PoPI Act

Protection of Personal Information Act

The PoPI Act Explained

Protection of Personal Information Act (PoPI Act) provides data privacy rights and information protection for South Africa. The PoPI Act took effect on Jul 1, 2020. The Information Regulator started the enforcement of PoPI Act and PAIA on July 1, 2021. Every public or private entity must register an information officer and/or deputy information officer by March 31, 2021.

South African businesses, public entities, non-profit organizations, and any other entities must address PoPIA compliance in a short time, and with minimal impact on the budget. Large companies have teams already working on the Protection of Personal Information Act.

Most mid-size and small businesses are unaware of the law. They need to engage their legal and IT teams to implement The Protection of Personal Information Act. Nearly all entities believe that PoPI Act means prevention of spam, calls from telemarketers, and the ability to opt-out of digital marketing.

This is one of the rights in the Protection of Personal Information Act, and so are several other rights including delete my data, correct my data, objection to processing, and many others.

PoPI Act Summary

With Data Protection & Information Security in mind;

The Protection of Personal Information Act (PoPI Act) 4 of 2013 aims:

  • to promote the protection of personal information processed by public and private bodies;
  • to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
  • to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act (PAIA), 2000;
  • to provide for the issuing of codes of conduct;
  • to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
  • to regulate the flow of personal information across the borders of the Republic; and
  • to provide for matters connected therewith.
Meaning of The PoPI Act


Recognising That—

  • Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfill the rights in the Bill of Rights;

And Bearing In Mind That—

  • consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;

And In Order To—

  • regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,
PoPI Act Guarantee

Protection of Personal Information Act (PoPIA) provides the main protection of personal information & privacy in South Africa. PoPIA & Constitution of South Africa guarantees the most general right to privacy for all its citizens.

The PoPI Act (PoPIA) of 2013 was signed into act, focusing on data privacy. Minimum requirements are presented in PoPI Act for the of processing personal data, like the fact that the data subject must provide consent and that the data will be beneficial, and PoPI Act will be harsher when related to cross-border international data transfers, specifically with personal information. PoPI Act will be in full effective from 1 July 2020.

The recording of conversations over phone and internet is not allowed without the consent of both parties with the Regulation of Interception of Communications and Provision of Communications Related Act (2002).

In addition, South Africa is part of the Southern African Development Community and the African Union.

PoPI Act Compliance

The Information Regulator South Africa is an independent body established in terms of Section 39 of The Protection of Personal Information Act (PoPI Act) 4 of 2013. It is subject only to the Law and the Constitution and it is accountable to the National Assembly

The Information Regulator is among others, empowered to monitor and enforce compliance by Public and Private bodies with the provisions of the Promotion of Access to Information Act (PAIA), 2000 (Act 2 of 2000), and the Protection of Personal Information Act (PoPI Act), 2013 (Act 4 of 2013)

PoPI Act Compliance & Certification Portal
  • Our Compliance Certification Portal will help you manage your whole PoPI Act Compliance journey.
  • It will guide you through what you need to do to become compliant.
  • It will also generate the documentation, declarations, policies, forms and registers you will need.
  • It will keep you up to date as the Law and/or Regulations change, and as you progress with your own compliance journey.
  • The portal will take you through 25 Sections of the PoPI Act asking you simplified relevant questions to your entity to determine your compliance status, building customised documentation for your entity, and giving you a plan of things to work on to become PoPI Act Compliant where necessary
PoPI Act Commencement
PoPI Act Consent

PoPI Act Consent Letter > PDF Download

PoPI Act > Chapter 6
  • Section 57 > Processing subject to prior authorisation
  • Section 58 > Responsible party to notify Regulator if processing is subject to prior authorisation
  • Section 59 > Failure to notify processing subject to prior authorisation
PoPI Act > Chapter 8

PoPI Act Index