What is South Africa’s Protection of Personal Information Act (POPIA)?
The Protection of Personal Information Act 4 of 2013 (POPIA) is the comprehensive data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.
The key aspect is the regulation of every step in the processing of personal information. This covers the entire process, from the reason someone handles the personal information, through how and when it’s handled, to the time it is destroyed.
POPIA received parliamentary approval in 2013, and the law went into effect in 2020. The implementation of the law began 12 months after its entry into force.
The maximum fine for a POPIA offense is ZAR 10 million.
Less often mentioned penalties include the loss of reputation, the loss of existing customers, and the failure to attract new ones, all of which have a huge impact on revenue!
POPIA compliance – what does it mean?
Being compliant with POPIA means that any processing of end users’ personal data must be subject to their prior consent.
In doing so, you need to fulfill several requirements for legal processing. Legal processing requirements include documentation, confidentiality, and ensuring the right of end users to manage their personal data, including the right to access, correct, and delete the data.
Who must comply with South Africa’s Protection of Personal Information Act (POPIA)?
POPIA applies to responsible parties whether or not they are “resident in the Republic”, i.e., POPIA is extraterritorial. The question is whether the data subjects are located in South Africa, not whether the entity processing their data is located there.
In addition, personal data is defined more broadly here than, for example, under CCPA or GDPR. Data from companies or legal entities is also protected here.
This applies to individuals, companies, and the government. According to the law, a responsible party is “a public or private body or any other person who, together with others or alone, determines the purpose or means of processing personal information”.
Exemptions to South Africa’s personal information protection law exist just as with other data privacy laws.
South Africa’s personal information protection act – exceptions
Exclusions from South Africa’s personal information protection act apply in the following situations:
- when the data processing is non-commercial, i.e. when the processing is for personal/domestic activity
- when there is sufficient anonymization of data
- when there are questions about national or public security
- when the data processing is in the service of the functions of the Court or the functions of law enforcement authorities
- when government agencies carry out the data processing
POPIA age threshold
POPIA has a higher age threshold compared to other laws of this type. The act does not consider persons under the age of 18 legally competent. The consent of a parent or guardian is required for the processing of their personal data.
Final thoughts:
POPIA, as a well-established and influential privacy act, applies to any company or organization processing personal information in South Africa. This means that the company or organization is either domiciled in the country, or not domiciled there but making use of automated or non-automated means of processing in the country.
If your business falls into the above category, make sure that you comply with this privacy act. For easier compliance, there are Jira and Confluence apps to help companies navigate POPIA requirements and communicate them to users.