Frequently Asked Questions about the PoPI Act2021-05-26T19:47:12+02:00


Do you have a question about the PoPI Act?

We’ve compiled a list of the most frequently asked questions we’ve encountered in our years of experience in PoPI Act implementations. If you can’t find the answer you are looking for, please contact our PoPIA team directly. One of our privacy experts will get in touch with you soon.

What is the PoPI Act2021-01-04T08:19:00+02:00

The Protection of Personal Information Act, Act No.4 of 2013. 

What is the purpose of the PoPI Act?2021-01-04T08:20:54+02:00

The purpose is to regulate the processing of Personal Information. It is aimed to encourage the flow of information in a secure and responsible manner. The spirit of the Act is to ensure that organisations that hold and process personal information do so carefully and with respect for the rights and interests of the people to whom it pertains. 

Who does the PoPI Act apply to?2021-01-04T08:21:08+02:00
  • Public and Private Sector 
  • Natural and Juristic persons (meaning registered companies and organisations) 
  • Paper and electronic records 
What is considered personal information (“PI”)?2021-01-04T08:21:24+02:00

PI is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing, juristic person. Therefore, any information about an identifiable human being or an identifiable company. 

Examples of PI include:  

 Race, Gender, Sex, Marital Status, Nationality, Sexual Orientation, Age, Physical or Mental Health, Disability, Religion, Language, Education, Medical, Financial, Employment, ID, Email, Address, Telephone Number, Location information, Blood Type, Biometric Information, Personal Opinions, Preferences, Private or Confidential Correspondence, Views or Opinions of another person 

Why did the PoPI Act come into effect?2021-01-04T08:21:39+02:00

In the rapid evolving technology and information age, it is becoming more difficult to protect the privacy of information, as it becomes increasingly more vulnerable to new threats that keep emerging. Worldwide data protection (e.g General Data Protection Regulation or GDPR of Europe) is becoming more recognised as a fundamental business practice which cannot be ignored. Failure to do so could have fatal consequences for our brand and reputation. 

By when do we have to comply to the PoPI Act?2021-01-04T08:21:52+02:00

The the bulk of the PoPI Act went into effect on 1 July 2020. The Information Regulator has granted a grace period of 12 months for organisations to become compliant. This means everybody must be compliant by 1 July 2021, or else face prosecution form the Information Regulator when the final clauses of the Act comes into effect.  

What is the definition of the Responsible Party?2021-01-04T08:22:01+02:00

A person or company who collects, processes, stores and uses personal information. 

Who is the Operator?2021-01-04T08:22:09+02:00

A person or company who processes personal information on behalf of the responsible party. 

What laws are linked to the PoPI Act?2021-01-04T08:22:25+02:00

There are various other laws that also protect personal information. The key ones are: 

  • Consumer Protection Act (CPA) 
  • National Credit Act (NCA) 
  • Regulation of Interception of Communications Act (RICA)  Promotion of Access to Information Act (PAIA) 
  • Electronic Communication Act 
  • Cybercrime Bill 
  • your Constitutional Right to Privacy as defined in the Bill of Rights 
Who is the Data Subject?2021-01-04T08:22:33+02:00

A person who provides information about himself/herself. These can be individuals or businesses. 

How much information about a person can I collect, process and use?2021-01-04T08:22:59+02:00

As stated in the condition of processing limitation, the PoPI Act requires you to apply the principle of minimality and only collect PI that you absolutely need to be able to service a customer, staff member or third party. Since the PoPI Act also requires that you specify the reasons for the collection of PI, if you don’t have a valid reason for why you need certain personal information, you shouldn’t be collecting it. 

What is the role of the Information Officer?2021-01-04T08:23:08+02:00

The Information Officer is responsible for ensuring that the organisation complies with PAIA and the PoPI Act. They must be registered with the Information Regulator. 

Why must I worry about personal information leaving South Africa?2021-01-04T08:23:18+02:00

Not all countries have adequate data protection or privacy legislation. Transferring personal information to such countries without taking appropriate measures will render the transfer illegal. It is important to have a contract in place with the other party where they agree to abide by the PoPI Act. 

Can I transfer personal information into and out of South Africa?2020-10-13T10:25:42+02:00

You may, when the recipient in the other country is subject to a law, binding corporate rules or agreements that provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject in South Africa. If the other country does not have such rules in place, you can copy the PoPI Act stipulations into the contract agreement and ensure the other third party complies with it. 

What does “consent” mean?2021-01-04T08:23:31+02:00

Consent means any voluntary, specific and informed expression of will in terms of which a data subject agrees to the processing of personal information relating to him or her or it. 

What is “processing”?2021-01-04T08:23:37+02:00

Processing means any operation or activity, whether or not by automatic means, concerning personal information including: 


Collection, Receipt, Recording, Organisation, Collation, Storage, Updating, Modification, Retrieval, Alteration  


Transmission, Distribution, Making available  


Merging, Linking, Restriction, Erasure, Destruction 

What are common examples of breach of the PoPI Act?2021-01-04T08:23:49+02:00
  • Loss of personal information due to inadequate security safeguards 
  • Collecting personal information without having obtained the necessary consent 
  • Sending personal information to people who are not supposed to have it  
  • Breach of security safeguards (network with personal information is hacked) 
  • Not complying with an enforcement notice issued by the Information Regulator  
  • Processing special personal information without there being a necessity 
What can I not do with personal information?2021-01-04T08:24:00+02:00

Use it for any purpose other than the purpose for which it was authorised.  

Who can I send personal information to?2021-01-04T08:24:12+02:00

Only people and organisations authorised by the data subject or those people and organisations allowed under the PoPI Act. Once you have established justification for forwarding the PI you must ensure that those people or organisations also comply with the PoPI Act and have appropriate security safeguards.

What are the PoPI Act conditions of protecting personal information?2021-01-04T08:24:27+02:00

There are eight (8) conditions and four (4) special conditions. The eight conditions are AccountabilityProcessing LimitationPurpose SpecificationFurther Processing LimitationInformation QualityOpennessSecurity Safeguards and Data Subject Participation 

 The four special conditions are Secure Cross Border FlowPermission for Direct MarketingSecure Special Personal Information and Automatic Decision Making. 

Can I keep personal information for longer than the legally prescribed period?2021-01-04T08:24:41+02:00

Your Records Retention Policy will inform retention periods for all types of PI you collect from your data subjects. If there is a valid business reason as to why you should keep the information beyond the prescribed retention periods, you can do so, provided that you have informed the Regulator and the Data Subject of the intention and purpose

When am I exempt from following the prescripts of the PoPI Act?2021-01-04T08:24:54+02:00

Where certain permissions were obtained from the Information Regulator. Certain laws may trump certain PoPI Act rules, for example data subject requests in the insurance industry where the only information available on a person is that they are a beneficiary on a person’s policy. In this instance, the Insurance Act forbids that a company disclose to a person if they are a beneficiary on someone’s policy. There may be other scenarios that emerge that could justify certain exemptions to the PoPI Act (these may typically be fraud-related issues where disclosing to data subjects the use of their information for investigations could be detrimental to the case). 

How should we get consent?2021-01-04T08:25:04+02:00
  • A person must have a choice whether to consent or not (it must be voluntary) 
  • The consent must relate to a specific purpose and you must specify your purpose. 
  • You must notify the data subject of various things as set out in section 18 of the PoPI Act. 
  • You must inform the person sufficiently to enable them to make a decision.
  • The person must express their will in some form.  
Who can have access to personal information?2021-01-04T08:25:20+02:00

Authorised people using the specific personal information for its intended purpose. 

How does the PoPI Act apply to company information?2021-01-04T08:25:31+02:00

A juristic person (non-natural) is regarded as an entity covered by the PoPI Act. Therefore, organisations also have personal information and special personal information as defined by the Act. 

What happens if we don’t comply to the PoPI Act?2021-01-04T08:25:43+02:00

There are significant consequences for non-compliance, including up to R10 million in fines per offence and/or up to 10 years in prison per offence 

How long must I retain Personal Information?2021-01-04T08:25:52+02:00

This must be defined in the Records Retention Policy on how long you retain PI and other confidential information for all data subjects. Only for as long as to fulfil the intended purpose for which the information was collected or processed. Keep in mind other legislative requirements. 

I hear a lot of talk about changing behaviour. Why is it so important?2021-01-04T08:26:05+02:00

The challenge and success of becoming PoPI Act compliant will depend largely on people’s adoption of various data protection practices. If you don’t bring your people on board, you will fail to achieve the desired behaviours you are trying to achieve (i.e. people taking personal accountability for protecting personal information). 

Am I responsible for the security of documents that I store at a storage company?2021-01-04T08:26:21+02:00

Absolutely. You have the responsibility to ensure that we have a contract in place with your storage vendor to ensure that they have the appropriate controls in place to ensure all physical documents stored on their premises will be safeguarded and protected. 

What do I have to do to be a lawful processor of personal information?2021-01-04T08:26:32+02:00

You must be registered with the Informational Regulator as a lawful processing entity.

Is anyone exempt from complying with the PoPI Act?2021-01-04T08:26:45+02:00

No, although there are all sorts of exemptions in the Act for specific scenarios and everyone must be aware of what they are as they need to comply with certain criteria to then be able to invoke the exemption. 

Can the PoPI Act be compared to the Secrecy Bill?2021-01-04T08:27:43+02:00

No as they are designed for two very different reasons. The Secrecy Bill is not actually a wellfavoured piece of legislation as it is designed to classify certain pieces of data as “secret” which then means there is the concern that bodies with a vested interest can declare the detail “secret” and then conduct their activities in “secret” without being obliged to inform Joe Public. They are expressly protected by making it a crime if the data or information is divulged. The PoPI Act is the opposite as it protects our right to privacy and puts the accountability on the responsible parties to ensure they apply practical and reasonable measures to protect data subjects’ information from being comprised. 

Does the PoPI Act put an end to Direct Marketing?2021-01-04T08:27:57+02:00

No. The PoPI Act is not going to put an end to direct marketing. Direct marketing happens all over the world in many countries that have had data protection laws for decades. Direct marketing is a legitimate interest that organisations can pursue to find new customers. The big change or implication of the PoPI Act is that in future direct electronic marketing to prospects will be on an opt-in basis. 

Can we email or SMS someone to sell them something?2021-01-04T08:28:14+02:00

Yes, you can. The PoPI Act will have a big impact on email and SMS marketing. You can currently email market on an opt-out basis. This means you can send anyone emails until the person asks you to stop. Under the PoPI Act, you will only be able to direct market on an opt-in basis – you can email someone only once to get their consent to send them more emails. 

Can I store job applicants’ CVs indefinitely, even after their application have failed?2021-01-04T08:29:09+02:00

No, unless you have obtained their specific consent for this.

Can I keep personal information about employees that have left our employment?2021-01-04T08:28:58+02:00

You are required by certain laws to keep records of staff (even when they leave) for certain periods of time. Beyond this retention period, you should dispose of the information. The retention period for employees that have left the organisation should be defined in the Records Retention Policy. 

Can employees keep customer information on desktops?2021-01-04T08:29:21+02:00

For the purposes on Business as Usual (BAU) and BAU only, with respect to the PoPI Act, employees may keep electronic records on their desktops and hard copies on their desks. The Record Retention Policy will shed more light on the retention of information held on desktops and local drives. 

Can employees exchange customers’ personal details?2021-01-04T08:29:34+02:00

Yes and no. It depends on the context of the situation. If it is business-related, i.e. for the intention of servicing the customer (e.g. resolving a query or complaint) then yes, it is normal that a customer’s information would need to be shared across departments to get an issue resolved. If the employee is sharing customer’s information with a friend or relative to assist their business in finding customers or for example is sending a customer list to a competitor, then no that is strictly forbidden. 

What’s in it for me?2021-01-04T08:29:43+02:00

Your privacy is protected. 

How does the PoPI Act apply to supplier information?2021-01-04T08:30:01+02:00

As the responsible partyyou share certain personal information with suppliers that you interact with. It is important to have formal thirdparty agreements with all your suppliers, especially the ones that make use of your data subject’s personal information to provide services on your behalf. This contract between you and your supplier prescribes the privacy and requirements that you can hold your suppliers accountable to with regards to the processing of personal information. 

Will I be held liable if I get a third party to process personal information on my behalf?2021-01-04T08:30:15+02:00

Yes, if a third party or supplier breaches any of your customer, employee or other suppliers information, you will still remain accountable and liable to the data subject. You can be found to be in breach of the PoPI Act and will be liable for the penalties.

If we are ISO 9000 – 2001 compliant, does that mean we’re PoPI Act compliant?2021-01-04T08:30:42+02:00

No. ISO 9000 – 2001 is an international standard and the PoPI Act is legislation. Being ISO 9000 – 2001 compliant will certainly assist you in meeting security compliance. You can have security without privacy, but you can’t have privacy without security. There are specific privacy requirements as laid down in the principles of the PoPI Act that you as an organisation needs to comply to, to become PoPI Act compliant.

What happens when a third party breaches the PoPI Act?2021-01-04T08:30:56+02:00

A third party is held to be Operator in terms of the Act. That means they are still responsible for what happens by way of the contract they would have concluded with you before they started to act on your behalf. Your Head of Privacy will then have to deal with the breach according to your Incident and Breach Management procedures.

Do cloud solutions have to be PoPI Act compliant?2021-01-04T08:31:02+02:00

Absolutely. There is a vast array of concerns. While in transit, the PI must be protected (encrypted, de-identified if possible). The cloud environment, if in another country, must provide the same if not more protection as is required in South Africa.

Do cross-border cloud solutions have to be compliant?2021-01-04T08:45:22+02:00

Absolutely. If your cloud service is based in another country, it is your responsibility to ensure that the contracted provider, meet certain privacy requirements. You should also ensure that, if you enter into a relationship with them, they will uphold the same principles as prescribed in the PoPI Act.


Go to Top