The POPIA or POPI Act upholds individuals’ constitutional entitlement to privacy while simultaneously ensuring the unimpeded exchange of information. South Africa’s extensive legislation concerning privacy, referred to as the Protection of Personal Information Act (POPIA), was enforced on July 1, 2021. Explore our guide to POPIA compliance below and make sure your business stays on the right side of the law.
What is POPIA Legislation?
The Protection of Personal Information Act (POPIA) is designed to safeguard the interests of South African citizens, akin to the data privacy standards set forth by the GDPR in the European Union.
POPIA Act Overview
- Outlines the procedures and guidelines for handling data related to both individuals and legal entities.
- Grants individuals’ specific rights pertaining to their personal data.
- Institutes an autonomous governing body responsible for enforcing these regulations.
Key Definitions Within the POPI Act
- Data subject: Refers to the individual to whom the information pertains.
- Responsible party: Denotes the individual or organisation responsible for processing personal data, encompassing individuals, businesses, non-profit entities, and governmental organisations (similar to the “Controller” in the GDPR).
- Operator: Signifies the individual or organisation processing information on behalf of the responsible party (resembling the “Processor” in the GDPR).
POPIA & Consent
POPIA stipulates that the processing of personal information is permissible only with the consent of the data subject, except in cases where the individual has an existing contractual relationship with an organisation, and data processing is essential as per the contract, or when there exists a legal basis for collecting or processing personal information.
POPIA’s definition of consent aligns with GDPR consent requirements, emphasising that consent must be:
- Voluntary: Data subjects must have the freedom to make an active choice, and consent cannot be tied to the use of a product or service. This means that imposing “cookie walls” is not allowed under the POPI Act.
- Specific: Consent should be obtained for a particular purpose and must not be vague or unclear. POPIA specifies that personal information must be collected for a well-defined, lawful purpose related to the responsible party’s function or activity. For example, if consent is needed for sending marketing emails, it should be explicitly obtained for that sole purpose.
- Informed: Data subjects must be fully informed about what they are consenting to and how their data will be processed upfront.
Exceptions to Consent Requirement in POPIA
- Contract: Processing is necessary to fulfil obligations outlined in a contract to which the data subject is a party.
- Legal obligation: Processing is required to meet legal obligations imposed by law on the responsible party.
- Performance of law: Processing is necessary for carrying out a public law duty by a public body.
- Legitimate interest: Processing is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is provided.
How to Become POPIA Compliant
To POPIA-proof your website and get valid consent from users or customers, our guide to POPIA compliance includes a checklist you can follow:
And here’s more information regarding the POPI Act for websites:
FAQ on POPIA South Africa
What does POPIA mean in South Africa?
The Protection of Personal Information (POPI) Act or POPIA is a South African privacy law that mandates the set conditions for the lawful processing of personal information processed by public and private bodies, regulates the international flow of personal information, and defines the rights of data subjects.
Is the POPI Act in effect in South Africa?
Yes, the POPIA or POPI Act is currently in effect in South Africa. The POPIA came into effect on July 1, 2020, with a 12-month grace period for businesses to comply. The deadline was July 1, 2021.
Which country does the POPI Act apply to?
POPI Act applies to every business in South Africa, including international companies that do business in South Africa, and that collects, uses, stores, or processes personal information from a data subject (natural or legal entity) in South Africa. Under POPIA, the data subjects include all South Africans (citizens and residents).
What type of personal information is not protected under POPIA?
POPIA protects the processing of personal information, which includes any information relating to an identifiable, living, natural person or juristic person (companies, trusts, etc.).
However, there are certain types of personal information that are not protected under POPIA, including:
- Information that is already in the public domain such as information available on social media, press or other public sources.
- Personal information processed for personal or domestic purposes.
- Personal information granted an exemption by the Regulator (Section 37) in case
Public interest outweighs the interference of privacy, or
The benefit to the data subject (or third party) outweighs the interference of privacy
POPIA cites examples of what public interest entails including the interests of national security, economic and financial interests of a public body and historical, statistical or research.
Can you sue someone for the POPI Act?
Yes, you can sue someone for violating POPIA in South Africa. The POPIA provides for the right to civil action i.e., individuals can face both criminal and civil liability for non-compliance with the provisions of the Act.
Section 99(1) of the Act provides that the data subject, or the Regulator at the request of the data subject, can initiate a civil action for damages in a court against a responsible party for violation of the POPI Act, whether there is intent or negligence on the part of the responsible party. In addition, the Information Regulator may also impose administrative fines, issue compliance notices, or initiate criminal proceedings against the responsible party.
Should I appoint an Information Officer under POPIA?
Every single organisation in South Africa has a default Information Officer as per the Promotion of Access to Information Act or PAIA in South Africa.
Under POPIA, an Information Officer is a person who is responsible for ensuring that the organisation complies with the POPI Act and works with the Regulator in relation to investigations conducted into the organisation.
Please refer to Section 55 of POPIA where the duties and responsibilities of the Information Officer are set out.
Is POPIA and GDPR the same thing?
The POPI Act shares several key resemblances with the GDPR, encompassing principles such as transparency, accountability, security, data minimisation, and the rights afforded to data subjects. If your business falls under the purview of both regulations, here’s a concise comparison to assist you:
POPIA applies to data subjects who are identified or identifiable natural persons.
GDPR applies to data subjects who can be either natural persons or juristic persons.
POPIA applies to organisations based in South Africa or those processing personal data within South Africa.
GDPR applies to any organisation processing personal data of EU residents, regardless of their location.
POPIA establishes an Information Regulator under Section 39.
GDPR allows member states to establish a Supervisory Authority and define its roles and responsibilities.
POPIA imposes a maximum fine of 10 million ZAR (approximately €490,000) and allows for up to 10 years of imprisonment.
GDPR sets penalties of up to 4% of the global annual turnover or €20 million, with no provisions for imprisonment.
POPIA permits cross-border transfers to third countries or organisations with an adequate level of protection determined by the EU Commission.
GDPR prohibits international transfers unless the recipient is subject to a law, binding corporate rules, or a binding agreement providing an adequate level of protection.
Under POPIA, data breaches must be reported to the supervisory authority without undue delay, within 72 hours after discovery.
GDPR mandates that data breaches be reported as soon as reasonably possible following their discovery.