Protection of Personal Information Act (POPIA), South Africa [Infographics]

South Africa’s comprehensive privacy law known as the Protection of Personal Information Act (POPIA) came into effect on July 1, 2021. POPIA or POPI Act gives individuals the constitutional right to privacy by safeguarding their personal information at the same time protecting the flow of information. 

According to a recent survey by TPN Credit Bureau on how ready companies are for the Act, only 8% of the businesses scored above 80% for their POPIA readiness. It’s time for businesses in South Africa to brace themselves for POPIA and take appropriate measures to get compliant.

The Protection of Personal Information Act (POPIA) aims to protect the citizens of South Africa similar to the data privacy standards established by the GDPR in the EU.

POPI Act summary

• Sets out the rules and regulations for processing information about individuals and juristic persons
• Provides rights to individuals regarding their personal information
• Establishes an independent regulator to enforce the regulation

Key definitions under POPIA

• Data subject: the person to whom the information belongs.
• Responsible party: the person or organisation that processes personal information such as individuals, businesses, non-profits, and governmental organisations. (Controller in the GDPR).
• Operator: the person or organisation that processes the information on behalf of the responsible party (Processor in the GDPR) 

POPIA or the POPI Act applies to organisations processing (collecting, using or otherwise handling) the personal information of South Africans.

• Under POPIA, personal information can be related to a “natural person” (a human being) and also a “juristic person” i.e. an independent legal entity such as a company.
• The law applies to any data processor that is domiciled (legally based) in South Africa. 
• POPIA also applies to processors outside of South Africa if they “makes use of automated or non-automated means” in the country. 

Exemptions under POPIA

• Personal information processed for personal purposes or household activity.
• The data processor is a public body involved in national security, defence, public safety, anti-money laundering or Cabinet or Executive Council of the Province or as part of a judicial function.

What is personal information in POPIA?   

Personal information is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information about a person includes, but is not limited to:

• Name and age
• Race
• Gender/sexual orientation
• Marital status
• National, ethnic, or social origin
• Religion, beliefs, or culture
• Language
• Educational, medical, financial, criminal, or employment history
• ID number
• Email address, contact number
• Physical address
• Location
• Photo, video, voice recordings
• Biometric information

• Right to be notified that the data subject’s personal information is collected (including access by an unauthorized person)
• Right to request access personal information
• Right to request correction, destruction or deletion of personal information
• Right to object (on reasonable grounds) to the processing of personal information
• Right to object (on reasonable grounds) to the processing of personal information 
• Right to object processing for the purpose of direct marketing by means of unsolicited electronic communications 
• Right to not be subject to decisions based solely on automated processing of personal information
• Right to submit a complaint to the Information Regulator
• Right to initiate civil proceedings for any violation

POPIA sets out eight conditions for someone to use and process an individual’s personal information. They are:

1. Accountability: The responsible party is accountable for compliance with the act i.e. they must ensure that the conditions for lawful processing are complied with.
2. Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject. 
3. Purpose specification: The responsible party must only collect personal information for a specific, explicitly defined purpose, and must not retain the information for longer than necessary to meet that purpose.
4. Further processing limitation: The responsible party should only process the information they need to adequately fulfil the purpose for which it is being used.
5. Information quality: The responsible party must ensure the personal information collected is complete, accurate, up-to-date and not misleading.
6. Openness: The responsible party must main the documentation of all processing and take steps to ensure information is provided to the data subject transparently.
7. Security safeguards: The responsible party must (i) take reasonable technical and organizational measures to secure personal information and (ii) ensure that the operator who processes personal information for the business establishes and maintains these security measures. (iii) notify the regulator and the data subject as soon as reasonably possible, in case of a data breach or compromise.
8. Data subject participation: The responsible party must allow data subjects to access their personal information, including the identity of any third parties it is shared with. Businesses may also be required to correct, delete or destroy personal information.

POPIA states that personal information may only be processed if the data subject consents unless the individual already has a contract in place with an organisation and where the processing of their personal information is required in terms of the contract, or where there is a reason in law for collecting or processing personal information.

Similar to GDPR consent requirements, consent must be:

• Voluntarily i.e. the data subject must have an active choice and consent should not be made conditional for using a product, service etc. This means cookie walls are not permissible under POPIA.
• Specific i.e. consent should also be taken for a specific purpose and cannot be vague, or ambiguous. POPIA states that the “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”. For instance, if consent is required for sending marketing emails, take explicit consent for only that purpose.
• Informed i.e. the data subject should be made aware of what they are consenting to and how their data will be processed upfront. 

• Contract: The processing is necessary to carry out actions as per the contract to which the data subject is a party.
• Legal obligation: The processing is required to fulfil an obligation imposed by law on the responsible party.
• Legitimate interest: The processing is in the interest of the data subject.
• Performance of law: The processing is necessary for the performance of a public law duty by a public body.
• Legitimate interest: The processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

To POPIA-proof your website and get valid consent from users or customers, here’s a POPIA compliance checklist:

• Provide an opt-in mechanism to consent whenever users are asked for their personal information.
• To get consent for direct marketing (email, calls SMS etc.), make a consent request via Form 4 of POPIA (here’s an example).
• Give users an easy method to opt-out or withdraw consent from direct marketing communications, such as an unsubscribe link in an email. 
• Be clear that you are requesting consent for a specific purpose. Consent should not be bundled with other terms and conditions.
• Give consumers a method to exercise their free choice such as by the option to tick a checkbox or click a button.
• Keep records of when and how consent was obtained and the purpose to which the user gave consent.
• Give users the ability to withdraw consent in an easy way.

POPIA does not expressly regulate the use of cookies, but the definition of ‘unique identifier in POPIA includes any information relating to an identifiable person or juristic entity.

This means identifiers like cookie IDs or IP addresses can be used to identify a person, so cookies can be subject to POPIA. In this regard, businesses need to take consent from visitors to deploy cookies on their browsers.

POPIA cookie consent checklist

If you are a website owner with visitors from South Africa, here are the POPIA cookie consent requirements that need to comply with:

• Get consent from visitors through cookie banners before deploying cookies on their browser
• Block third-party scripts from loading till the user gives consent
• Keep a record of visitors’ cookie consent and how it was obtained for proof of compliance
• Have an up-to-date privacy policy on your website available at all points of information collection.
• Create a custom cookie policy and disclose all the cookies used on your website
• Use a cookie consent solution to collect and manage your cookie consent
• Give users an easy method to opt-out of the use of cookies or withdraw the consent they gave

Here’s an example of a cookie banner, created with CookieYes CMP that can help you business stay compliant with POPIA.

The legislation allows for the following penalties:

• A fine between 1 Million and 10 Million ZAR or 
• Imprisonment of 1 to 10 years 
• The payment for damages incurred to the data subject as per POPIA’s private right of action.

POPIA South Africa establishes an Information Regulator, first appointed in December 2016, that has spent close to 5 years preparing for the rollout of the regulation. The office of the Information Regulator will be responsible for enforcing the legislation. 

• POPIA gives the Information Regulator extensive powers to investigate and fine responsible parties. 
• Data subjects can register their complaint with the Information Regulator, who will then initiate action on behalf of the data subjects. 

POPIA or POPI Act shares many similarities with the GDPR, including principles of transparency, accountability, security, data minimisation, and the rights of data subjects. If your business is subject to both regulations, here’s a helpful comparison between the two.

POPIA vs GDPR
	Protection of Personal Information Act (POPIA)	General Data Protection Regulation (GDPR)
Personal scope	Applies to the data subject who is an identified or identifiable natural person.	Applies to the data subject who is a natural person or a juristic person.
Territorial scope	Applies to organizations that are based in South Africa or process personal data in South Africa.	Applies to any organization that processes the personal data of EU residents.
Regulator	Established an Information Regulator under Section 39 of POPIA.	Member states can establish a Supervisory Authority and determine its roles and responsibilities.
Penalties	Maximum fine of 10 million ZAR (approx. €490,000). Provision for up to 10 years of imprisonment.	Up to 4% of global annual turnover or €20 million. The GDPR does not establish provisions for imprisonment.
Data transfer	Cross-border transfers are permitted to a third country or organization party that that has an adequate level of protection as determined by the EU Commission.	Prohibits the international transfer unless the recipient is subject to a law, binding corporate rules, or binding agreement which provide an adequate level of protection
Data breach	Data breach must be notified to the supervisory authority without undue delay within 72 hours after the discovery of the breach.	Data breach must be notified as soon as reasonably possible after the discovery of the compromise.

What does POPIA mean in South Africa?

The Protection of Personal Information (POPI) Act or POPIA is a South African privacy law that mandates the sets conditions for the lawful processing of personal information processed by public and private bodies, regulates the international flow of personal information, and defines the rights of data subjects.

Is the POPI Act in effect in South Africa?

Yes, POPIA or POPI Act is currently in effect in South Africa. The POPIA came into effect on July 1, 2020, with a 12-month grace period for businesses to comply. The deadline was July 1, 2021. 

Which country does the POPI Act apply to?

POPI Act applies to every business in South Africa, including international companies that does business in South Africa, that collects, uses, store or process personal information from a data subject (natural or legal entity) in South Africa. Under POPIA, the data subjects include all South Africans (citizens and residents). 

What type of personal information is not protected under POPIA?

POPIA protects the processing of personal information, which includes any information relating to an identifiable, living, natural person or juristic person (companies, trusts, etc.).

However, there are certain types of personal information that are not protected under POPIA, including:

• Information that is already in the public domain such as information available on social media, press or other public sources.
• Personal information processed for personal or domestic purposes.
• Personal information granted an exemption by the Regulator (Section 37) in case
  • Public interest outweighs the interference of privacy, or
  • The benefit to the data subject (or third party) outweighs the interference of privacy

POPIA cites examples of what public interest entails including the interests of national security, economic and financial interests of a public body and historical, statistical or research.

Can you sue someone for POPI Act?

Yes, you can sue someone for violating POPIA in South Africa. The POPIA provides for the right to civil action i.e. individuals can face both criminal and civil liability for non-compliance with the provisions of the Act.

Section 99(1) of the Act provides that the data subject, or the Regulator at the request of the data subject, can initiate a civil action for damages in a court against a responsible party for violation of the POPI Act, whether or not there is intent or negligence on the part of the responsible party. In addition, the Information Regulator may also impose administrative fines, issue compliance notices, or initiate criminal proceedings against the responsible party.

Should I appoint an Information Officer under POPIA?

Every single organisation in South Africa has a default Information Officer as per the Promotion of Access to Information Act or PAIA in South Africa.

Under POPIA, an Information Officer is a person who is responsible for ensuring that the organisation complies with the POPI Act and works with the Regulator in relation to investigations conducted into the organization.

Please refer to Section 55 of POPIA where the duties and responsibilities of the Information Officer are set out.