South Africa Protection of Personal Information Act (POPIA)

South Africa Protection of Personal Information Act (POPIA)  - Mandatly Inc.

South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020, and enforcement began on July 1, 2021. South Africa’s POPIA is one of the major data privacy laws in the world to be modeled closely after the EU’s GDPR.

The purpose of this Act is to give effect to the constitutional right to privacy, regulate the manner in which personal information may be processed and provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.

Important Definitions Under POPIA(Section 1)

  1. Personal information

    Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person.

  2. Consent

    Consent means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.

  3. Data Subject

    Data Subject means the person to whom personal information relates.

  4. Processing

    Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

    • The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    • Dissemination by means of transmission, distribution or making available in any other form; or
    • Merging, linking, as well as restriction, degradation, erasure or destruction of information.

POPIA Applicability (Section 3)

  1. This Act applies to the processing of personal information
    • Entered in a record by or for a responsible party by making use of automated or non-automated means, and
    • Where the responsible party is
      • Domiciled in the Republic; or
      • Not domiciled in the Republic but makes use of automated or non-automated means in the Republic unless those means are used only to forward personal information through the Republic.

Rights of Data Subject Under POPIA

  1. Right to be notified (Section 18)

    The responsible party has to notify the data subjects about the personal information about him, her or it is being collected or his, her or its personal information has been accessed or acquired by an unauthorized person.

  2. Right to access (Section 23)

    A data subject, having provided adequate proof of identity, has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject.

  3. Right to deletion (Section 24)

    A Data Subject can request the responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

  4. Right to objection (Section 11)

    Data Subject has the right to object, on reasonable grounds relating to his, her or its situation to the processing of his, her or its personal information.

  5. Right to Complaint (Section 74)

    Right to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data. A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.

  6. Right to Civil Action (Section 99)

    A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act.

Information Officer (Section 55)

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of

  1. Such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
  2. Any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Enforcement (Section 107)

Serious POPIA Offences

The responsible party will be liable to fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment, if you have committed the following offences:

  • Obstruct the regulator (section 100)
  • Fail to comply with an enforcement notice (section 103(1))
  • Give false evidence before the regulator under oath (section 104(2))
  • Fail to comply with the conditions when processing account numbers (section 105(1))
  • Knowingly or recklessly obtain or disclose an account number (section 106(1))
  • Sell (or offer to sell) an account number (section 106(3) and (4))

Minor POPIA Offences

The responsible party will be liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment, if you have committed the following offences:

  • Fail to get prior authorisation from the regulator if you need to (section 59)
  • If a person acting for (or under the direction of) the regulator does not keep personal information confidential (section 101)
  • Obstruct a person executing a warrant or fail to give assistance to the person (section 102)
  • Make a statement knowing it to be false (or recklessly) (section 103(2))
  • Fail to give evidence when summonsed to do so by the regulator (section 104(1))

Conclusion

With close alignment to EU General Data Protection Regulation, POPIA ensures that South African citizens’ data privacy rights are protected thoroughly, paving the way for an EU adequacy decision, allowing privacy-sensitive information to be transferred safely between the EU and South Africa.

POPIA (South Africa’s data protection law) came into force about eight years after it was enacted in 2013. POPIA is now well positioned to influence privacy legislation in Africa and around the globe as a well-established privacy law.

Mandatly Privacy Management - Mandatly Inc.

Related Blogs

Cookie Consent Solutions for GDPR & CCPA Compliance20240708043627

Cookie Consent Solutions for GDPR & CCPA Compliance

The Role of Cookie Consent Solutions in GDPR and CCPA ComplianceIn today's digital landscape, data privacy regulations like t...
GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy20240524035956

GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy

GDPR Compliance Made Easy: Tips for Updating Your Privacy PolicyIntroductionIn an era where data privacy is paramount, ensuri...
Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies20240513042210

Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies

Navigating GDPR Compliance: A Comprehensive Guide to Cookie PoliciesIn an era marked by increasing concerns over data privacy...
Data Mapping Requirement for CPRA & CCPA Compliance20240501045009

Data Mapping Requirement for CPRA & CCPA Compliance

Data Mapping Requirement for CPRA & CCPA ComplianceWhat are the CPRA Data Mapping Requirements?The California Consumer Pr...
The Role of Employee Training in GDPR Compliance and Data Security20240205100131

The Role of Employee Training in GDPR Compliance and Data Security

The Role of Employee Training in GDPR Compliance and Data SecurityOverview: GDPR Training For EmployeesIn today's rapidly evo...
Explore the Link Between Cybersecurity and GDPR Compliance20240201044003

Explore the Link Between Cybersecurity and GDPR Compliance

The Intersection of GDPR & CybersecurityWhat is GDPR?Enforced since May 2018, GDPR is a comprehensive set of regulations ...
International Data Transfers: Understanding Legal Frameworks20240125043450

International Data Transfers: Understanding Legal Frameworks

Cross Border Data Transfer & Legal FrameworkA Legal Framework For Data ProtectionBefore delving into the legal mechanisms...
EU-U.S. Data Privacy & GDPR: A Symbiotic Bond20240110045117

EU-U.S. Data Privacy & GDPR: A Symbiotic Bond

The GDPR and the EU-US Data Privacy Framework: A Symbiotic RelationshipEU-US Data Privacy Shield FrameworkThe EU US Data Priv...
PIA Software: Streamlining Privacy Impact Assessments20231229045248

PIA Software: Streamlining Privacy Impact Assessments

Conducting Privacy Impact Assessments with PIA Software: Benefits and Best PracticesAbout Privacy Impact AnalysisIn today's d...
Getting Started with Privacy Impact Assessment (PIA) Software20231221064257

Getting Started with Privacy Impact Assessment (PIA) Software

Getting Started with PIA Software: Step-by-Step Implementation GuideIntroductionPrivacy Impact Assessment (PIA) software has ...
LGPD Compliance: Checklist & Best Practices20231109071852

LGPD Compliance: Checklist & Best Practices

Preparing for LGPD: Compliance Checklist and Best PracticesOverview Of LGPDThe LGPD, or Brazil's General Data Protection Law,...
Brazilian Data Protection Law (LGPD)20231030043222

Brazilian Data Protection Law (LGPD)

Data Subject Rights Under LGPD Access, Rectification, and ErasureIntroductionThe LGPD, or the Brazilian General Data Protecti...
Brazils’ LGPD Compliance Guide You Must Read20231025062215

Brazils’ LGPD Compliance Guide You Must Read

Everything You Need to Know About Brazil LGPD: Penalty For Non-Compliance of LGPDWhat is Brazil’s LGPD?The LGPD, or Lei Geral...
Key GDPR Compliance Privacy Software Features20230906043009

Key GDPR Compliance Privacy Software Features

5 Key Features to Look for in Privacy Management Software for GDPR ComplianceAbout The Features Of GDPR Management Compliance...
Virginia Consumer Data Protection Act – All about CDPA20230104044820

Virginia Consumer Data Protection Act – All about CDPA

Virginia Consumer Data Protection Act – All about CDPAWhat is VCPDA?The Virginia Consumer Data Protection Act CDPA is a...
Difference between CDPA, CCPA, CPRA and CPA20210722111718

Difference between CDPA, CCPA, CPRA and CPA

Difference between CDPA, CCPA, CPRA and CPAUnderstanding CDPA, CPA, CCPA & CPRAOn March 2, 2021, Governor Ralph Northam s...
Colorado Privacy Act (CPA)20210713052349

Colorado Privacy Act (CPA)

Colorado Privacy Act (CPA)Colorado is officially the third U.S state to adopt privacy legislation, after California and Virgi...
CDPA, CCPA and CPRA : Key Difference & Similarities20210705113837

CDPA, CCPA and CPRA : Key Difference & Similarities

CDPA, CCPA and CPRA : Key DifferencesAll About California’s CDPA, CPRA VS CCPAOn March 2, 2021, Governor Ralph Northam signed...