The key legislation is the Protection of Personal Information Act, 2013 ("POPIA"), together with its regulations, including the Regulations Relating to the Protection of Personal Information, 2018 (as amended in 2025). The Information Regulator (Regulator) also publishes guidelines from time to time, to assist responsible parties in interpreting and applying POPIA.

While the Information Regulator has issued several enforcement notices and imposed a couple of administrative fines on responsible parties for their non-compliance with POPIA, at the time of writing, there are still very few court decisions applying POPIA. The highest administrative fine imposed to date is ZAR 5 million. 

Personal data is known under POPIA as ‘personal information’ and is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

1. information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person; 
2. information relating to the education or the medical, financial, criminal or employment history of the person; 
3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; 
4. the biometric information of the person; 
5. the personal opinions, views or preferences of the person; 
6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; 
7. the views or opinions of another individual about the person; and 
8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.” (see POPIA, s. 1)

Sensitive data is known under POPIA as ‘special personal information’ and is defined as “personal information concerning—

1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or 
2. the criminal behaviour of a data subject to the extent that such information relates to— 
   
   1. the alleged commission by a data subject of any offence; or 
   2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.” (see POPIA, s. 26)

Personal information is protected in that it may only be processed by a responsible party in line with the eight conditions for lawful processing set out in Chapter 3 of POPIA, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

POPIA applies to any “responsible party”, which is defined as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. (see POPIA, s. 1).  

POPIA does not have extra-territorial application – in terms of section 3, in order for POPIA to apply to a responsible party, that responsible party must either be domiciled in South Africa, or if not domiciled in South Africa, the responsible party must make use of automated or non-automated means to process personal information in South Africa (the only exception to the latter requirement is where the processing means are used only to forward personal information through South Africa). Further, the personal information must be entered into a record for POPIA to apply.

There are certain exclusions provided for under POPIA, such as processing in the course of a purely personal or household activity, processing of personal information that has been de-identified to the extent that it cannot be re-identified again and processing of personal information solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. (see POPIA, ss. 6 and 7)

“Processing” means “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2. dissemination by means of transmission, distribution or making available in any other form; or
3. merging, linking, as well as restriction, degradation, erasure or destruction of information” (see POPIA, s. 1).

The principles or conditions for the lawful processing of personal information by or for a responsible party are the following:

1. “Accountability”, as referred to in section 8;
2. “Processing limitation”, as referred to in sections 9 to 12;
3. “Purpose specification”, as referred to in sections 13 and 14;
4. “Further processing limitation”, as referred to in section 15;
5. “Information quality”, as referred to in section 16;
6. “Openness”, as referred to in sections 17 and 18;
7. “Security safeguards”, as referred to in sections 19 to 22; and
8. “Data subject participation”, as referred to in sections 23 to 25.

Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. To be lawful, there must be one of the following justifiable bases for the processing:

• The data subject, or a competent person where the data subject is a child, consents to the processing;
• Processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
• Processing complies with a legal obligation imposed on the responsible party;
• Processing protects a legitimate interest of the data subject;
• Processing is necessary for the proper performance of a public law duty by a public body; or
• Processing is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied (see POPIA, s. 11(1)).

When it comes to special personal information, processing is prohibited unless certain conditions are present (as provided in section 27(1)), or the Regulator has granted an authorisation in terms of section 27(2) of POPIA. 

Personal information must also be collected directly from the data subject (subject to certain exceptions), for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party, and steps must be taken to ensure that the data subject is aware of the purpose for collection (subject to certain exceptions) (see POPIA, ss. 12, 13 and 18).  

The further processing of personal information is also regulated in that any further processing must be in accordance or compatible with the purpose for which it was originally collected (see POPIA, s. 15). 

Personal information must not be retained for any longer than is necessary for achieving the purpose for which it was collected or subsequently processed, unless retention is required or authorised by law or a contract between the parties, the responsible party reasonably requires the record for lawful purposes related to its functions or activities, or with the data subject’s consent (or the consent of a competent person where the data subject is a child). Longer retention is also permitted for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes (see POPIA, s. 14). 

Where a responsible party that has used a record of personal information of a data subject to make a decision about the data subject, it must retain the record for such period as may be required or prescribed by law or a code of conduct; or if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.

Once a responsible party is no longer authorised to retain a record of personal information, such record must be destroyed or deleted. Destruction or deletion must be done in a manner that prevents reconstruction in an intelligible form.

A responsible party must also restrict processing of personal information in certain circumstances. 

In terms of security, both technical and organisational measures (that are appropriate and reasonable) must be implemented to prevent loss, damage, unauthorised destruction, or unlawful access to personal information (see POPIA, s. 19).

Data subjects have the right to have their personal information processed in accordance with the eight conditions for lawful processing, including the right:

• To be notified of collection or unauthorised access of their personal information;
• To establish whether a responsible party holds personal information about them and to request access to their personal information;
• To request correction, destruction, or deletion of their personal information;
• To object to processing of their personal information in certain circumstances, including for purposes of direct marketing; 
• Not to be subject to direct marketing by unsolicited electronic communications, except as provided for in POPIA;
• Not to be subject to automated decision-making in certain circumstances;
• To submit complaints to the Regulator; and 
• To institute civil proceedings regarding alleged interference with the protection of their personal information. 

Where consent is sought, such consent must be a “voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information” (see POPIA, s. 1). The responsible party bears the burden of proof for consent and consent may be withdrawn at any time. 

Subject to any applicable codes of conduct that may be in force in a particular sector, only certain types of processing are subject to the requirement of prior authorisation from the Regulator, namely where the responsible party plans to –

• process any unique identifiers of data subjects (i) for a purpose other than the one for which the identifier was specifically intended at collection; and (ii) with the aim of linking the information together with information processed by other responsible parties;
• process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
• process information for the purposes of credit reporting; or
• transfer special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72 of POPIA.

The Regulator may require other types of information processing to be subject to the requirement of prior authorisation.

Where authorisation is required, it needs to be obtained only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorized (see POPIA, s. 57).  

Yes, cross-border data transfers are regulated under POPIA. Personal information may only be transferred outside South Africa if:

• The recipient is subject to a law, binding corporate rules, or a binding agreement providing an adequate level of protection;
• The data subject consents to the transfer;
• The transfer is necessary for contract performance or the implementation of pre-contractual measures taken in response to the data subject’s request;
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
• The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent, but if it were reasonably practicable to obtain such consent, the data subject would likely give it (see POPIA, s. 72).

Data incidents or breaches are referred to under POPIA as ‘security compromises’. A security compromise arises where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person (see POPIA, s. 22(1)).

Yes. The responsible party must notify the Regulator and the data subject (where the identity of the data subject is known) “as soon as reasonably possible” after becoming aware of a security compromise. The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned. The notification to data subjects must be in writing and communicated in one of the prescribed ways and must include sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, as prescribed.

The Information Regulator of South Africa, an independent authority established under section 39 of POPIA, is the primary regulatory body. 

Where a data breach has been reported, this may lead the Regulator to conduct an assessment into the responsible party’s compliance with POPIA. Where the Regulator finds that the responsible party has failed to comply with any requirements of POPIA, including, for example, requirements relating to security measures, it may issue an enforcement notice. Non-compliance with an enforcement notice is an offence and may result in an administrative fine (of up to R10 million) or imprisonment. 

A data breach may also lead to civil liability for damages and often results in serious reputational harm for the responsible party.  

Direct marketing by means of unsolicited electronic communications is prohibited unless the data subject has consented or is an existing customer of the responsible party, subject to strict conditions (see POPIA, s. 69). Where consent is sought, the responsible party may only approach a data subject once to request consent.

Yes. Sector-specific laws or regulations may impose additional requirements; for example, there are specific requirements relating to security measures that apply in the financial services industry. 
In such circumstances, POPIA prevails unless other legislation provides more extensive protection. 

POPIA also makes provision for codes of conduct that may apply to any specified industry or industries. A code of conduct must incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating. Currently, there are codes of conduct in force for the Credit Bureau Association and for the Banking Association of South Africa. 

Every public and private body must appoint an “information officer”. The information officer must be registered with the Regulator before taking up duties. Deputy information officers may also be appointed.

Responsible parties must maintain documentation of all processing operations in line with the Promotion of Access to Information Act. Information officers must also ensure that a compliance framework is developed, implemented, monitored, and maintained and continually improved.

The Regulations under POPIA require the information officer to ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. No detail is provided regarding the form or frequency of such assessments. 

Responsible parties are entitled to make use of operators (commonly known in other jurisdictions as ‘data processors’), defined as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. Operators must process personal information only with the knowledge or authorisation of the responsible party and must treat such information as confidential (see POPIA, s. 20). 

Written contracts must be concluded with operators to ensure that operators implement appropriate security measures. Further, the operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Where a data subject believes that there has been non-compliance with any of the conditions for lawful processing as set out in POPIA, the data subject is entitled to lay a complaint with the Regulator. Upon receipt of a complaint, the Regulator has a number of options, including conducting an investigation. The Regulator may also conduct an investigation on its own initiative where it believes there has been non-compliance with POPIA.  Another avenue available to the Regulator is to conduct an assessment (see further below). 

Following an investigation, the Regulator may refer the matter to the enforcement committee for a recommendation on any actions that should be taken against a responsible party. This may result in an enforcement notice being issued to the responsible party where the Regulator is satisfied that a responsible party has interfered with or is interfering with the protection of personal information of a data subject. A report that is prepared following an assessment has the same legal effect as an enforcement notice.

Non-compliance with an enforcement notice is an offence. There are also a number of other prescribed offences in POPIA, such as knowingly making a false statement or unlawful acts relating to the processing of a data subject’s account number. Where a responsible party is alleged to have committed an offence, the Regulator may deliver an infringement notice which includes, among other things, the amount of an administrative fine that can be paid by the responsible party (up to a maximum of R10 million). A responsible party may then elect to pay the fine, or to be tried in court, in which case they may face criminal liability, including a fine or imprisonment, or both, if found guilty of the offence.  

Information officers must ensure that their organisation’s compliance framework is monitored, maintained and continually improved and that all their processing activities continue to comply with the requirements of POPIA.

While a responsible party is not explicitly required to audit its processing activities, POPIA makes provision for the Regulator to conduct assessments, either on its own initiative or at the request of or on behalf of the responsible party, data subject or any other person, to determine whether an instance of processing of personal information complies with the provisions of POPIA. The Regulator has been conducting a number of assessments in recent years.   

The Regulations Relating to the Protection of Personal Information, 2018, were recently updated in April 2025. The amendments to the Regulations include, among other things, expanded channels for data subjects to assert their rights, broader eligibility for complainants, a more streamlined process for complaint submission, and tighter consent requirements for direct marketing. These amendments follow a guidance note that was issued by the Regulator at the end of 2024 relating to direct marketing. 

The chairperson of the Regulator has also recently expressed the view that the current enforcement mechanisms under POPIA, including the fact that responsible parties are given a ‘grace period’ to comply before a fine is imposed, are not fit for purpose. She indicated that the Regulator will be approaching Parliament to amend the provisions of POPIA in this regard, so that they are more aligned with the practice under the European GDPR, where the regulator can impose a sanction immediately upon non-compliance. We have, however, not yet seen any draft amendment bills come before Parliament.