The Information Regulator has produced a number of media statements in the first half of 2025, which can be found at Media statements  

1. Media Statement: Regulator launches online reporting platform for security compromises 7 APRIL 2025
2. MEDIA ALERT: Public and Private bodies invited to submit PAIA annual reports for 2024- 2025 17 MARCH 2025.
3. Media Statement: Information Regulator calls for the submission of PAIA annual reports 12 March 2025.
4. Media Statement: The Regulator welcomes the Justice Minister’s decision on publication of the Sex offenders register 4 March 2025.
5. Media Invitation: Information Regulator hosts a stakeholder consultative session on it’s annual plans for the 2025/2026 financial year 3 March 2025.
6. Media Invitation: Information Regulator & Naspers to host International Data Privacy Day dialogue 21 January 2025.
7. Media Statement: The Regulator acts on alleged security compromise incident suffered by the Department of Basic Education regarding Matric Results 13 January 2025.
8. Media Statement: Information Regulator’s reaction to Matric results court decision 8 January 2025.

 

A summary of the aspects you need to know follows:

Any security incident or breach should now be reported on the Information Regulators portal. This is mandatory, and must be used instead of sending e-mail to the Regulator. The page providing guidance can be found at Reporting Security Compromises and you can report the incident from links on that page.

Private and Public bodies are invited to submit their PAIA Annual reports for the year 2024-2025 on any information requests received or processed. 

The submission period is from April 1, 2025, to June 30, 2025.

Key points include:

  • Public Bodies: Information Officers must submit reports on access to information requests.
  • Private Bodies: Heads or Deputy Information Officers must submit similar reports.
  • Compliance: The reports help determine compliance with the Promotion of Access to Information Act (PAIA).
  • Online Submission: An online platform is available for submitting these reports. You can submit your annual report directly on the eServices portal-PAIA Anual reporting. It is important to note that you will only be able to submit your report if the organisation and Officers are registered on the portal.
  • Support: Technical support and step-by-step guides are provided to assist with the submission process.

Amendment to POPIA Regulations

In addition to the media statements, an amendment to the POPIA regulations were published in January 2025, which can be found at POPIA Regulations amendments 2025.

Key changes are:

Definitions

New or revised definitions have been introduced for key terms, namely, “complainant” and “complaint”, “day”, “office hours”, “relevant body/bodies”, and “writing.” These definitions clarify terms used in the Regulations, helping businesses to understand and comply with POPIA more effectively and efficiently.

Office hours have been clarified to include opening hours of the Information Regulator, and operating hours of organisations included in the regulations.

The definition of Writing is as per the ECT Act.

Objection to processing, and request for correction or deletion, of personal information

Regulations regarding

  • Objection to Processing of Personal Information, and
  • Requests for correction or deletion of personal information or destruction or deletion of record of personal information

These have updated to improve and broaden the process for data subjects to:

  • object to the processing of, and
  • request the correction or deletion of, or destruction or deletion of record of, their personal information.

Such objections and requests can now be submitted:

  • by hand,
  • fax,
  • post,
  • email,
  • telephone (provided that the objection or request is recorded (by the responsible party) and made available on request.)
  • SMS, and
  • WhatsApp,

The strict requirement to use the prescribed forms has been removed, provided that the objection or request is on a form substantially similar to the templates.

Any objection or request must be free of charge.

Responsible parties are required to notify data subjects of their right to object when collecting personal information.

Responsible parties must notify data subjects of the action taken in respect of a request for correction or destruction within 30 days of receiving the outcome of the request.

Consent for direct marketing

Requests for a data subject’s consent to process personal information for direct unsolicited electronic marketing requires businesses to obtain explicit written consent from data subjects for such direct marketing on a form substantially similar to Form 4.

Consent requests can be made by:

  • email,
  • telephone,
  • SMS,
  • WhatsApp,
  • facsimile, or
  • automated calling machines.

Telephonic and automated calling machine requests must be recorded and made available to the data subject upon request, free of charge.

The so-called ‘opt-out’ options, have been clarified –

  • opt-out shall not constitute consent as referred to in the Act.

Lodging complaints

The process for lodging complaints with the Information Regulator have been clarified, including details of:

  • who may lodge a complaint,
  • the process to be followed,
  • the information required, and
  • the assistance that will be provided by the Information Regulator.

Complaints can be submitted

  • online,
  • at designated offices,
  • via fax,
  • post,
  • courier, or

The Regulator will acknowledge receipt of the complaint with a reference number within 14 days and will provide assistance free of charge.

Complaints should contain at least the following information:

  • name(s) and surname/ registered name of a complainant; unique identifier/identity number/ company registration number of a compliant, if required; address of a complainant;
  • the telephone and facsimile numbers of a complainant and e-mail address, if available;
  • reasons for a complaint;
  • name(s) and surname of a responsible party / registered name of a
  • responsible party;
  • address of a responsible party;
  • the telephone and facsimile numbers of a responsible party and e-mail address, if available.

Administrative fines

Administrative fines for non-compliance can be paid in instalments based on the business’s financial circumstances.

Transitional provisions

Actions taken under previous Regulations continue to be recognised under the new amendments.

Continuous improvement

The regulations emphasise that compliance is an ongoing process, and Responsible Parties are expected to continuously improve their processes and compliance status.

 

 

 

This morning (22nd June 2020) the Presidency announced dates for compliance to POPIA.  The dates are as follows:

Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) shall commence on 1 July 2020.
 
Sections 110 and 114(4) shall commence on 30 June 2021.

What does this mean:

Applicable immediately: 1 July 2020:

Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3).
The sections which will commence on 1 July 2020 are essential parts of the Act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.

This is the main body of the Act, and although Section 114 (1) (see below) gives a year, in principle, the time to act is now, and all organisations need to become compliant as soon as possible.

Applicable from 30 June 2021

Sections 110 and 114(4) shall commence on 30 June 2021.
Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021.  However, it stands to reason that private and public bodies should attempt to comply with the provisions of the Act as soon as possible in order to give effect to the rights of individuals.

The full press release can be viewed at: http://www.thepresidency.gov.za/press-statements/commencement-certain-sections-protection-personal-information-act%2C-2013 

The Information Regulator published the "Regulations relating to the Protection of Personal Information" in the Government Gazette on 14th December 2018 42110, RG 10897, GoN 1383 (just when we were all going off on holiday.)

Regardless of the timing, in terms of Section 114 (1) of the Act, "All processing of personal information must within one year after the commencement of this section be made to conform to this Act".  In the absence of any further statements or notifications from the Regulator, we must assume that this means we will need to comply by the end of 2019.

I have attached a copy of the Regulations, which can also be downloaded from POPIA Regulations or from:

http://www.justice.gov.za/inforeg/docs.html 

The pressure is now on.  Contact me at This email address is being protected from spambots. You need JavaScript enabled to view it. to see how we can assist you in fast-tracking your POPIA compliance.

Protection of Personal Information (POPI) isn't new in South Africa.  The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that.  We became used to talking about POPI, and the Information Regulator is now prefering to use the term POPIA, or POPI Act. 

Is there a difference?

Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records.  Managing these correctly is imperative under POPIA.  This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.

More Articles ...

  1. Offences, Penalties and Administrative Fines
  2. Disputes and Breaches
  3. Transfer of Personal Information out of South Africa
  4. Direct Marketing

Subcategories

Page 1 of 3

Recent Articles