The Protection of Personal Information Act (PoPIA or the PoPI Act) is the legislation that governs data protection and privacy in South Africa. The PoPI Act sets out several core obligations. Some of the key requirements include:
- Personal information can only be processed:
  - with the consent of the data subject; or
  - if it is necessary for the conclusion or performance of a contract that a data subject is a party to; or
  - if it is required by law; or
  - if it protects a legitimate interest of a data subject; or
  - if processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- Private and public entities must report data leaks to the affected people and the Information Regulator.
- Organisations must appoint a responsible person who must ensure compliance with the PoPI Act.
- Cross-border transfers of personal data are restricted.
- Organisations that process personal information must ensure they satisfy minimum security obligations.
- Direct marketing, the sale and use of electronic directories and automated decision-making are also severely curtailed.
- The Act elevates the obligations placed on entities that process information regarding children, religious beliefs, race, ethnic origin, trade union membership, health, sex life, criminal behaviour and biometric information.