POPIA
Comply with POPIA
South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on November 26, 2013, following the President's signature. A period of relative stasis then followed for several years while a commencement date for the key provisions was decided upon. The Information Regulator (the Regulator), the data protection authority provided for by POPIA, was established during this time and held its first meeting late in 2016, although its operations were limited. The Regulator announced, on July 1, 2021, that its enforcement powers under POPIA would be in effect from July 1, 2021, following the conclusion of the 12-month transition period for compliance as provided under Section 110 of POPIA.
POPIA is further supported by the Regulations Relating to the Protection of Personal Information (2018), which establish additional provisions on the application of POPIA and contain several template forms.
Visit our South Africa Jurisdiction Dashboard for further information on South Africa's Data Protection Landscape.
POPIA v. GDPR
OneTrust DataGuidance has produced a POPIA v. GDPR report which you can download here, and which assists organizations in understanding and comparing key provisions of the POPIA to the GDPR.
On March 26, 2024, the Information Regulator (the Regulator) held a press conference in which it shared the outcomes of its investigations and assessment into compliance with the Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act (PAIA).
On February 27, 2024, the Information Regulator (the Regulator) announced that it had issued an enforcement notice to FT Rams Consulting for a violation of the Protection of Personal Information Act (POPIA) following a direct marketing complaint.
The Information Regulator (the Regulator) announced, on September 1, 2023, that it had issued, on August 31, 2023, an enforcement notice to Dis-Chem Pharmacies Ltd for violations of the Protection of Personal Information Act (POPIA).
Background to the decision
The Information Regulator (the Regulator) announced, on July 4, 2023, that it had issued, on July 3, 2023, an Infringement Notice in which it imposed a fine of ZAR 5 million (approx. $267,813) on the Department of Justice and Constitutional Development, for failure to comply with the Enforcement Notice issued by the Regulator on May 9, 2023.
The Information Regulator announced, on June 30, 2023, that it had extended the deadline for the submission of an annual report for the 2022-23 financial year in line with the Promotion of Access to Information Act (PAIA).
The Information Regulator ('the Regulator') announced, on 5 April 2023, that it had published a report on the outcomes of complaints investigated in relation to the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') and Promotion of Access to Information Act 2 of 2000 ('PAIA').
The Information Regulator ('the Regulator') announced, on 20 February 2023, that it has decided to refer the National Department of Health ('NDoH') to the Enforcement Committee over the issue of certain personal information that the NDoH had collected as part of the management of the spread of COVID-19 during the pandemic, following numerous uns
The Information Regulator ('the Regulator') published, on 16 February 2023, Protection of Personal Information Act 4 of 2013 ('POPIA') Rules of Procedure Relating to the manner in which a complaint or any matter in terms of the POPIA must be referred to and considered for a finding, and recommendation by the Enforcement Committee, 2023,
The Information Regulator ('the Regulator') published, on 24 November 2022, a media statement in which it welcomed action taken by the Department of Basic Education ('DBE') to align its processes on the publication of matric results with the requirements of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), notably Secti
The Information Regulator ('the Regulator') provided, on 26 October 2022, via Twitter, an update of the Regulator's recent activity and status. In particular, the Regulator outlined that the Enforcement Committee is in full force and complaints have been referred to it.
Notices in terms of Section 62(1) of the Protection of Personal Information Act, Act No.
The Information Regulator ('the Regulator') announced, on 29 August 2022, that it had issued a summons to the South African Police Service ('SAPS'), following failure to provide details related to the release of personal information of Krugersdorp victims by 24 August 2022.
The Information Regulator ('the Regulator') announced, on 12 August 2022, that it had published guidelines on how the security compromise notification form to the Regulator in terms of Section 22 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') must be completed by responsible parties.
The Information Regulator ('the Regulator') released, on 5 August 2022, a media statement in which it announced that it had initiated an investigation into possible violations of the Protection of Personal Information Act (Act No. 4 of 2013) ('POPIA') by members of the South Africa Police Service ('SAPS').
The Information Regulator ('the Regulator') announced, on 28 July 2022, that it had established an Enforcement Committee in accordance with Section 50 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), which will be chaired by Advocate Helen Fourie Senior Counsel. In particular, the Regulator specified that the Commit
The Information Regulator ('the Regulator') published, on 22 April 2022, a media statement in which it announced that it would monitor the National Department of Health's ('NDoH') compliance with the Protection of Personal Information Act, 2013 ('POPIA'), following the decision from President Cyril Ramaphosa to lift the national state of disaste
The past month has witnessed a surge in the number of allegations regarding the infringement of intellectual property (IP) rights by artificial intelligence (AI) models.
There have been radical developments in various artificial intelligence (AI) models, with ChatGPT being the most prominent. ChatGPT serves as a language-based AI chatbot that uses a set of techniques referred to as deep learning that has continuous learning capabilities.
Since the inception of the Protection of Personal Information Act, 4 of 2013 (POPIA), the Information Regulator has achieved some significant milestones in terms of POPIA and the Promotion of Access to Information Act, 2 of 2000 (PAIA).
Personal data is one of the most sought-after commodities of the 21st century, and as a result, consent has, in recent years, become increasingly prevalent as a codified legal mechanism intended to enable the informational self-determination of data subjects.
Sections 34 and 35 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') deal with the processing of children's information.
In 2013, after a period of nine years and 11 iterations of a data protection bill being mulled over by the government, South Africa's legislature passed the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA').
While cloud services had seen small-scale uptake within South Africa prior to 2020, the national working environment was fundamentally challenged by the onset of lockdown regulations following the COVID-19 pandemic.
During December 2021, the South African President signed the Cybercrimes Act, 2020 (Act 19 of 2020) ('the Cybercrimes Act') into law. This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management.
In order to process certain categories of data, South African organisations require 'prior authorisation' from the national Information Regulator ('the Regulator') in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA').
The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No. 4 of 2013 ('POPIA').
OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act (POPIA). The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of POPIA with the GDPR.
You can access the latest version of the report here.
Key highlights
POPIA and the GDPR share some similarities. Both laws:
- share similar definitions and concepts of 'personal data' and 'personal information';
- have comparable concepts of data controllers and processors, known as responsible parties and operators in POPIA;
- provide almost identical legal grounds for the processing of personal data; and
- specify accountability as a central principle.
However, despite their similarities, POPIA and the GDPR sometimes differ in their approach, for example:
- POPIA includes juristic persons under its scope of application;
- POPIA does not require impact assessments;
- unlike the GDPR, POPIA does not refer to a right to data portability; and
- the two laws differ in their approaches on how to respond to a data breach.