Kickstart your POPIA compliance and avoid legal fines
Align your business with POPIA’s conditions for consent in just minutes with our end-to-end cookie consent solution.
The #1 cookie consent solution, trusted by 1.5 Million+ websites
Protection of Personal Information Act (POPIA or POPI Act) is a data protection law in South Africa that aims to regulate the processing of personal information by public and private entities. The Act seeks to protect the privacy of individuals and ensure that their personal data is processed in a fair and transparent manner. POPIA came into full effect on July 1, 2020.
POPIA Compliance Checklist for Websites
- Obtain user consent for cookies and trackers
- Maintain a record of all user consent
- Include an accurate, up-to-date privacy policy
- Limit data collection to legitimate purposes
- Notify DPAs and affected users of data breaches
Prepare for POPIA compliance with CookieYes
Obtain informed consent for cookies
POPIA requires that businesses process personal data only after obtaining informed consent from users, and that they let users withdraw consent easily.
Put consent management in auto-pilot
As obtaining consent is a key provision of POPIA, businesses should take measures to ensure ongoing compliance with its requirements for consent and proof of consent.
Generate POPIA-compliant policies
Under POPIA, businesses should implement a privacy policy to meet ‘openness’, a required condition for processing, and include in it information on the personal data collected, the purpose of collection, and more.
Achieve cookie compliance without spending hours
Learn more about POPIA and take the next step towards compliance
What is POPIA?
The Protection of Personal Information Act (POPIA) is a South African data protection law that imposes obligations on companies for processing personal data and grants certain rights to individuals to protect their privacy. POPIA aims to achieve a balance between the constitutional right to privacy and other competing rights and interests. POPIA was first passed in 2013 and came into effect on July 1st, 2021.
Who does POPIA apply to?
POPIA, or the POPI Act, applies to organisations processing the personal information of South Africans. Under POPIA, personal information can relate to a “natural person” or a “juristic person”, i.e. an independent legal entity such as a company. POPIA also applies to processors outside South Africa if they make use of automated or non-automated means within South Africa.
POPIA also provides for certain exclusions and exemptions, including data processing for purely personal or household activities, processing of data that has been irretrievably de-identified, and processing by a public body involved in national security, defence, public safety or anti-money laundering, by the Cabinet or the Executive Council of a province, or as part of a judicial function.
What are consumer rights under POPIA?
Right to be informed
The right to know about the personal data a business collects about them and how it is used and shared.
Right to access
The right to access personal data and to have it available in a clear and readable format, free of cost.
Right to correct
The right to request to correct, update, or complete personal data about them.
Right to object
The right to object and restrict the processing of personal data, and have information on the consequences of refusal.
Right to opt-out of automated processing
The right to not be subject to a decision which is based solely on the automated processing of personal information.
Right to complain
The right to challenge an organization’s compliance with the Act by raising the matter with the individual accountable for the organization’s compliance.
Right to civil action
The right to institute a civil action for damages against an organization for breach of any provision of the Act.
What is the penalty for non-compliance?
POPIA outlines penalties for non-compliance, which depend on the nature and severity of the violation. The monetary fines for more serious offences can go up to ZAR 10 million (approx. €490,000). Individuals may also face up to 10 years’ imprisonment for certain violations of the Act.
For less serious offences, the maximum penalty can be imprisonment not exceeding 12 months or a reduced fine. Data subjects who suffer as a result of a violation of POPIA can also initiate civil proceedings for damages.
FAQ on POPI Act Compliance
The Protection of Personal Information Act 4 of 2013 (POPI Act) is a South African law that aims to protect the personal information of individuals. It regulates how personal information is processed and provides individuals with rights and remedies to protect their personal information. POPIA sets out eight foundational conditions that organizations must comply with in order to protect personal information.
POPIA or POPI Act took effect on July 1, 2020, and enforcement began after a 1 year grace period on July 1, 2021.
Personal information in POPIA is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” It is important to note that POPIA’s definition of PI also includes a juristic person, i.e. an organization recognized by law to have rights and responsibilities like a natural person.
This information about a person includes, but is not limited to: demographic details such as name, age, race and gender; contact information such as email address, physical address and phone number; financial, employment and educational information; medical history; and biometric information.
There are some exceptions to the applicability of the POPI Act in South Africa. It does not apply if:
- Data processing is carried out for purely personal or household activity
- Data has been de-identified and cannot be re-identified
- Data processing is done by or on behalf of a public body
- Data processing is for national security
- Data processing is for the purpose of the prevention, detection and identification of the proceeds of unlawful activities
- Data processing is done by the Cabinet and its committees or the Executive Council of a province
- Data processing relates to the judicial functions of a court, or
- Data processing relates to terrorist and related activities
POPIA limits the transfer of personal data outside South Africa unless at least one of the prescribed safeguards set out by the Act is met and the transfer does not put the personal information at risk of breach of confidentiality or security.
Section 72 of the POPI Act sets out the conditions for the cross-border transfer of personal information. These include: the data subject consents to the transfer; the recipient of the PI is subject to Binding Corporate Rules (BCRs), or to processing conditions established “in harmony with international standards”; or the transfer is necessary to fulfil the terms of a contract.
The Information Regulator is the regulatory authority for the POPI Act in South Africa. It is the independent statutory body established by the Act and is responsible for monitoring and enforcing POPIA compliance by public and private bodies.
The Information Regulator has the power to investigate complaints, issue fines and take legal action against non-compliant entities. It regulates both POPIA and the Promotion of Access to Information Act (PAIA).
The GDPR has extra-territorial scope, meaning entities outside of the EU/EEA that collect the personal data of EU/EEA residents can come under the purview of GDPR.
This means businesses in South Africa that process the personal data of EU consumers must ensure that it is adequately protected, in accordance with GDPR standards.
As the POPI Act of South Africa shares many similarities with the GDPR, compliance with POPIA can also be a step towards compliance with the GDPR.
Fast-track your POPIA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.