South Africa’s Protection of Personal Information Act (POPIA)
Enforcement of data privacy in South Africa began on July 1, 2021 under the Protection of Personal Information Act 4. The Act went into effect in July 2020 but gave companies a one-year grace period to comply. It’s also referred to as the POPI Act. The Act protects both physical and digital wireframes of data processed, stored, collected, or exchanged to protect data privacy in South Africa. It stresses consent but deviates from GDPR. The 2019 guidelines state that certain industry bodies could apply for an exemption. The guidelines also require that a responsible party register its Information Officer with the Regulator before the officer takes up his or her respective duties in terms of POPIA. Both these guidelines are open for general public comment and, once finalized, are published in the Government Gazette. Companies face hefty fines and up to 10 years imprisonment for non-compliance.
Benefits of POPIA
Customers are more open to sharing their personal information with companies because of the enhanced data security measures that companies put in place to be POPIA compliant. Companies also benefit from becoming POPIA compliant. In 2019, Cisco conducted a Data Privacy Benchmark study that reported that GDPR-compliant organizations have experienced advantages like streamlined business processes, a boost in sales revenue, and increased investor appeal.
What’s Included in POPIA
- Chapter 1 (Section 1 – 2) covers the definitions and purpose of the Act
- Chapter 2 (Section 3 – 7) covers the application provisions, including the interpretation and application, rights of data subjects as well as exclusions
- Chapter 3 (Section 8 – 35) includes processing of personal information in general, children, and individuals identified as special persons
- Chapter 4 (Section 36 – 38) covers exemption from conditions for processing personal information
- Chapter 5 (Section 39 – 56) covers required supervisions
- Chapter 6 (Section 57 – 59) includes prior authorization and notifying individuals or companies
- Chapter 7 (Section 60 – 68) includes the Codes of Conduct
- Chapter 8 (Section 69 – 71) covers the rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories, and automated decision-making
- Chapter 9 (Section 72) covers laws related to transborder information flows
- Chapter 10 (Section 73 – 99) covers enforcement of POPIA
- Chapter 11 (Section 100 – 109) includes details about offenses, penalties, and administrative fines
- Chapter 12 (Section 110 – 115) covers general provisions
Consumer/Subject Rights under POPIA
The rights of data subjects are clearly defined in Section 5 of Chapter 2 and include:
- Right to be notified how, where, and by whom his or her information is collected, acquired, and processed.
- Right to establish that a responsible party holds the data subject’s data and to request access to it
- Right to request the correction, deletion, or destruction of personal data with terms in accordance with Section 24
- Right to object to the processing of his or her information with terms pertaining to Section 11 (3)(a)
- Right to object to the processing of subject’s data for direct marketing purposes or terms mentioned in Section 69(3)(c)
- Right to object to his or her information being processed by unsolicited electronic means as clearly defined in Section 69(1)
- Right to refrain from being a data subject where the information is processed automatically as per the terms defined in Section 71
- Right to approach the Regulator and submit a complaint regarding interference in protecting his or her personal information, as per the terms in Section 74
- Right to institute the necessary civil proceedings in cases of alleged interference with his or her personal information
POPIA Exceptions
POPIA may not protect personal information that is processed, stored, or collected in certain situations. Exceptions or exclusions are covered in Sections 6 and 7 of Chapter 2, and include personal information:
- Used in household chores or activities
- De-identified to the maximum extent with no scope to be re-identified further
- By or on behalf of a public body being processed or used to identify financial terrorist activities jeopardizing national security
- By or on behalf of a public body being processed or used to identify people engaged in unlawful activities like money laundering, or investigation of proofs in South Africa
- Used by the Cabinet or its members with a Committee belonging to a state or province
- Used in judicial court for lawful matters
- Related to terrorist and related activities
About Consent
Details about consent for data to be processed, used, or collected are covered in Subsection 1 of Section 11 of Condition 2 (Processing Limitation) under Part A of Chapter 3. Under these terms, personal information is to be processed only if:
- Data subjects or guardians of the child consent to the processing
- Processing is essential for conclusive actions or completing a contract where the data subject is involved as a party.
- Law obligates data processing activities on/against the responsible party
- Processing ensures the data subject’s genuine interest is kept safe
- Processing is necessary to complete a lawful duty in the public interest or by a public body
- Processing supports the data subject’s or third party’s interest
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope.