South Africa’s Protection of Personal Information Act (POPIA)

South Africa began enforcement of the Protection of Personal Information Act 4 on July 1, 2021. It went into effect July 2020 but gave companies a one-year grace period to comply. It’s also referred to as the POPI Act. The Act protects both physical and digital wireframes of data processed, stored, collected, or exchanged. It stresses consent but deviates from GDPR. The 2019 guidelines state that certain industry bodies could apply for an exemption. The guidelines also require that a responsible party register its Information Officer with the Regulator before the officer takes up his or her duties in terms of POPIA. Both of these guidelines are open for general public comment and, once finalized, are published in the Government Gazette. Companies face hefty fines and up to 10 years imprisonment for non-compliance.

Benefits of POPIA

Customers are more open to sharing their personal information with companies because of the enhanced data security measures companies put in place to be POPIA compliant. Companies also benefit from becoming POPIA compliant. In 2019 Cisco conducted a Data Privacy Benchmark study that reported that GDPR-compliant organizations have experienced advantages like streamlined business processes, a boost in sales revenue, and increased investor appeal.

What’s Included in POPIA

  • Chapter 1 (Section 1 – 2) covers the definitions and purpose of the Act
  • Chapter 2 (Section 3 – 7) covers the application provisions, including the interpretation and application, rights of data subjects as well as exclusions
  • Chapter 3 (Section 8 – 35) includes processing of personal information in general, children, and individuals identified as special persons
  • Chapter 4 (Section 36 – 38) covers exemption from conditions for processing personal information
  • Chapter 5 (Section 39 – 56) covers required supervisions
  • Chapter 6 (Section 57 – 59) covers prior authorization and notifying individuals or companies
  • Chapter 7 (Section 60 – 68) includes the Codes of Conduct
  • Chapter 8 (Section 69 – 71) covers the rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories, and automated decision-making
  • Chapter 9 (Section 72) covers laws related to transborder information flows
  • Chapter 10 (Section 73 – 99) covers enforcement of POPIA
  • Chapter 11 (Section 100 – 109) includes details about offenses, penalties, and administrative fines
  • Chapter 12 (Section 110 – 115) covers general provisions

Consumer/Subject Rights under POPIA

The rights of data subjects are clearly defined in Section 5 of Chapter 2 and include:

  • Right to be notified how, where, and by whom his or her information is collected, acquired, and processed
  • Right to establish whether a responsible party holds the data subject’s data and to request access to it
  • Right to request the correction, deletion, or destruction of personal data with terms in accordance with Section 24
  • Right to object to the processing of his or her information with terms pertaining to Section 11 (3)(a)
  • Right to object to the processing of subject’s data for direct marketing purposes or terms mentioned in Section 69(3)(c)
  • Right to object to his or her information being processed by unsolicited electronic means as clearly defined in Section 69(1)
  • Right to refrain from being a data subject where the information is processed automatically as per the terms defined in Section 71
  • Right to approach the Regulator and submit a complaint regarding interference in protecting his or her personal information, as per the terms in Section 74
  • Right to institute the necessary civil proceedings in cases of alleged interference with his or her personal information

POPIA Exceptions

POPIA may not protect personal information that is processed, stored, or collected in certain situations. Exceptions or exclusions are covered in Sections 6 and 7 of Chapter 2, and include personal information:

  • Used in household chores or activities
  • De-identified to the maximum extent with no scope to be re-identified further
  • By or on behalf of a public body being processed or used to identify financial terrorist activities jeopardizing national security
  • By or on behalf of a public body being processed or used to identify people engaged in unlawful activities like money laundering, or investigation of proofs in South Africa
  • Used by the Cabinet or its members with a Committee belonging to a state or province
  • Used in judicial court for lawful matters
  • Related to terrorist and related activities

About Consent

Details about consent to data being processed, used, or collected are covered in Subsection 1 of Section 11 of Condition 2 (Processing Limitation) under Part A of Chapter 3. Under that subsection, personal information is to be processed only if:

  • Data subjects or guardians of the child consent to the processing
  • Processing is essential for conclusive actions or completing a contract where the data subject is involved as a party
  • The law imposes an obligation on the responsible party that requires the processing
  • Processing ensures the data subject’s genuine interest is kept safe
  • Processing is necessary to complete a lawful duty in the public interest or by a public body
  • Processing supports the data subject’s or third party’s interest

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.
