Support Centre
POPIA
Back

POPIA

Comply with POPIA

South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. A period of relative stasis then followed for several years while a commencement date for the key provisions was decided upon. The Information Regulator ('the Regulator'), the data protection authority provided for by POPIA was established during this time and held its first meeting late in 2016, although its operations were limited. In June 2020, the President announced that certain essential remaining sections of POPIA would commence on 1 July 2020 and that, following a 12-month transition period, public and private bodies would need to be compliant from 30 June 2021.

POPIA is further supported by the Regulations Relating to the Protection of Personal Information (2018), which establish additional provisions on the application of POPIA and contain several template forms.

OneTrust DataGuidance's POPIA Portal provides you with the ability to track developments regarding POPIA and understand its obligations.

POPIA v. GDPR

OneTrust DataGuidance have produced a POPIA v. GDPR report which you can download here, and which assists organisations in understanding and comparing key provisions of the POPIA comparative to the GDPR. You can also leverage this information through our GDPR v. POPIA Comparison in the tab above.

South Africa Privacy Landscape Overview

Watch our South Africa Overview video to understand the state of privacy in South Africa today.

See all South Africa News
06 April 2021

South Africa: Regulator addresses countdown to POPIA compliance

The Information Regulator ('the Regulator') released, on 24 March 2021, a media statement in which it marked 100 days till the deadline for public and private bodies to ensure compliance with the Protection of Personal Information Act, 2013 ('POPIA') in preparation for the full implementation and enforcement of POPIA on 1 July 2021.

Legal Reform, Supervisory Authority,
06 April 2021

South Africa: Regulator publishes guidance note on registration of information officers

The Information Regulator ('the Regulator') announced, on 1 April 2021, that it had published its guidance note on information officers and deputy information officers in accordance with the Promotion of Access to Information Act, 2000 and the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), following a 

Accountability, Data Protection Officer Appointment, Data Protection Officer Tasks, Registration,
18 March 2021

South Africa: Regulator releases guidance note on application for prior authorisation

The Information Regulator ('the Regulator') released, on 12 March 2021, its guidance note on applications for prior authorisation, containing the application form for the same, as well as an invitation to responsible parties to submit applications as soon as possible.

Accountability, Prior Consultation, Supervisory Authority,
08 March 2021

South Africa: Regulator provides legal analysis on WhatsApp privacy policy and POPIA compliance

The Information Regulator ('the Regulator') released, on 3 March 2021, a media statement in which it announces that it had provided its legal analysis on the WhatsApp privacy policy to Facebook South Africa, as part of its investig

Investigations, Supervisory Authority,
23 February 2021

South Africa: Regulator publishes guidelines for developing codes of conduct and announces commencement of POPIA regulations

The Information Regulator ('the Regulator') released, on 22 February 2021, a statement noting that it had published its Guideline to Develop Codes of Conduct in terms of Section 65 of the Protection of Personal Information Act, 2013 ('POPIA'), following a

Legal Reform, Supervisory Authority,
18 February 2021

South Africa: Regulator supports amendments to electoral laws

The Information Regulator ('the Regulator') issued, on 9 February 2021, a statement in which it supports key amendments to Section 16 of the Electoral Act, 73 of 1998 through the Electoral Laws Amendment Bill.

Legal Reform, Public Sector,
05 February 2021

South Africa: Constitutional Court finds act on state surveillance unconstitutional

The Constitutional Court issued, on 4 February 2021, its judgment in Amabhunngane Centre for Investigative Journalism NPC and Another V Minister of Justice and Correctional Services and Others; Minister of Police v Amabhungane Centre Investigative Journalism NPC and Others CCT278/19 and CCT279/19, in which it found the Regulation of Int

Communications Interception, Legal Reform, Facilitation of Data Subject Rights, Surveillance,
15 January 2021

South Africa: Regulator announces investigation into WhatsApp privacy policy

The Information Regulator ('Regulator') published, on 13 January 2021, a media statement in which it announced that it was launching an investigation to assess the compliance of the revised WhatsApp privacy policy with the Protection of Personal Information Act, 2013 ('POPIA').

Privacy Notices, Investigations, Apps,
06 January 2021

South Africa: Regulator notes unprecedented number of data breaches in 2020

The Information Regulator ('Regulator') published, on 18 December 2020, a media statement in which it cautioned the public to protect their personal information in the upcoming festive season.

Accountability, Incident and Breach, Personal Data, Cybersecurity,
17 December 2020

South Africa: Regulator releases 2019/2020 annual report

The Information Regulator ('the Regulator') released, on 24 November 2020, its annual report for the 2019/20 financial year.

Supervisory Authority Report, Supervisory Authority,
20 August 2020

South Africa: Experian South Africa announces data incident affecting 24M South Africans and 793,749 businesses

Experian South Africa (Proprietary) Limited announced, on 19 August 2020, that it is investigating an isolated incident involving a fraudulent data inquiry whereby an individual fraudulently requested services from Experian in order to create marketing leads.

Incident and Breach, Direct Marketing, Investigations, Incident Response,
20 July 2020

South Africa: Regulator invites comments on draft Guidelines on Registration of Information Officers

The Information Regulator ('the Regulator') published, on 17 July 2020, its draft Guidelines on the Registration of Information Officers ('the Guidelines') and invited comments on the same.

Accountability, Registration, Supervisory Authority,
22 June 2020

South Africa: President announces commencement of certain sections of POPIA

The President of South Africa announced, on 22 June 2020, the commencement of certain sections of the Protection of Personal Information Act, 2013 ('POPIA').

Right of Action, Legal Basis, Legal Reform, Direct Marketing, Enforcement - Other,
06 April 2020

South Africa: Regulator calls for POPIA promulgation in 2020-2021 financial year plan

The Information Regulator ('the Regulator') published, on 3 April 2020, its annual performance plan for the 2020-2021 financial year ('the Plan'), in which it announced that it had written to the Minister of Justice and Correctional Services and the President to request that the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPI

Accountability, Freedom of Information, Legal Reform, Supervisory Authority,
03 April 2020

South Africa: Regulator publishes guidance note on processing personal information during Coronavirus

The Information Regulator ('the Regulator') published, on 3 April 2020, its Guidance Note ('the Guidance Note') on the Processing of Personal Information in the Management and Containment of the COVID-19 Pandemic in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA').

Consent, Legal Basis, Retention and Storage, Tracking Devices, Health and Pharmaceutical,
30 March 2020

South Africa: Regulator addresses importance of privacy during Coronavirus

The Information Regulator ('the Regulator') addressed, on 19 March 2020, the importance of the right of access to information and the right to privacy in the management and containment of COVID-19 ('Coronavirus').

Right of Access, Cybersecurity, Public Sector, Scientific Research, Supervisory Authority,
See all South Africa Insights
Mar 2021

South Africa: The development of codes of conduct under POPIA

The effective date for South Africa's data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') is fast approaching and in anticipation of D-Day (1 July 2021), organisations need to address their compliance requirements to avoid possible penalties.

Certification, Supervisory Authority,
Feb 2021

South Africa: The role and liability of an operator under POPIA

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') defines a number of different persons who may either, in the circumstances, be involved in and/or responsible for the processing and protection of personal data or alternatively, are the persons to whom such personal data relates.

Data Processor, Vendor Contracts, Vendor Management,
Jan 2021

South Africa: POPIA and the regulation of direct marketing

Under South African law, direct marketing is not solely regulated by the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') but is affected by other pieces of legislation too, such as the Consumer Protection Act, 2008 (Act 68 of 2008) ('CPA') and the Electronic Communications and Transactions Act, 2002 (Act 25 of 2002) ('ECTA

Consent, Direct Marketing, Legal Reform, Right to Opt Out,
Nov 2020

South Africa: The role and responsibilities of the information officer under POPIA

By now the news of the commencement date (i.e. 1 July 2020) for the Protection of Personal Information Act No.

Data Protection Officer Appointment, Legal Reform,
Jun 2020

South Africa: President announces commencement dates for certain sections of POPIA

The President of South Africa announced, on 22 June 2020, the commencement dates for certain remaining sections of the Protection of Personal Information Act, 2013 ('POPIA'). Such sections will commence on 1 July 2020 and 30 June 2021.

Legal Reform, Supervisory Authority,
Mar 2020

South Africa: Update on the status of POPIA

The Information Regulator in South Africa, by letter to the President, has requested that the President bring into effect the remaining sections of Protection of Personal Information Act, 2013 ('POPIA') from 1 April 2020, which is the beginning of the Information Regulator's financial year. Tebogo Sibidla, Director in the Media, Communications &

Right of Action, Legal Basis, Legal Reform, Supervisory Authority,
Jan 2020

Interview with: Lebogang Stroom-Nzama, Member Of The Information Regulator, South Africa

In October 2019, OneTrust DataGuidance met with Lebogang Stroom-Nzama, Member of the Information Regulator, South Africa. Lebogang discusses the reasons why the Protection of Personal Data Act, 2013 (Act No.

Right of Action, Consent, Data Subject, Legal Reform, Right to Opt Out, Supervisory Authority,
Sep 2019

South Africa: The use of biometric information

The collection and use of biometric information has gained prevalence across the world, and South Africa is no exception.

Biometric Data, Consent, Facilitation of Data Subject Rights, Photographs, Sensitive Personal Data,
Mar 2019

South Africa: POPIA and the developing privacy framework

The introduction of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') marked the beginning of an extensive period of data protection-related legislation being considered, promulgated and amended in South Africa.

Accountability, GDPR, Human Rights, Legal Reform, Supervisory Authority,

POPIA v GDPR

GDPR Benchmark

Request a jurisdiction

This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:

  1. Scope
  2. Definitions and legal basis
  3. Rights
  4. Enforcement

Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.

Scope Benchmark

Request a jurisdiction
    title
  • Personal scope
  • Territorial scope
  • Material scope
  • Argentina

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly consistent

  • Australia

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform

Try Free

Definitions and Legal Basis Benchmark

Request a jurisdiction
    title
  • Personal data
  • Pseudonymisation
  • Controller and processor
  • Children
  • Research
  • Legal Basis
  • Argentina

    • Fairly consistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly consistent

  • Australia

    • Fairly consistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Inconsistent

    • Fairly consistent

    • Fairly inconsistent

To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform

Try Free

Rights Benchmark

Request a jurisdiction
    title
  • Right to deletion
  • Right to be informed
  • Right to object
  • Right to access
  • Right not to be subject to discrimination
  • Right to data portability
  • Argentina

    • Inconsistent

    • Fairly consistent

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

    • Fairly consistent

  • Australia

    • Inconsistent

    • Fairly consistent

    • Inconsistent

    • Fairly consistent

    • Consistent

    • Inconsistent

To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform

Try Free

Enforcement Benchmark

Request a jurisdiction
    title
  • Monetary penalties
  • Supervisory authority
  • Civil remedies
  • Argentina

    • Fairly consistent

    • Fairly consistent

    • Fairly consistent

  • Australia

    • Fairly consistent

    • Fairly consistent

    • Fairly inconsistent

To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform

Try Free

South Africa - Cybersecurity

Cyber Risks and Threats
Cybersecurity
Information Security Officer

South Africa - Data Breach

Breach Notification - To Affected Individuals
Breach Notification - To Authorities
Breach Notification - To Data Controllers
Incident Response

South Africa - Data Processing Notification

Registration

South Africa - Data Protection Officer Appointment

Data Protection Officer Appointment
Data Protection Officer Tasks

South Africa - Data Protection Overview

Legal Reform
Personal Data

South Africa - Data Subject Rights

Facilitation of Data Subject Rights

South Africa - Emarketing

Direct Marketing
Email Marketing

South Africa - Employee Monitoring

Employee Monitoring

South Africa - Postal Marketing

Direct Marketing
Postal Marketing

South Africa - Privacy Impact Assessment

Privacy Impact Assessments

South Africa - SMS/MMS Marketing

Direct Marketing
SMS | MMS Marketing

South Africa - Telemarketing

Direct Marketing
Telemarketing

South Africa - Vendor Privacy Contracts

Vendor Contracts
Vendor Management

EU - South Africa: GDPR v. POPIA

GDPR

Company

Our Policies

Your Rights

© 2020 OneTrust Technology Limited. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.