The Protection of Personal Information Act, 4 of 2013 (POPIA) is South Africa’s comprehensive data protection law, designed to ensure that personal information is processed lawfully, transparently, and securely. The Act was signed into law in November 2013; most of its provisions commenced on July 1, 2020, and after a one-year grace period it became fully enforceable on July 1, 2021.
Key Objectives of POPIA
The Act seeks to:
- Promote the protection of personal information processed by public and private bodies.
- Establish minimum requirements for the lawful processing of personal data.
- Create the Information Regulator, an independent body tasked with overseeing and enforcing compliance.
- Regulate the flow of personal information across South Africa’s borders so that information transferred abroad remains protected.
Key Definitions Under POPIA
- Personal Information: Any information relating to an identifiable living natural person and, where applicable, an identifiable existing juristic person (such as a company), including name, contact details, identifying numbers, race, gender, and biometric data. Certain categories (for example race, health, religious beliefs, and biometric information) are classed as special personal information and are subject to stricter processing rules.
- Processing: Includes all operations involving personal information, such as collection, storage, use, modification, dissemination, and destruction.
- Responsible Party: The public or private body that determines the purpose and means of processing personal data.
Conditions for Lawful Processing
POPIA sets out eight key conditions that must be followed by organisations when processing personal data:
- Accountability: The responsible party must ensure compliance with all processing principles.
- Processing Limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the data subject’s privacy, limited to what is adequate, relevant, and not excessive for the purpose, and, as a rule, collected directly from the data subject.
- Purpose Specification: Data must be collected for a specific, legitimate, and lawful purpose.
- Further Processing Limitation: Data must only be processed for purposes consistent with the original purpose of collection.
- Information Quality: The responsible party must ensure that the data is accurate, complete, and up-to-date.
- Openness: The data subject must be informed about the processing of their personal information.
- Security Safeguards: Appropriate technical and organisational measures must be taken to protect data from loss, unauthorised access, and misuse.
- Data Subject Participation: Individuals have the right to access and correct their personal data.
Rights of Data Subjects
Under POPIA, individuals (data subjects) have the following key rights:
- Right to be Notified: Data subjects must be notified when their personal information is being collected.
- Right to be Notified of Unauthorised Access: Data subjects must be notified if an unauthorised person accesses their personal information.
- Right to Access: Data subjects can request access to their personal information held by an organisation.
- Right to Request Correction, Destruction, or Deletion: Data subjects can request the correction, destruction, or deletion of their personal information if it is inaccurate or no longer needed.
- Right to Object: Data subjects have the right to object to the processing of their personal information on reasonable grounds.
- Right to Object to Direct Marketing: Data subjects can object to the processing of their information for direct marketing purposes.
- Right to Not Be Subject to Automated Decision-Making: Data subjects have the right not to be subjected to a decision that has legal consequences for them, or affects them to a substantial degree, where that decision is based solely on automated processing intended to profile them.
- Right to Submit Complaints: Data subjects have the right to submit complaints to the Information Regulator if they believe their rights under POPIA have been violated and can pursue civil proceedings.
Obligations of Responsible Parties
Organisations must fulfil several obligations to ensure compliance with POPIA, including:
- Establishing a Lawful Basis: Every processing activity must be justified under the Act, for example by the data subject’s consent, by necessity for a contract with the data subject, by a legal obligation, or by a legitimate interest of the responsible party or a third party. Consent is one justification among several, not a blanket requirement.
- Implementing Security Measures: Responsible parties must take reasonable steps to ensure the security of personal data.
- Notifying Data Breaches: Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, responsible parties must notify both the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise.
- Appointing an Information Officer: Every organisation must have an Information Officer responsible for ensuring compliance with POPIA and for handling data protection matters. By default this is the head of the organisation (for example the CEO), who may designate deputy information officers; the Information Officer must be registered with the Information Regulator before taking up these duties.
Cross-Border Data Transfers
POPIA regulates the transfer of personal data outside South Africa to ensure that data remains protected. Personal data may only be transferred abroad if at least one of the following applies:
- The recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection for personal information.
- The data subject consents to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for pre-contractual measures taken at the data subject’s request.
- The transfer is necessary for a contract concluded in the interest of the data subject between the responsible party and a third party.
- The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain their consent, and they would be likely to give it.
Enforcement and Penalties
The Information Regulator is responsible for enforcing POPIA. Non-compliance can result in significant penalties, including:
- Administrative fines of up to R10 million.
- Criminal penalties, including imprisonment of up to 10 years for serious violations.
These penalties serve as a strong deterrent to encourage organisations to take data protection seriously and ensure compliance with the Act.
POPIA plays a crucial role in protecting personal information and fostering trust between businesses and individuals in South Africa. Organisations must comply with the Act by ensuring that they handle personal data responsibly, maintain transparency, and implement robust data security measures. Data subjects, on the other hand, are empowered with numerous rights to ensure their personal information is processed fairly and securely.
POPIA Solutions
Advoke International provides comprehensive solutions tailored to support your organisation in achieving compliance with the POPIA.
- POPIA Gap Analysis
- Privacy Framework Implementation
- POPIA Readiness Assessment
- Complete POPIA Compliance Review
Frequently Asked Questions
Who does POPIA apply to?
POPIA applies to all public and private entities (including businesses, government agencies, and non-profits) that are domiciled in South Africa, as well as to foreign organisations that use automated or non-automated means located in South Africa to process personal information, unless those means are used only to forward the information through the country.
Does POPIA apply to small businesses and startups?
Yes, POPIA applies to all organisations, regardless of size. Even small businesses and startups must comply if they process personal data, such as customer contact details or employee records.
What should I do if a company refuses to give me access to my personal data?
If a company denies your request to access your personal information, you can file a complaint with the Information Regulator, which has the authority to investigate and enforce compliance.
Do businesses need to appoint a Data Protection Officer (DPO) under POPIA?
Yes. Every organisation must have an Information Officer, who is responsible for ensuring compliance with POPIA and managing privacy-related concerns. By default the role falls to the head of the organisation, who may designate deputies, and the Information Officer must be registered with the Information Regulator. The role is similar to a Data Protection Officer (DPO) under other privacy laws.
How does POPIA affect online shopping and e-commerce?
E-commerce businesses must have a lawful basis for collecting customer data (typically the customer’s consent or the necessity of processing the order), store personal information securely, and respect the rules on direct marketing: unsolicited electronic marketing may only be sent to existing customers for similar products or services, with an opportunity to opt out offered at the time of collection and in every message, and to anyone else only with their prior consent.

