PoPIA Summary



What is PoPIA?

To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;

  • to provide for the issuing of codes of conduct;
  • to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
  • to regulate the flow of personal information across the borders of the Republic;
  • and to provide for matters connected therewith.

The Protection of Personal Information Act (PoPIA) 4 of 2013 aims:

  • consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information;


  • regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests,


What is the meaning of PoPIA & why do we need the PoPI Act?

Essentially, the purpose of the Protection of Personal Information Act (PoPIA) is to protect people from harm by protecting their personal information: to stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.

To achieve this, the Protection of Personal Information Act sets conditions for when it is lawful for someone to process someone else’s personal information.

Who are the Role Players?

The Protection of Personal Information Act (PoPIA) involves three parties (who can be natural or juristic persons):

  • The data subject: the person to whom the information relates.
  • The responsible party: the person who determines why and how to process. For example, profit companies, non-profit companies, governments, state agencies and people. Called controllers in other jurisdictions.
  • The operator: a person who processes personal information on behalf of the responsible party. For example, an IT vendor. Called processors in other jurisdictions.

The Protection of Personal Information Act places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Responsible parties should only use operators that can meet the requirements of lawful personal information processing prescribed by the Protection of Personal Information Act.

Source: Michalsons