Protection of personal information act, 2013 (“POPI act”)

Feb 9, 2021 | News

By just following the news nowadays most people are at least vaguely familiar with the new POPI Act but few are familiar with the finer points of the Act.  One the of most pertinent issues is that all affected by the Act have till the 1st of July 2021 to comply.  Do you know who is affected and how?  Let us dispel some of the mystery.

What is the POPI Act?

The POPI Act enables people to access and enforce their privacy rights on a day-to-day basis with its purpose being to protect people from harm by protecting their personal information.  To this end, the POPI Act sets conditions for when it is lawful for someone to process someone else’s personal information.

Who is affected?

Any natural or juristic person who processes personal information.

What is personal information?

Any information relating to an identifiable living natural person or identifiable existing juristic person.  This includes:

  • race gender, sex pregnancy, marital status national, ethnic or social origin, colour, sexual orientation, age
  • physical or mental health, well being, disability, religion, conscience, belief, culture and birth
  • education or medical, financial criminal or employment history
  • correspondence sent by the person that is implicitly or explicitly of a private/confidential nature
  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assigned to the person
  • biometric information (e.g. blood typing, fingerprints, DNA analysis, retinal scanning and voice recognition)
  • personal opinions, views or preferences
  • the views or opinions of another individual about the person
  • the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person

Who are the key role players?

The POPI Act identifies three role players, who can be natural or juristic persons, in the processing of personal information:

The data subject: the person to whom the information relates
The responsible party the person who determines why and how to process such information and who is ultimately responsible for the lawful processing of the personal information
The operator a person who processes personal information on behalf of the responsible party in terms of a contract or mandate


What does the Act mean by “Processing”?

Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution, or making available in any other form;
  • merging, linking, as well as restriction, degradation, erasure, or destruction of information

The 8 conditions for lawful processing
Accountability data controllers and responsible parties must ensure compliance with the principles in chapter 3 of the POPI Act relating to these conditions for lawful processing
Processing Limitation data may only be processed lawfully and reasonably and should not be excessive or infringe the data subject’s privacy and collected directly from the data subject in certain situations
Purpose Specification collection must be for a specific and explicitly defined purpose and generally only retained for as long as necessary for such purpose
Further Processing Limitation further processing must be compatible with the purpose for which the personal data was collected
Information Quality reasonably practicable steps must be taken to ensure personal information is complete, accurate, not misleading, and updated
Openness the data subject must be notified of certain mandatory information and the documentation must be maintained in terms of the Promotion of Access to Information Act (PAIA)
Security Safeguards the integrity and confidentiality of the personal information must be secured and there must be notified of any breach
Data Subject Participation the data subject has certain access rights, the request of which must be in terms of PAIA, to the personal information including a right to request its correction or deletion



As a general rule, the processing of personal information will only be lawful if consent from the data subject is obtained.  Consent must be voluntary, specific, and informed.  It is not a requirement for consent to be in writing but it is recommended.

When is the deadline for organisations?

The deadline for organisations to comply with the POPI Act is 1 July 2021.

What are the penalties for not complying?

The penalties in terms of the POPI Act for the failure of a responsible party to comply with the provisions of the POPI Act is a fine of between R1 million to R10 million or imprisonment of a period between 1 – 10 years, depending on the contravention, or both.  Other consequences include compensating the data subject for damages suffered, the potential reputation damage to your organisation, and the loss of customers/clients.

What are your next steps?

  1. Every organisation must determine whether it needs to comply before the deadline of 1 July 2021 – If you are domiciled or process personal information in South Africa then you need to comply
  2. Appoint an Information Officer and draft a Data Protection Policy for your organisation
  3. Raise awareness within your organisation
  4. Conduct an assessment of your organisation to determine the impact of the POPI Act
  5. Implement the necessary changes to how your organisation processes personal information

Our experts are ready to assist you:

Cape Town

Gaby Meintjies
M. +27 (0) 76 122 6434
T   +27 (0) 21 405 7345 


Jodi Poswelletski
T   +27 (0) 11 268 0250