What is POPIA?

POPIA is the acronym for the Protection of Personal Information Act, 4 of 2013. It finally came in to effect, finally on 1 July 2021.

What is POPIA?

POPIA is the acronym for the Protection of Personal Information Act, 4 of 2013. It finally came in to effect, finally on 1 July 2021.

Why does it matter?

Every organization, who processes personal information, within South Africa is required to be POPIA compliant, regardless of its size or nature.

What is personal information and what is processing?

Personal information relates to any information which relates to a natural or juristic person who is living or identifiable, where ever they are located.

The definition of “processing” refers to any act which touches the personal information of a data subject, which is conducted with in South Africa, save for the mere passing through of personal information and certain defined exceptions. The exceptions are:

  • Personal or household activity;
  • Data that has been de-identified to the extent that it cannot be re-identified again;
  • Processing Personal Information by or on behalf of a public body—
    • which involves national security;
    • for the purpose of prevention, detection, and assistance in the identification of the proceeds of unlawful activities;
  • By the Cabinet and its committees or the Executive Council of a province;
  • Judicial functions of a court; or
  • Terrorist and related activities.
What are the sanctions for non-compliance?

Sanctions for non-compliance, may include, a fine not exceeding R10 million and imprisonment of not more than ten years, which would be imposed by the relevant authorities. However, non-compliance could also result in civil liability and reputational damage for organisations. It is a serious threat in the data driven society that we live in.

What should we do if we havent started or did a quick copy and paste job of a privacy policy?

Let us help you to establish your needs, as not everyone has the same requirements. From there we can agree a plan with you to get you where you need to be in terms of data protection compliance. You can complete our short two minute questionnaire here and we will get back to you or contact us directly.


What does GDPR stand for?

General Data Protection Regulation.

What does GDPR stand for?

General Data Protection Regulation.

What is the purpose of the GDPR?

It was enacted by the EU in order to ensure that organizations (located not only in Europe, but anywhere in the world) that process the data of EU state citizens and residents comply with a strict set of data privacy rules. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period and therefore, UK citizens and residents are provided the same protection over the processing of their data as their EU counterparts.

How is ‘personal data’ defined in the GDPR?

GDPR defines personal data as any data that relates to, identifies, describes, or could be associated with a person (the ‘data subject’) and includes the following: a person’s name, his/her ID number, a customer code created by the company that processes the data, online information such as IP addresses and/or cookies, GPS or other map data, and any reference to a person’s biographical information such as their race, sexuality, philosophical beliefs or religion, economic background etc.

Would South African companies be expected to comply with both POPI and the GDPR?

Yes. If a company that is based in South Africa processes the data of EU/UK citizens and residents, it would be expected to comply with both the local legislation (POPI) as well as the GDPR. It is therefore very important that companies are aware of what both sets of legislation require from them.

How much time does the GDPR afford a company to notify all affected data subjects of a data breach?

72 hours from the moment the company becomes aware of the data breach.

What are the consequences of non-compliance?

The GDPR accounts for hefty fines for non-compliance (up to 4% of the company’s worldwide total annual turnover – capped at €20 million).


What does PAIA stand for?

The Promotion of Access to Information Act No. 2 of 2000.

What is the purpose of PAIA?

PAIA refers to Section 32 of the Constitution, which stipulates that everyone has the right to access information that is held by the State, as well as information held by another person (or private body), when such privately-held information is required for the exercise and protection of one’s human rights.

Which organizations are required to compile a PAIA manual?

All public companies, and any private companies that do business in any of the specified industries or sectors and have 50 or more employees, are required to compile a PAIA manual (unless they have been exempted by the Minister of Justice and Correctional Services).

What information must be included in the PAIA manual?

The manual must contain the following information:

  • the postal and street address, phone and fax number, and e-mail address of the head of the body
  • a description of, and how to obtain access to, a guide on how to use the Act to get information from bodies
  • what records are available to an interested party without having to request access in terms of PAIA
  • a description of the records of the body, which are available in accordance with any other legislation
  • how to request records from the body in terms of the Act
  • other information as may be prescribed by the Minister
    Does POPI require a company to add additional informational into its PAIA manual?

    Yes. POPI requires a responsible party to maintain a record of all the company’s processing operations (or activities or functions) under its responsibility in a PAIA manual.

    What is the deadline for compiling my company’s PAIA manual?

    The Minister has extended the PAIA manual exemption period until 30 June 2021; so if your organisation is not exempt from having a PAIA manual, your PAIA manual would be expected to be published by such time.

    What are the consequences of non-compliance?

    A head of a private body who wilfully or in a grossly negligent manner fails to comply with the PAIA provisions commits an offence and is liable on conviction to a fine, or to imprisonment for a period of up to two years.

    Privacy Policies, Cookies and T’s & C’s

    What is a Privacy Policy and why must I include one on my website?

    A Privacy Policy is a policy that is required to appear on a company’s website and that must be drafted in such a way as to make the following clear to a data subject browsing the website:
    ●   what personal data is collected
    ●   why and how the private data is being stored and processed
    ●   what the legal basis for that data usage is
    ●   if the data is being shared with third parties and if so, who they are

    Privacy Policies are legally required in terms of various legislations enacted throughout the world in circumstances where organizations process personal information from individuals.

    What is a Cookie?

    HTTP cookies, or internet cookies, are built specifically for internet web browsers to track, personalize, and save information about each user’s session. Cookies are created to identify you when you visit a new website.

    Does POPIA apply to the personal information collected by Cookies?


    Is a Cookie Policy required?

    Yes. If a responsible party uses cookies for the purpose of direct marketing and the data subject is not a customer of the responsible party, the responsible party must obtain the data subject’s consent. It would be problematic for any website owner to obtain the consent of each and every visitor to its website and thus, for POPI compliance and practicality purposes, this necessitates a cookie notice and policy.

    Even if the purpose behind the collection of personal data is not direct marketing, a cookie notice and policy is still important, considering that a cookie collects personal information and therefore, a responsible party must take reasonably practicable steps to ensure that the data subject is aware of the collection.

      Is prior consent required?

      Cookies are not often used “for a purpose other than the one for which the identifier was specifically intended at collection” and therefore, a responsible party is not required to obtain prior authorisation to use cookies.

      Why is it important to have your Terms and Conditions (Ts&Cs) on your website?

      It is a legal requirement in terms of section 43(1) of the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”) to place your company’s Ts&Cs on the company’s website.

      In addition to being legally mandated by ECTA to do so, it is important to have your Ts&Cs on your company’s website for the following reasons:

      • the Ts&Cs act as a legally binding contract between the company and website users, and set the rules and guidelines that users must agree to and follow in order to use and access the website and/or mobile app;
      • the Ts&Cs can inform website users that all intellectual property in the form of logos, taglines, photos etc. included on the website are the property of the company;
      • the Ts&Cs can limit the company’s liability in situations where errors are found in the content that is presented on the website; and
      • the Ts&Cs set the jurisdiction and thus the law that would govern any disputes.