The Act controls the transfer of personal information from South Africa to foreign countries and prohibits this unless: (section 71)

  • the person receiving the information is subject to similar laws;
  • the subject has agreed to the transfer of information;
  • such transfer is part of the performance of a contract which the subject is a party; or
  • transfer is for the benefit of the subject and it is not reasonably practicable to obtain their consent and that such consent would be likely to be given. (section 72)

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

Section 69 of the Act outlaws direct marketing by means of any form of electronic communication unless the data subject has given their consent. Such an electronic communication obviously includes emails, SMSs and automatic calling machines.  A subject can only be approached once to obtain such a consent. Once such consent is refused, it is refused forever.

Slightly different rules apply if the subject is a customer.  Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the suppliers own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent.

The Act covers Direct Marketing restrictions in great  detail and should be consulted before any direct marketing campaign is considered.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

Information Regulator

An Information Regulator has been appointed by the President on the recommendation of the National Assembly and is answerable to the National Assembly.  There will be a large body of staff working under the Information Regulator.

The Information Regulator’s duties are varied and he/she has the power and authority to handle all matters relating to the POPIA Act.

The Information Regulator must immediately be advised in the event of a breach which resulted in Personal Information falling into the wrong hands.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

How Personal Information Needs to be Handled

Any organisation or person who keeps personal information must take steps to prevent the loss, damage, and unauthorized destruction of the personal information.  In terms of Section 19, they are also required to prevent unlawful access to, or unlawful processing of this personal information.

All risks have to be identified and then safeguards must be established and maintained against these risks.  Regular verification that the safeguards are being effectively implemented is required. Safeguards are to be updated in response to any new risks or identified deficiencies in existing safeguards.

Any person processing personal information on behalf of an employer must have the necessary authorization from the employer to do so.  They must also treat the personal information as confidential and not share this information without the following the required processes. (section 20). The person must have a written contract with their employer in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks.

Data Subject Rights

Everyone has the right to be informed if someone is collecting their personal information, or if their personal information has been accessed by an unauthorized person. In addition, they have the right of access to their personal information and to require that personal information be corrected or destroyed, or they may object to their personal information being processed.

The Act does not apply to personal information processed

  • in the course of a personal or household activity,
  • or where the processing authority is a public body involved in national security, defense, public safety, anti-money laundering,
  • or the Cabinet or Executive Council of the Province
  • or as part of a judicial function.

Personal information can only be processed: (Section 11)

  • with the consent of the “data subject”; or
  • if it is necessary for the conclusion or performance of a contract to which the “data subject” is a party; or
  • if it is required by law; or
  • if it protects a legitimate interest of the “data subject”; or
  • if it is necessary to pursue your legitimate interests or the interest of a third party to whom the information is supplied.

Everyone has the right to object to having their personal information processed.  They have the right to withdraw their consent, or object if they can show legitimate grounds for their objection.

The POPIA Act Applies to Everyone

The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.

It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organizing, retrieving, or using such information; or disseminating, distributing or making such personal information available. 

The Act will also relate to records which are already in the possession of the entity or person doing the processing.  

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

What POPIA means for business

The POPI Act ensures that the right to privacy is taken seriously and includes a data subject's right to be protected against any unlawful collection, retention, dissemination and use of their personal information.

Companies are required to receive consent from individuals before they can obtain, retain and process personal information for communication or any other purpose. As per "Conditions for lawful processing" the definition of "Personal Information" includes contact details, demographic information, personal history, as well as communication records.

The POPI Act highlights the need for a greater understanding of the manner in which personal information is stored and processed.  This means that the systems, processes and how logical and physical access is maintained and managed for the systems and areas housing personal information al need to be considered.

Protection of Personal Information requires extra vigilance in all aspects of physical and information security.  The basis of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised persons.  As a result, this implies an obligation to protect information relating to individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.

The POPI Act requires that a set of streamlined processes and systems must be established that can easily identify where personal information is stored, understand how this information is processed physically and electronically, who has access to this information, as well as for what purpose it is required.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013


Page 2 of 3