Support Centre
POPIA
workspace-icon
Back

POPIA

Comply with POPIA

South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. A period of relative stasis then followed for several years while a commencement date for the key provisions was decided upon. The Information Regulator ('the Regulator'), the data protection authority provided for by POPIA was established during this time and held its first meeting late in 2016, although its operations were limited.

The Regulator announced, on 1 July 2021, that its enforcement powers under POPIA are into effect from 1 July 2021, following the conclusion of the 12-month transition period for compliance as provided under Section 110 of POPIA.

POPIA is further supported by the Regulations Relating to the Protection of Personal Information (2018), which establish additional provisions on the application of POPIA and contain several template forms.

OneTrust DataGuidance's POPIA Portal provides you with the ability to track developments regarding POPIA and understand its obligations.

POPIA v. GDPR

OneTrust DataGuidance have produced a POPIA v. GDPR report which you can download here, and which assists organisations in understanding and comparing key provisions of the POPIA comparative to the GDPR. You can also leverage this information through our GDPR v. POPIA Comparison in the tab above.

South Africa Privacy Landscape Overview

Watch our South Africa Overview video to understand the state of privacy in South Africa today.

See all South Africa News
06 September 2023

South Africa: Regulator issues enforcement notice to Dis-Chem for POPIA violations following vendor's data breach

The Information Regulator (the Regulator) announced, on September 1, 2023, that it had issued, on August 31, 2023, an enforcement notice to Dis-Chem Pharmacies Ltd for violations of the Protection of Personal Information Act (POPIA).

Background to the decision

Enforcement Actions, Breach Notification, Incident and Breach, Vendor Management
11 July 2023

South Africa: Regulator fines Department of Justice and Constitutional Development ZAR 5 million for failure to comply with previously issued enforcement order

The Information Regulator (the Regulator) announced, on July 4, 2023, that it had issued, on July 3, 2023, an Infringement Notice in which it imposed a fine of ZAR 5 million (approx. $267,813) to the Department of Justice and Constitutional Development, for failure to comply with the Enforcement Notice issued by the Regulator on May 9, 2023.

Fines, Supervisory Authority
04 July 2023

South Africa: Regulator extends deadline for submission of annual reports

The Information Regulator announced, on June 30, 2023, that it had extended the deadline for the submission of an annual report for the 2022-23 financial year in line with the Promotion of Access to Information Act (PAIA).

Supervisory Authority, Transparency, Public Sector
11 April 2023

South Africa: Regulator publishes report on investigations relating to POPIA and PAIA for 2022-2023

The Information Regulator ('the Regulator') announced, on 5 April 2023, that it had published a report on the outcomes of complaints investigated in relation to the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') and Promotion of Access to Information Act 2 of 2000 ('PAIA').

Investigations, Supervisory Authority
24 February 2023

South Africa: Regulator refers NDoH to Enforcement Committee over data processing during COVID-19 pandemic

The Information Regulator ('the Regulator') announced, on 20 February 2023, that it has decided to refer the National Department of Health ('NDoH') to the Enforcement Committee over the issue of certain personal information that the NDoH had collected as part of the management of the spread of COVID-19 during the pandemic, following numerous uns

Investigations, Health and Pharmaceutical, Public Sector
23 February 2023

South Africa: Information Regulator publishes draft rules of procedure for Enforcement Committee

The Information Regulator ('the Regulator') published, on 16 February 2023, Protection of Personal Information Act 4 of 2013 ('POPIA') Rules of Procedure Relating to the manner in which a complaint or any matter in terms of the POPIA must be referred to and considered for a finding, and recommendation by the Enforcement Committee, 2023, 

Enforcement Actions, Privacy Law Reform
25 November 2022

South Africa: Regulator assesses Department of Basic Education for POPIA compliance

The Information Regulator ('the Regulator') published, on 24 November 2022, a media statement in which it welcomed action taken by the Department of Basic Education ('DBE') to align its processes on the publication of matric results with the requirements of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), notably Secti

Enforcement Actions, Education
31 October 2022

South Africa: Regulator confirms Enforcement Committee fully in force and reviews POPIA Regulations

The Information Regulator ('the Regulator') provided, on 26 October 2022, via Twitter, an update of the Regulator's recent activity and status. In particular, the Regulator outlined that the Enforcement Committee is in full force and complaints have been referred to it.

Enforcement Actions, Privacy Law Reform, Supervisory Authority
12 October 2022

South Africa: Regulator approves codes of conducts for BASA and CBA

Notices in terms of Section 62(1) of the Protection of Personal Information Act, Act No.

Certification, Financial Services
30 August 2022

South Africa: Regulator issues summons to Police Service

The Information Regulator ('the Regulator') announced, on 29 August 2022, that it had issued a summons to the South African Police Service ('SAPS'), following failure to provide details related to the release of personal information of Krugersdorp victims by 24 August 2022.

Enforcement Actions, Law Enforcement, Incident and Breach
15 August 2022

South Africa: Regulator publishes guidelines and form for security compromise notifications

The Information Regulator ('the Regulator') announced, on 12 August 2022, that it had published guidelines on how the security compromise notification form to the Regulator in terms of Section 22 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') must be completed by responsible parties.

Breach Notification, Cybersecurity
08 August 2022

South Africa: Regulator initiates investigation into possible violations of POPIA by members of Police Service

The Information Regulator ('the Regulator') released, on 5 August 2022, a media statement in which it announced that it had initiated an investigation into possible violations of the Protection of Personal Information Act (Act No. 4 of 2013) ('POPIA') by members of the South Africa Police Service ('SAPS').

Investigations, Public Sector
04 August 2022

South Africa: Information Regulator establishes Enforcement Committee under POPIA

The Information Regulator ('the Regulator') announced, on 28 July 2022, that it had established an Enforcement Committee in accordance with Section 50 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), which will be chaired by Advocate Helen Fourie Senior Counsel. In particular, the Regulator specified that the Commit

Law Enforcement, Data Subject Rights, Public Sector
17 May 2022

South Africa: Information Regulator monitors National Department of Health for POPIA compliance

The Information Regulator ('the Regulator') published, on 22 April 2022, a media statement in which it announced that it would monitor the National Department of Health's ('NDoH') compliance with the Protection of Personal Information Act, 2013 ('POPIA'), following the decision from President Cyril Ramaphosa to lift the national state of disaste

Investigations, Privacy Law Concepts, Health and Pharmaceutical, Public Sector
30 March 2022

South Africa: Regulator dissatisfied with Trans Union security compromise notification

The Information Regulator ('the Regulator') released, on 25 March 2022, a media statement in which it expressed its dissatisfaction with the security compromise notification from Trans Union LLC., following a security compromise affecting millions of data subjects.

Investigations, Financial Services, Breach Notification, Incident and Breach
20 January 2022

South Africa: Regulator addresses Department of Basic Education's publication of matric results on public platforms

The Information Regulator ('the Regulator') released, on 12 January 2022, a media statement addressing the Department of Basic Education ('DBE') regarding the processing of personal information in the form of matric results to ensure compliance with the Protection of Personal Information Act, 2013 ('POPIA').

Privacy Law Principles, Education
See all South Africa Insights
Jun 2023

South Africa: What to expect from the Information Regulator in 2023

Since the inception of the Protection of Personal Information Act, 4 of 2013 (POPIA), the Information Regulator has achieved some significant milestones in terms of POPIA and the Promotion of Access to Information Act, 2 of 2000 (PAIA).

Privacy Law Concepts, Privacy Law Principles
Nov 2022

South Africa: Unpacking consent under the GDPR and POPIA

Personal data is one of the most sought-after commodities of the 21st century1, and as a result, consent has, in recent years, become increasingly prevalent as a codified legal mechanism intended to enable the informational self-determination2 of data subjects.

Consent, Standards and Frameworks
Oct 2022

South Africa: Processing of children's personal information in the modern age of technology

Sections 34 and 35 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') deals with the processing of children's information.

Children's Data, Consent, Privacy Law Concepts, Privacy Law Principles, Apps, Internet
Sep 2022

South Africa: Contact tracing and its aftermath

In 2013, after a period of nine years and 11 iterations of a data protection bill being mulled over by the government, South Africa's legislature passed the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA').

Privacy Law Concepts, Health and Pharmaceutical
Jul 2022

South Africa: Cloud regulation and POPIA - what remote computing services need to know

While cloud services had seen small-scale uptake within South Africa prior to 2020, the national working environment was fundamentally challenged by the onset of lockdown regulations following the COVID-19 pandemic.

Vendor Management, Data Transfers
Jun 2022

South Africa: The Cybercrimes Act, its relationship with POPIA, and compliance

During December 2021, the South African President signed the Cybercrimes Act, 2020 (Act 19 of 2020) ('the Cybercrimes Act') into law. This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management.

Cybersecurity
Mar 2022

South Africa: Practical guidelines in applying for prior authorisation in terms of POPIA

In order to process certain categories of data, South African organisations require 'prior authorisation' from the national Information Regulator ('the Regulator') in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA').

Certification, Privacy Impact Assessments, Privacy Law Reform
Feb 2022

South Africa: Data Protection in the Automotive Sector

Automotive
Oct 2021

South Africa: The revised CBA code of conduct and its impact on credit bureaus

The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct1 ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No.4 of 2013 ('POPIA').

Accountability, Privacy Law Principles, Retention and Storage, Data Subject Rights, Financial Services
Sep 2021

South Africa: An overview of Vendor Privacy Contracts

Vendor Management
Jul 2021

South Africa: Cybersecurity

Cybersecurity
Jun 2021

EU - South Africa: GDPR v. POPIA

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and South Africa's

Data Subject Rights, Privacy Law Principles

POPIA v GDPR

Request a jurisdiction

GDPR Benchmark

This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:

  1. Scope
  2. Definitions and legal basis
  3. Rights
  4. Enforcement

Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.

Request a jurisdiction

Scope Benchmark

    title
  • Personal scope
  • Territorial scope
  • Material scope
  • Argentina

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly consistent

  • Australia

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Request a jurisdiction

Rights Benchmark

    title
  • Right to deletion
  • Right to be informed
  • Right to object
  • Right to access
  • Right not to be subject to discrimination
  • Right to data portability
  • Argentina

    • Inconsistent

    • Fairly consistent

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

    • Inconsistent

  • Australia

    • Inconsistent

    • Fairly consistent

    • Inconsistent

    • Fairly consistent

    • Consistent

    • Inconsistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Request a jurisdiction

Enforcement Benchmark

    title
  • Monetary penalties
  • Supervisory authority
  • Civil remedies
  • Argentina

    • Fairly consistent

    • Fairly consistent

    • Fairly consistent

  • Australia

    • Fairly consistent

    • Fairly consistent

    • Fairly inconsistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Company

Our Policies

Your Rights

© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.