  • karien846

POPI: What you need to know right now

The Protection of Personal Information Act 4 of 2013 (“POPI”) was initially implemented in April 2014. It was, however, implemented incrementally, as only certain sections came into force.

The President has announced that remaining sections will now be implemented as follows:

  • Sections 2 to 38; sections 55 to 109; section 111; and section 114(1), (2) and (3) shall commence on 1 July 2020; and

  • Sections 110 and 114(4) shall commence on 30 June 2021.

POPI protects the rights of individuals to privacy by regulating the collection, retention, dissemination and use of personal information. It restores the autonomy of the client, allowing them to decide whether they want to share or receive information.

The sections which will commence on 1 July 2020 are essential parts of the Act and are summarised as follows:

1. The following 8 conditions set out the requirements for the lawful processing of personal information:

  • Accountability: Responsible parties (a public or private body who determines the purpose of processing personal information) must ensure that the conditions set out in POPI are complied with.

  • Processing limitation: Personal information must be processed lawfully and in a reasonable manner, i.e. data collection must be proportionate to the purpose and the data subject must give consent to the information processing.

  • Openness: The data subject must be aware of the collection of the data and must be provided with the name and address of the responsible party.

  • Data subject participation: A data subject must be provided with access to the personal information and may request that personal information be corrected.

  • Purpose specifications: Personal information must be collected for a specifically defined and lawful purpose related to a function of the responsible party. The data subject must be aware of this purpose.

  • Security safeguards: The responsible party must ensure compliance with the regulations of the Information Regulator by ensuring integrity and confidentiality of personal information.

  • Further processing limitations: If the information is shared with third parties, it must be a continuation of the original purpose only.

  • Information quality: The responsible party must ensure the accuracy of the personal information by taking steps to ensure that personal information is complete, updated and not misleading.

2. The regulation of the processing of special personal information:

A higher degree of protection is given to special personal information under POPI, given the highly sensitive nature of such information. Special personal information includes the following:

  • religious or philosophical beliefs

  • race or ethnic origin

  • trade union membership

  • political persuasion

  • health or sex life

  • criminal behaviour or biometric information

3. Codes of Conduct issued by the Information Regulator:

If a code of conduct is issued by the Information Regulator it must be published in the Government Gazette, as soon as reasonably practicable after the code is issued. The code of conduct will come into force on the 28th day after the date of its notification in the Gazette or on such later date as may be specified in the code and is binding on every class or classes of body, industry, profession or vocation referred to therein.

4. Procedures for dealing with complaints:

A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code. The code of conduct will provide for the appointment of an independent adjudicator to whom complaints may be made.

5. Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of POPI:

The processing of personal information for the purpose of direct marketing by any form of electronic communication, including automatic calling machines, SMS or e-mail, is prohibited unless the data subject has given consent to the processing, or has not previously withheld such consent. The requirement of consent in cases where the data subject is not a customer of the responsible party would be better served by an opt-in or opt-out provision.

6. Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021.

Non-compliance with POPI can potentially lead to claims for civil damages, administrative fines, or criminal prosecution where fines and imprisonment of between 1 and 10 years are prescribed.

For more information or assistance, contact our offices on 041 363 6044 or

This article is not intended to constitute legal advice and is produced for information purposes only and to provide a general understanding of the legal position relating to the topic. It is recommended that advice relating to the specific circumstances of your situation be sought from our attorneys before acting upon the content of this article. This article was written at a particular point in time and accordingly may not always reflect the most recent legal developments, if any, applicable to the relevant topic. Kaplan Blumberg and its partners and/or employees are not responsible for any consequences which may follow upon any decision taken to act upon the information provided in this article.
