Support Centre

South Africa


Law: Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), Commencement of Section 1, Part A of Chapter 5 and Sections 112 and 113 of POPIA (April 2014), and Regulations Relating to the Protection of Personal Information (2018) ('the Regulations')

Regulator: The Information Regulator ('the Regulator') 

Summary: In 2013, POPIA was signed into law by the President of South Africa, and the Information Regulator was established as the supervisory authority. In 2018, the Regulator published the Regulations, which mostly clarify administrative provisions and practical requirements. POPIA is expected to have a significant impact and regulates a wide range of data protection related activities. Moreover, POPIA provides a broad understanding of personal information, not only by specifying that personal information might include information relating to the biometric information, employment history, personal correspondence, personal opinions, pregnancy, mental health, and even the language of a person, but also by including juristic person's personal information within its scope.

However, several Sections from POPIA and the Regulations, such as those regulating the processing of personal data and data subject rights, did not become operational until 1 July 2020. Furthermore, Regulation 4 entered into effect on 1 May 2021, while Regulation 5 become effective on 1 March 2021, and the residual Regulations entered into effect on 1 July 2021.


The past month has witnessed a surge in the number of allegations regarding the infringement of intellectual property (IP) rights by artificial intelligence (AI) models. In this Insight article, Tasmiya Patel, Davin Olën, and Amaarah Kapdi, from Dentons, unpack the broad international legal framework that is applicable in such cases, the potential defenses available, and discuss the remedies accessible to parties claiming the infringement of their IP rights.

To navigate this landscape, the article first articulates the methods used by AI to develop neural networks. It then proceeds to address the applicable international IP rights regime, which is subsequently developed, and concludes with an examination of the likely relief that a court may grant in such cases.

There have been radical developments in various artificial intelligence (AI) models, with ChatGPT being the most prominent. ChatGPT serves as a language-based AI chatbot that uses a set of techniques referred to as deep learning that has continuous learning capabilities. As a result of these revolutionary AI developments, businesses have acknowledged the valuable insights that AI platforms can provide. It facilitates the generation of contracts, marketing content, CVs, articles, essays, and much more. It does so by gathering and processing data sourced from the internet, encompassing large sets of data derived from books, articles, and other online resources. PR de Wet and Jako Fourie, from VDT Attorneys Inc., examine the impact of POPIA on AI developments, with a specific focus on the processing of data by automated means through AI.

Since the inception of the Protection of Personal Information Act, 4 of 2013 (POPIA), the Information Regulator has achieved some significant milestones in terms of POPIA and the Promotion of Access to Information Act, 2 of 2000 (PAIA). In this Insight Article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc, analyze the milestones accomplished in 2022 and the expectations for 2023.

Personal data is one of the most sought-after commodities of the 21st century1, and as a result, consent has, in recent years, become increasingly prevalent as a codified legal mechanism intended to enable the informational self-determination2 of data subjects. Whilst consent is only one of various lawful bases upon which controllers3 can process personal data4, consent notices have become ubiquitous. The efficacy of consent as a privacy-preserving mechanism, however, is not so straightforward, as the manner in which it is defined, interpreted, and applied can have a significant impact upon numerous rights that data subjects are afforded under current data protection laws. Alon Lev Alkalay, assisted by Mahir Ahmed and Mudda Sulaiman, from Lighthouse Law, compare and analyse how consent is defined under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')5 and South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), as well as what constitutes valid, binding consent.

Sections 34 and 35 of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') deals with the processing of children's information. PR de Wet and Jako Fourie, from VDT Attorneys Inc., provide a brief overview of the aforementioned sections and requirements with specific emphasis on the higher degree of protection afforded by POPIA with regard to the processing of personal information of children. As a first in a series of articles to follow, this article will explain some practical implications for valid consent being one such requirement, especially in relation to the modern technical age that we find ourselves in today.

While cloud services had seen small-scale uptake within South Africa prior to 2020, the national working environment was fundamentally challenged by the onset of lockdown regulations following the COVID-19 pandemic. As staff members were required to stay at home, many organisations were obliged to shift their data onto cloud platforms for staff members to continue working. In many instances, this emergency operational modification did not consider the legislative implications of data migrations and, following the relaxation of lockdown regulations, companies have been forced to consider the risk and compliance aspects of their migration.

In this Insight article, PR De Wet and Davin Olën, from VDT Attorneys Inc., unpack the regulatory position of cloud service providers and organisations making use of cloud services. To shed light on the phenomenon, this article commences with an overview of the most relevant legislative provisions regarding cloud storage facilities, followed by the applicable operational aspects of the regulatory framework.

During December 2021, the South African President signed the Cybercrimes Act, 2020 (Act 19 of 2020) ('the Cybercrimes Act') into law. This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management. But what impact does the Cybercrimes Act have on organisations operating in South Africa? In this Insight, the first on the topic of cybercrimes, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview and unpack how the new legislation slots into the existing South African regulatory universe, with specific reference to the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). The article also provides an overview of the applicable business processes which South African companies would need to consider in ensuring compliance with the Cybercrimes Act.

In order to process certain categories of data, South African organisations require 'prior authorisation' from the national Information Regulator ('the Regulator') in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). This regulatory restriction is established by Section 57(1) of POPIA and applies to a list of data categories which is detailed further within that Section. While some organisations are exempted from applying for prior authorisation, many are not1. In this insight, the second on the topic of prior authorisations2 in accordance with POPIA, PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview of the applicable process which South African companies must follow to receive prior authorisation approval.

The South Africa Credit Bureau Association ('CBA') has published a Code of Conduct1 ('the Code') governing the Conditions for Lawful Processing of Personal Information by credit bureaus who are members of the CBA under the Protection of Personal Information Act, No.4 of 2013 ('POPIA'). Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, explains the key provisions of the Code and what credit bureaus must now consider when processing personal information.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of POPIA with the  GDPR.

You can access the latest version of the report here.

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.