8 Conditions of The PoPI Act (PoPIA)

Condition 1 > Accountability


> Responsible party to ensure conditions for lawful processing

A company/entity/person must take overall responsibility to ensure that it processes personal information lawfully.


Condition 2 > Processing Limitation


> Lawfulness of processing
> Minimality
> Consent, justification and objection
> Collection directly from data subject

A company/entity/person may only process information that it reasonably needs upon obtaining consent directly from a data subject. It therefore follows that companies/entities/people may not obtain personal information from data brokers or through applications that generate personal information (such as telephone numbers) automatically. A data subject may at any stage object to the processing of his or her personal information. If a data subject objects, then the company/entity/person may no longer process that data subject’s personal information.

Condition 3 > Purpose Specification


> Collection for specific purpose
> Retention and restriction of records

A company/entity/person can only process the personal information of a data subject for purposes directly related to the object and purpose of that company's/entity's/person's mandate.

Condition 4 > Further Processing Limitation


> Further processing to be compatible with purpose of collection

Any further processing of the personal information of a data subject must be compatible with the purpose for which the information was originally obtained.

Condition 5 > Information Quality


> Quality of information

A company/entity/person must take practical, reasonable steps to ensure that the personal information it processes is correct, up to date and complete.

Condition 6 > Openness


> Documentation
> Notification to data subject when collecting personal information

A data subject must be notified that his or her personal information is being processed by a company/entity/person.

Condition 7 > Security Safeguards


> Security measures on integrity and confidentiality of personal information
> Information processed by operator or person acting under authority
> Security measures regarding information processed by operator
> Notification of security compromises

A company/entity/person must put in place adequate security measures and controls to safeguard the personal information of a data subject against loss, damage and misuse. A company/entity/person must notify the Information Regulator (Regulator) and an affected data subject of any security breach.

Condition 8 > Data Subject Participation


> Access to personal information
> Correction of personal information
> Manner of access

A company/entity/person must, upon request by a data subject, confirm whether it is processing the personal information of that data subject. It must also correct, destroy and/or delete the personal information of a data subject upon request.
