Protection of Personal Information Act (POPIA)

What is POPIA?

South Africa’s Protection of Personal Information Act, also known as POPIA, will be effective from 1 July 2021.

POPIA also requires any organization that processes information in South Africa to protect that data.

South Africa’s POPIA is the newest data privacy law in the world and is modeled closely on the EU’s GDPR.

Personal Data and Sensitive Personal Data

South Africa’s POPI Act applies to all companies, industries and organizations processing personal information in South Africa, whether or not they reside in the country, as long as they make use of automated or non-automated means of processing within South Africa.

Under the POPI Act, personal information is defined broadly as any information relating not only to a living person but also to a company, organization or legal entity.

South Africa’s POPI Act sets some inflexible requirements that attach criminal offenses to sensitive and vulnerable data.

Data Processing  

Under the POPI Act, data processing is defined as the collection, receipt, recording, organization, storage, merging, linking, and many other operations performed on personal information.

The POPI Act allows companies, industries and organizations to process data only if it is deemed to be in the user’s “legitimate interest,” an ambiguity that can open the door to abuse and make enforcement difficult.

There are eight conditions for lawful data processing under the POPI Act, among which the consent of the data subject is critical. It is up to companies, websites, organizations or any other responsible parties to prove that their data processing is lawful or that the correct consents have been collected from users. The POPI Act defines consent as any voluntary, specific, and informed expression of choice.

Data Transfer & Sharing

Under the POPI Act, transferring personal information from within South Africa to outside the country is prohibited unless one of the exceptions below applies. The exceptions are:

Data Rights

There are nine actionable rights for South African citizens under the POPI Act. These include, but are not limited to, the right to access, the right to correct, and the right to delete.

Unlike the GDPR data collection rules, POPIA allows organizations and companies to charge a fee for providing individuals with a copy of the information a company holds on them. Organizations that choose to do so must give a written estimate of the cost beforehand.

POPIA also requires that organizations respond to any such Data Subject Access Request (DSAR) within a reasonable time.

Fines, Penalties, and Prison

The financial consequences for a POPIA violation have a maximum penalty of $10 million ZAR (South African rand), which is much smaller than a GDPR fine.

But there is another layer in the South African legislation: individuals can be held criminally responsible and sentenced to prison for up to 10 years in more severe cases.

GDPR penalties focus more directly on non-compliance, whereas POPIA penalties apply to non-compliance and a range of other offenses, including hindering, obstructing, or unlawfully influencing enforcement officials, failing to attend court hearings, and lying under oath.

POPIA Compliance Challenges


Any company or organization processing the personal data of South African residents must ensure that it is in compliance with POPIA. It should also check regularly for the Regulator’s advice over the next few months.
