Under Section 55<\/a>, organizations are required to appoint an Information Officer, a role similar to a Data Protection Officer as found in the GDPR. The Information Officer encourages compliance with the Act and manages data protection practices within the organization. Organizations may also appoint one or more Deputy Information Officers to assist the Information Officer if necessary.\u00a0<\/p>\n\n\n\n The responsible party must register the Information Officer and any deputies with the Information Regulator before they may begin their duties, which include ensuring compliance, managing data subject requests, collaborating with the Information Regulator on investigations, and overseeing data protection practices.<\/p>\n\n\n\n The main independent supervisory and enforcing body under POPIA is the <\/strong>Information Regulator, <\/strong>established under Section 39<\/a> of the law and given the responsibilities of:<\/p>\n\n\n\n The Information Regulator is a juristic person and consists of five persons: a Chairperson and four members.<\/p>\n\n\n\n Data subjects have the right to submit a complaint in writing to the Information Regulator for the protection of their personal information. The Information Regulator may investigate the complaint and take action if necessary or discontinue the investigation if no further action is required. It may also refer the complaint to the Enforcement Committee established under Section 50<\/a> of the POPIA law.<\/p>\n\n\n\n The Information Regulator may decide not to take action on a complaint if they deem the complaint to be trivial, frivolous, vexatious, or not made in good faith, or if the complainant does not have sufficient personal interest in the matter. <\/p>\n\n\n\n It may also decide not to take action if too long has passed between the date when the alleged infringement occurred and complaint was made, which would make investigation difficult. In these cases, the Information Regulator must inform the complainant of its decision and the reason why it has decided not to take action.<\/p>\n\n\n\n The maximum administrative fines under Section 109<\/a> of POPIA are ZAR 10 million (~USD 550,000). When determining the fine amount, the Information Regulator must take into account:<\/p>\n\n\n\n\n
Who does the Protection of Personal Information Act apply to?<\/h2>\n\n\n\n
\n
\n
\n
What is personal data under the Protection of Personal Information Act?<\/h2>\n\n\n\n
\n
Exemptions from POPIA requirements<\/h3>\n\n\n\n
\n
\n
Processing of special personal information under POPIA<\/h3>\n\n\n\n
\n
Data subject rights under the Protection of Personal Information Act<\/h2>\n\n\n\n
\n
What are POPIA\u2019s requirements for processing personal information?<\/h2>\n\n\n\n
![\"POPIA](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/07\/cb_blog_770x513_sthafrica_popia_202406_4.svg\")
<\/figure>\n\n\n\n1. Accountability<\/h3>\n\n\n\n
2. Processing limitation<\/h3>\n\n\n\n
\n
3. Purpose specification<\/strong><\/h3>\n\n\n\n
4. Further processing limitation<\/h3>\n\n\n\n
\n
5. Information quality<\/h3>\n\n\n\n
6. Openness<\/h3>\n\n\n\n
7. Security safeguards<\/h3>\n\n\n\n
\n
8. Data subject participation<\/h3>\n\n\n\n
Consent under the Protection of Personal Information Act<\/h2>\n\n\n\n
\n
\n Obtain explicit consent with the help of a POPIA compliant cookie banner. Sign up for your free Cookiebot CMP trial. <\/h2>\n
What is a POPIA-compliant privacy policy?<\/h2>\n\n\n\n
\n
Processing of personal information of children under the Protection of Personal Information Act<\/h2>\n\n\n\n
\n
Information officer under the Protection of Personal Information Act<\/h2>\n\n\n\n
Enforcement of the Protection of Personal Information Act<\/h2>\n\n\n\n
\n
Fines and penalties under the Protection of Personal Information Act<\/h2>\n\n\n\n
![\"POPIA](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/07\/cb_blog_770x513_sthafrica_popia_202406_3.svg\")
<\/figure>\n\n\n\n\n
![\"POPIA](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/07\/cb_blog_770x513_sthafrica_popia_202406_2.svg\")
<\/figure>\n\n\n\n![\"GDPR](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2021\/07\/cb_blog_770x513_sthafrica_popia_202406_1.svg\")
<\/figure>\n\n\n\n