Coming to terms with the protection of Personal Information Act

by Marianne Mokken | January 19, 2021

coming to terms with the protection of personal information act

In terms of the highest law of South Africa, the Constitution, every person has the right to privacy. This right is protected through, amongst others, the Protection of Personal Information Act (POPIA) that seeks to protect personal information when processed by a third party.

Generally speaking, POPIA establishes the Information Regulator, regulates how public and private entities deal with our personal information and gives consumers certain rights and remedies. This article seeks to explore these three topics briefly.


The Who

Section 39 of POPIA establishes the Information Regulator (IR). The IR derives its powers not only from POPIA but also from the Promotion of Access to Information Act (PAIA).

The IR has, amongst others, the following duties in terms of POPIA:

  • Provide education by making public statements about matters affecting the protection of personal information.
  • Monitor and enforce compliance by public and private bodies with POPIA.
  • Submitting reports to Parliament on its activities within five months of their financial year end.
  • Receive and investigate complaints about violations of the protection of personal information and reporting back to complainants.
  • Resolving complaints through dispute resolution.
  • Conducting research and report to Parliament on, for example, legislative changes.
  • Issuing codes of conduct and making guidelines to assist with the application of the codes.
  • Facilitate cross-border cooperation in enforcement of privacy laws.
  • In general, to do anything related to any of its functions listed in POPIA.

The regulator fulfilled some of these duties in a practical way when it issued a guidance note during April 2020 providing guidelines on the processing of personal information during the management and containment of COVID 191. During the second part of 2020, the IR also worked closely with Experian when they had a data breach2 where a suspect was identified and was to be arrested3. 2021 has already called for the IR to react. The regulator is currently assessing the compliance of the revised WhatsApp Privacy Policy with POPIA4.

[1] InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf (
[2] ms-20200820-Experian.pdf (; ms-20200903-ExperianUpdate.pdf (
[3] Experian data breach: Suspect identified, hardware impounded, personal info secured (
[4] ms-20210113-Whatsapp.pdf (


The What

POPIA seeks to protect our constitutional right to privacy through the protection our of personal information. So, what is personal information?

Personal information is any information that relates to a distinguishable, living, natural person and distinguishable, existing legal persons. For individuals this can be your name, ID number, e-mail address, telephone number, biometric information, medical records, bank details and many more. From this list alone it should be clear that POPIA has far reaching effects and that most, if not all, companies will have to comply with the requirements of the act. For example, if a company employs an individual, it will obtain the name of the employee, their bank details to pay over a salary and a tax number. The employee’s name, bank details and tax number are personal information, and the employer will therefore have to comply with the requirements of POPIA.

POPIA protects our personal information by prohibiting public and private entities from processing any of your personal information (with certain exceptions). Entities are seen to process information when they, for example, collect information, record it in any format, store that information, transmit it or erase it.

Obviously certain exceptions to the non-processing rule had to be created. For example, the birth of a child has to be registered in terms of the Births and Deaths Registration Act within 30 days of the birth with the Department of Home Affairs (DHA). Necessarily the child’s name as well as those of the parents and other information such as the parents’ ID numbers must be provided to DHA to enable them to issue a birth certificate and update the population register. Names and ID numbers are personal information, but in this instance a lawful reason exists for the processing of this information, that is, it is required by legislation. DHA, as a public body, is also subject to compliance with POPIA.

Other justifications for processing of personal information includes:

  • Consent is given by the individual whose personal information it is (called a data subject in the act).
  • Processing is necessary for conclusion or performance in terms of a contract.
  • Processing protects a legitimate interest of the data subject.
  • Processing is required to pursue the legitimate interest of the person to whom the information is provided or a third party.

Once an entity is in possession of your personal information, the entity must comply with certain duties. The entity is, for example, not allowed to keep your information for longer than necessary. They are also obliged to keep your information safe from access by unauthorized parties, or loss or damage thereof. Any unauthorized access must be reported to the IR and the data subject. The entity should also ensure that the personal information is complete, accurate and up to date.


The How

POPIA affords certain rights and remedies to data subjects.

The data subject can request an entity to confirm, free of charge, whether it holds his/her personal information. If the entity does have personal information of the data subject on record, the data subject can request, on payment of a fee, a copy of the information. A data subject can also request an entity to correct or delete his/her personal information. Data subjects also have the right to object against the processing of their personal information and the use of his/her personal information for purposes of direct marketing. Entities must make sure they have an internal process in place and a designated individual to deal with these queries and requests. POPIA provides for the appointment of an information officer and deputy information officers to fulfill this task. These officers also have other duties in terms of the act (refer section 55 of POPIA and section 4 of the draft Regulations).

Where a data subject is of the opinion that one of his/her rights in terms of POPIA was infringed, they can approach the IR and submit a written complaint. The IR will then deal with the complaint in one of the following ways:

  • Conduct a pre-investigation;
  • Act as a conciliator and convene a settlement meeting;
  • Take no further action;
  • Conduct a full investigation;
  • Refer the complaint to the Enforcement Committee;
  • Refer the matter to another Regulatory Body; or
  • Take any other action.

A data subject also has a right to institute a civil claim for damages in a court with appropriate jurisdiction for breaches relating to certain sections of POPIA.

In conclusion, it should be noted that the commencement date for most of the sections of POPIA was announced as 1 July 2020.  Entities therefore have to ensure that they comply with these sections by 30 June 2021. The penalty for non-compliance with the act can be payment of a fine of up to R10 million and/or imprisonment for up to 10 years.

*DISCLAIMER: The article is not intended to constitute legal or other professional advice and is written simply to raise awareness of the Act. You should consult your professional advisor for legal or other advice.


Submit a Comment

Your email address will not be published. Required fields are marked *