Support Centre
POPIA
Back

POPIA

Comply with POPIA

South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013, following the President's signature. A period of relative stasis then followed for several years while a commencement date for the key provisions was decided upon. The Information Regulator ('the Regulator'), the data protection authority provided for by POPIA was established during this time and held its first meeting late in 2016, although its operations were limited.

The Regulator announced, on 1 July 2021, that its enforcement powers under POPIA are into effect from 1 July 2021, following the conclusion of the 12-month transition period for compliance as provided under Section 110 of POPIA.

POPIA is further supported by the Regulations Relating to the Protection of Personal Information (2018), which establish additional provisions on the application of POPIA and contain several template forms.

OneTrust DataGuidance's POPIA Portal provides you with the ability to track developments regarding POPIA and understand its obligations.

POPIA v. GDPR

OneTrust DataGuidance have produced a POPIA v. GDPR report which you can download here, and which assists organisations in understanding and comparing key provisions of the POPIA comparative to the GDPR. You can also leverage this information through our GDPR v. POPIA Comparison in the tab above.

South Africa Privacy Landscape Overview

Watch our South Africa Overview video to understand the state of privacy in South Africa today.

See all South Africa News
20 January 2022

South Africa: Regulator addresses Department of Basic Education's publication of matric results on public platforms

The Information Regulator ('the Regulator') released, on 12 January 2022, a media statement addressing the Department of Basic Education ('DBE') regarding the processing of personal information in the form of matric results to ensure compliance with the Protection of Personal Information Act, 2013 ('POPIA').

Fair and Lawful Processing, Education,
14 January 2022

South Africa: Information Regulator announces appointment of members

The Information Regulator ('the Regulator') announced, on 2 December 2021, that the President of South Africa HE., Cyril Ramaphosa, appointed four members to the Regulator, effective from 1 December 2021.

Enforcement - Other, Supervisory Authority,
19 October 2021

South Africa: Regulator publishes rules of procedure on submitting and handling complaints

The Information Regulator ('the Regulator') published, on 13 October 2021, rules of procedure ('the Rules') relating to the manner in which a complaint must be submitted and handled by the Regulator, pursuant to Section 40 of the Protection of Personal Information Act, 2013 ('POPIA'), outlining the Regulator's duties and functions.

Legal Reform, Supervisory Authority,
19 October 2021

South Africa: Regulator publishes revised CBA code of conduct

The Information Regulator ('the Regulator') announced, on 15 October 2021, that it had published, on 12 October 2021, in the Government Gazette, the Code of Conduct governing the Conditions for Lawful Processing of Personal Information by members of the Credit Bureau Association ('CBA'), South Africa, in terms of Section 61(2) of the Protection

Certification, Credit, Financial Services,
18 October 2021

South Africa: Regulator addresses processing of voters' personal data in election campaigns

The Information Regulator released, on 14 October 2021, a media statement addressing political parties and independent candidates campaigning for local government elections, taking place on 1 November 2021, to ensure lawful processing of voters' personal data.

Sensitive Personal Data, Public Sector,
18 October 2021

South Africa: Regulator invites comment on amendments to POPIA Regulations

The Information Regulator ('the Regulator') announced, on 13 October 2021, that it had extended the period for comment on Protection of Personal Information Act, No.4 of 2013 ('POPIA'): Amendment of the Regulations Relating to the Protection of Personal Information, 2018.

Legal Reform, Supervisory Authority, Facilitation of Data Subject Rights,
18 October 2021

South Africa: Regulator announces new email address system

The Information Regulator ('the Regulator') announced, on 15 October 2021, that it had changed its email addresses for service requests and enquiries. In particular, the Regulator noted that its email system will now operate under a new domain to ensure accessibility to the public and to stakeholders.

Registration, Supervisory Authority, Facilitation of Data Subject Rights,
18 October 2021

International: White House issues joint statement following ransomware initiative meeting

The White House issued, on 14 October 2021, a joint statement with world Ministers and Representatives following the ransomware initiative meeting held on 13 and 14 October 2021.

Cyber Risks and Threats, Cybersecurity,
13 October 2021

South Africa: Regulator releases guide on how to use PAIA

The Information Regulator released, on 12 October 2021, its Guide on How to Use the Promotion of Access to Information Act (Act 2 of 2000) ('PAIA').

Data Protection Officer Tasks, Supervisory Authority, Freedom of Information, Right of Access,
27 September 2021

South Africa: Information Regulator publishes CEO pledge on enterprise-wide risk management and compliance

The Information Regulator ('the Regulator') published, on 21 September 2021, the pledge of its Chief Executive Officer, Mr M. Mosala, signed on 14 September 2021, relating to enterprise-wide risk management and compliance.

Supervisory Authority, Policies and Procedures, Risk Treatment,
16 September 2021

South Africa: Information Regulator IT systems affected by ransomware attack on DOJ&CD

The Information Regulator ('the Regulator') released, on 13 September 2021, a media statement in which it announced that its IT systems had been affected by a ransomware attack on the Department of Justice & Constitutional Development ('DOJ&CD').

Supervisory Authority, Public Sector, Breach Notification - To Authorities, Incident and Breach,
13 September 2021

South Africa: Regulator releases PAIA Manual Template and forms for public and private bodies

The Information Regulator ('the Regulator') released, on 2 September 2021, forms relating to the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000) (as amended) ('PAIA'), including Form 5 of the same and PAIA Manual Templates, one for public bodies and one for private bodies. 

Form 5

Privacy Notices, Supervisory Authority, Policies and Procedures, Facilitation of Data Subject Rights, Right of Access,
10 August 2021

South Africa: Regulator gives notice on receipt of code of conduct from PNA

The Information Regulator ('the Regulator') published, on 2 August 2021, in accordance with Section 61(2) of the Protection of Personal Information Act, No. 4 of 2013 ('POPIA'), that it had received a code of conduct from Maktaba Stationery TA PNA, a stationery retail company.

Certification, Fair and Lawful Processing, Cross-Border Data Transfer,
23 July 2021

South Africa: Regulator publishes Form 5 of its Regulations

The Information Regulator ('the Regulator') published, on 22 July 2021, Form 5 of the Regulations relating to the Protection of Personal Information, 2018 which support the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ('POPIA').

Litigation, Supervisory Authority, Facilitation of Data Subject Rights,
15 July 2021

South Africa: Regulator issues warning on processing personal data without consent

The Information Regulator ('the Regulator') issued, on 13 July 2021, a warning on processing personal data without consent, following the distribution of photographs of former President Jacob Zuma at a facility of the Department of Correctional Services ('DCS') through social media.

Consent, Fair and Lawful Processing, Investigations, Photographs,
01 July 2021

South Africa: Regulator releases guidance note on processing of special personal information

The Information Regulator issued, on 29 June 2021, its guidance note on the processing of special personal information under Sections 26 and 27(1) of the Protection of Personal Information Act, 2013 ('POPIA').

Prior Consultation, Supervisory Authority, Sensitive Personal Data,
See all South Africa Insights
Oct 2021

South Africa: The revised CBA code of conduct and its impact on credit bureaus

The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct1 ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No.4 of 2013 ('POPIA').

Accountability, Data Minimisation, Legal Basis, Retention and Storage, Facilitation of Data Subject Rights, Right of Access, Credit,
Apr 2021

South Africa: POPIA and prior authorisation to process personal information

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information.

Prior Consultation, Legal Reform,
Mar 2021

South Africa: The development of codes of conduct under POPIA

The effective date for South Africa's data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') is fast approaching and in anticipation of D-Day (1 July 2021), organisations need to address their compliance requirements to avoid possible penalties.

Certification, Supervisory Authority,
Feb 2021

South Africa: The role and liability of an operator under POPIA

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') defines a number of different persons who may either, in the circumstances, be involved in and/or responsible for the processing and protection of personal data or alternatively, are the persons to whom such personal data relates.

Data Processor, Vendor Contracts, Vendor Management,
Jan 2021

South Africa: POPIA and the regulation of direct marketing

Under South African law, direct marketing is not solely regulated by the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') but is affected by other pieces of legislation too, such as the Consumer Protection Act, 2008 (Act 68 of 2008) ('CPA') and the Electronic Communications and Transactions Act, 2002 (Act 25 of 2002) ('ECTA

Consent, Direct Marketing, Legal Reform, Right to Opt Out,
Nov 2020

South Africa: The role and responsibilities of the information officer under POPIA

By now the news of the commencement date (i.e. 1 July 2020) for the Protection of Personal Information Act No.

Data Protection Officer Appointment, Legal Reform,
Jun 2020

South Africa: President announces commencement dates for certain sections of POPIA

The President of South Africa announced, on 22 June 2020, the commencement dates for certain remaining sections of the Protection of Personal Information Act, 2013 ('POPIA'). Such sections will commence on 1 July 2020 and 30 June 2021.

Legal Reform, Supervisory Authority,

POPIA v GDPR

Request a jurisdiction

GDPR Benchmark

This Chart aims at assisting organisations in understanding and comparing key provisions of the GDPR with relevant data protection law from around the globe. This Chart provides a comparison of the following key provisions:

  1. Scope
  2. Definitions and legal basis
  3. Rights
  4. Enforcement

Each topic includes relevant articles and sections from the law compared, a summary of the comparison, and a detailed analysis of the similarities and differences. The degree of similarity for each section can be identified using the key.

Request a jurisdiction

Scope Benchmark

    title
  • Personal scope
  • Territorial scope
  • Material scope
  • Argentina

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly consistent

  • Australia

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Request a jurisdiction

Definitions and Legal Basis Benchmark

    title
  • Personal data
  • Pseudonymisation
  • Controller and processor
  • Children
  • Research
  • Legal Basis
  • Argentina

    • Fairly consistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Fairly consistent

  • Australia

    • Fairly consistent

    • Fairly inconsistent

    • Fairly inconsistent

    • Inconsistent

    • Fairly consistent

    • Fairly inconsistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Request a jurisdiction

Rights Benchmark

    title
  • Right to deletion
  • Right to be informed
  • Right to object
  • Right to access
  • Right not to be subject to discrimination
  • Right to data portability
  • Argentina

    • Inconsistent

    • Fairly consistent

    • Fairly inconsistent

    • Fairly consistent

    • Fairly consistent

    • Inconsistent

  • Australia

    • Inconsistent

    • Fairly consistent

    • Inconsistent

    • Fairly consistent

    • Consistent

    • Inconsistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Request a jurisdiction

Enforcement Benchmark

    title
  • Monetary penalties
  • Supervisory authority
  • Civil remedies
  • Argentina

    • Fairly consistent

    • Fairly consistent

    • Fairly consistent

  • Australia

    • Fairly consistent

    • Fairly consistent

    • Fairly inconsistent

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Africa - Data Breach

Breach Notification - To Affected Individuals
Breach Notification - To Authorities
Breach Notification - To Data Controllers
Incident Response

South Africa - Data Protection Officer Appointment

Data Protection Officer Appointment
Data Protection Officer Tasks

South Africa - Emarketing

Direct Marketing
Email Marketing

South Africa - Employee Monitoring

Employee Monitoring

South Africa - Postal Marketing

Direct Marketing
Postal Marketing

South Africa - Privacy Impact Assessment

Privacy Impact Assessments

South Africa - SMS/MMS Marketing

Direct Marketing
SMS | MMS Marketing

South Africa - Telemarketing

Direct Marketing
Telemarketing

South Africa - Vendor Privacy Contracts

Vendor Contracts
Vendor Management

EU - South Africa: GDPR v. POPIA

GDPR

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.