
Frequently Asked Questions (FAQ) & Answers Section
The PoPI Act (PoPIA) stands for the Protection of Personal Information Act, Act No. 4 of 2013 or PoPI Act. This is the new law and is something that most (if not all companies) will need to follow. Source
The Protection of Personal Information Act 4 of 2013 (PoPIA) is the comprehensive data protection legislation enacted in South Africa. PoPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information. Source
The PoPI Act is a new legislation that safeguards the integrity and sensitivity of private information. Organisations & Corporations are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the PoPI Act.
Source
The PoPI Act applies to everybody who processes any type of records that contain personal information of people. It therefore lays down the minimum standards for the protection of personal information. Processing comprises the collection, receipt, recording, organising, retrieval or use of such information. Source
A guideline to comply to PoPIA
Section 37 >The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that Processing is in breach of a condition for the Processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case—
It is a criminal offence not to have an Access to Information manual if you are required to do so, and you could face some hefty fines if you do not comply. Currently, the Information Regulator is not issuing fines for non-compliance, but whether this will remain the case is unknown. Source
In so far as any pictures or video taken or views shared are disseminated on social media or any other platform in a personal capacity, PoPIA arguably does not apply. Source
What is it anyway? The Promotion of Access to Information Act (PAIA) says that all public and private bodies in South Africa need to create a manual that contains, amongst other things: The postal and street address, phone and fax number and, if available, e-mail address of the head of the body. Source
The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. Source
Although “purely personal” and “household” are not defined in the Act, we can take their ordinary meanings and apply them to the WhatsApp context. Where a WhatsApp group is created to facilitate family related or personal matters, as in between family, friends or acquaintances, then POPIA will not apply. Source
Can You Sue Someone for Defamation on Social Media? Yes, you can sue for social media defamation. However, while it may seem natural to want to sue the social media platform for defamation, your best option is to file a defamation lawsuit against the individual poster or commenter. Source
The Protection of Personal Information Act (POPIA or POPI) came into effect on 1 July. The act affects how business WhatsApp groups function but has no impact on personal groups. The POPIA promotes the protection of personal information processed by public and private bodies. Source
However, there is an exception to this rule saying that you do not need to collect information directly from a person if the person has made the information publically available and accessible. This doesn’t mean that the rules of POPI won’t apply to the information once it’s been collected. Source
On the 7th September, the National Assembly voted in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator. This enables the President to proclaim the Protection of Personal Information Act (POPI) effective and operational. Source
The good news for telemarketers and consumers (in some cases) is: Yes, cold calling is still allowed under POPIA! Of course, there are rules that regulate the practice under the Protection of Personal Information Act in addition to other legislation that was in place before POPIA was introduced. Source
The Information Regulator
The Act was partially enacted in 11 April 2014. We are awaiting the commencement date of the other sections of the Act whereby the Information Regulator will start enforcing PoPI one year after this commencement date. Source
The Protection of Personal Information Act, 2013 (PoPIA Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.
The Information Regulator (South Africa) is, among others, empowered to monitor and enforce compliance by public and private bodies with the provisions of the PoPIA Act. Source
The PoPI Act aims to protect South Africans’ right to privacy by regulating how personal information is processed by marketing companies and others. Failure to comply with the Act will result in a hefty fine of up to R10 million, or jail time. Source
All business and legal entities, whether owned by individuals, companies, partners, sole proprietors, close corporations, NGOs/PBOs, associations and business trusts, including dormant entities, are required to comply with POPIA. Source
POPIA requires all companies, organisations, legal entities and websites, irrespective of their physical location, that processes the personal information of a South African to comply with the data processing law of obtaining the correct consent from their users or customers to use their information. Source
The mandate of South Africa’s Protection of Personal Information Act (POPIA, formerly known as PoPI) is to regulate the processing of personal information. With this Act, data breaches need to be reported by law. Source
The GDPR defines a data processor as a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. ‘ The GDPR applies to data controllers and data processors who may be public bodies. PoPIA only protects living individuals. Source
The GDPR is an EU regulation. It does not have general effect in South Africa and is not a local law in this country. Source
PoPIA applies to the personal data of any individual—regardless of their nationality. So while the GDPR is only designed to protect EU citizens, the PoPIA covers anyone whose personal data is processed within South African territory or by a South African undertaking. Source
The GDPR applies to any data processing activities that are done by a controller (called a responsible party under PoPIA) in the EU. It also applies to all processing of personal data of data subjects residing in the EU even if the entity processing the data is not in the EU. Source
Data collection (type of data, purpose, consent, legal aspects, minimality, and transparency) Data access and accuracy (correct, complete, reliable and process of updating information) Data usage and restrictions (purpose, relevance, restrictions, legality, permission, limitations). Source
However, POPIA also includes in its definition of data subjects companies, organizations and other legal entities, while the GDPR strictly limits its definition to human individuals. Source
Frequently Asked Questions (FAQ) & Answers, including sources from Google search