PoPI Act

The Protection of Personal Information Act (PoPIA or the PoPI Act) is a piece of legislation which governs the law of data protection and privacy in South Africa. The PoPI Act sets out several core obligations. [1] Some of the key requirements include:
  1. Personal information can only be processed:
    • with the consent of the data subject; or
    • if it is necessary for the conclusion or performance of a contract that a data subject is a party to; or
    • it is required by law; or
    • it protects a legitimate interest of a data subject; or
    • if processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  2. Private and public entities must report data leaks to the affected people and the Information Regulator.
  3. Organisations must appoint a responsible person who must ensure compliance to the PoPI Act.
  4. Cross-border transfers of personal data are restricted.
  5. Organisations that process personal information must ensure they satisfy minimum security obligations.
  6. Direct marketing, the sale and use of electronic directories and automated decision making are also severely curtailed.
  7. The act elevates the obligations placed on entities that process information regarding children, religious beliefs, race, ethnic origin, trade union membership, health, sex life, criminal behaviour and biometric information.