The PoPI Act (PoPIA) stands for the Protection of Personal Information Act, Act No. 4 of 2013 or PoPI Act. This is the new law and is something that most (if not all companies) will need to follow. Source

The Protection of Personal Information Act 4 of 2013 (PoPIA) is the comprehensive data protection legislation enacted in South Africa. PoPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information. Source

The PoPI Act is a new legislation that safeguards the integrity and sensitivity of private information. Organisations & Corporations are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the PoPI Act.
Source

The PoPI Act applies to everybody who processes any type of records that contain personal information of people. It therefore lays down the minimum standards for the protection of personal information. Processing comprises the collection, receipt, recording, organising, retrieval or use of such information. Source

A guideline to comply to PoPIA

Section 37 >The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that Processing is in breach of a condition for the Processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case—

The PoPI Act describes consent “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information“. The PoPI Act Consent Letter is required should you need to get consent from a data subject. Source

The Protection of Personal Information Act (PoPIA Act) 4 of 2013 aims:
> to promote the protection of personal information processed by public and private bodies;
> to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
> to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
> to provide for the issuing of codes of conduct;
> to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
> to regulate the flow of personal information across the borders of the Republic; and
> to provide for matters connected therewith.

PoPIA stands for Protection of Personal Information Act or PoPI Act

The PoPI Act Consent Form is required should you need to get consent from a data subject. The PoPI Act describes consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information“. Source

It is a criminal offence not to have an Access to Information manual if you are required to do so, and you could face some hefty fines if you do not comply. Currently, the Information Regulator is not issuing fines for non-compliance, but whether this will remain the case is unknown. Source

In so far as any pictures or video taken or views shared are disseminated on social media or any other platform in a personal capacity, PoPIA arguably does not apply. Source

What is it anyway? The Promotion of Access to Information Act (PAIA) says that all public and private bodies in South Africa need to create a manual that contains, amongst other things: The postal and street address, phone and fax number and, if available, e-mail address of the head of the body. Source

The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. Source

Although “purely personal” and “household” are not defined in the Act, we can take their ordinary meanings and apply them to the WhatsApp context. Where a WhatsApp group is created to facilitate family related or personal matters, as in between family, friends or acquaintances, then POPIA will not apply. Source

Can You Sue Someone for Defamation on Social Media? Yes, you can sue for social media defamation. However, while it may seem natural to want to sue the social media platform for defamation, your best option is to file a defamation lawsuit against the individual poster or commenter. Source

The Protection of Personal Information Act (POPIA or POPI) came into effect on 1 July. The act affects how business WhatsApp groups function but has no impact on personal groups. The POPIA promotes the protection of personal information processed by public and private bodies. Source

However, there is an exception to this rule saying that you do not need to collect information directly from a person if the person has made the information publically available and accessible. This doesn’t mean that the rules of POPI won’t apply to the information once it’s been collected. Source

On the 7th September, the National Assembly voted in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator. This enables the President to proclaim the Protection of Personal Information Act (POPI) effective and operational. Source

The good news for telemarketers and consumers (in some cases) is: Yes, cold calling is still allowed under POPIA! Of course, there are rules that regulate the practice under the Protection of Personal Information Act in addition to other legislation that was in place before POPIA was introduced. Source

The Information Regulator

The Act was partially enacted in 11 April 2014. We are awaiting the commencement date of the other sections of the Act whereby the Information Regulator will start enforcing PoPI one year after this commencement date. Source

The Protection of Personal Information Act, 2013 (PoPIA Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.
The Information Regulator (South Africa) is, among others, empowered to monitor and enforce compliance by public and private bodies with the provisions of the PoPIA Act. Source

The PoPI Act aims to protect South Africans’ right to privacy by regulating how personal information is processed by marketing companies and others. Failure to comply with the Act will result in a hefty fine of up to R10 million, or jail time. Source

All business and legal entities, whether owned by individuals, companies, partners, sole proprietors, close corporations, NGOs/PBOs, associations and business trusts, including dormant entities, are required to comply with POPIA. Source

POPIA requires all companies, organisations, legal entities and websites, irrespective of their physical location, that processes the personal information of a South African to comply with the data processing law of obtaining the correct consent from their users or customers to use their information. Source

The mandate of South Africa’s Protection of Personal Information Act (POPIA, formerly known as PoPI) is to regulate the processing of personal information. With this Act, data breaches need to be reported by law. Source

The GDPR defines a data processor as a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. ‘ The GDPR applies to data controllers and data processors who may be public bodies. PoPIA only protects living individuals. Source

The GDPR is an EU regulation. It does not have general effect in South Africa and is not a local law in this country. Source

PoPIA applies to the personal data of any individual—regardless of their nationality. So while the GDPR is only designed to protect EU citizens, the PoPIA covers anyone whose personal data is processed within South African territory or by a South African undertaking. Source

The GDPR applies to any data processing activities that are done by a controller (called a responsible party under PoPIA) in the EU. It also applies to all processing of personal data of data subjects residing in the EU even if the entity processing the data is not in the EU. Source

Data collection (type of data, purpose, consent, legal aspects, minimality, and transparency) Data access and accuracy (correct, complete, reliable and process of updating information) Data usage and restrictions (purpose, relevance, restrictions, legality, permission, limitations). Source

However, POPIA also includes in its definition of data subjects companies, organizations and other legal entities, while the GDPR strictly limits its definition to human individuals. Source

For the more serious offences the maximum penalties are a R10 million fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. Source