Data privacy laws in South Africa

July 1st, 2021

By Peter Desmond

In this information age, customer data is an important resource for any organisation. Due to the sensitive nature of personal information, organisations are required to take measures to ensure the data entrusted to them is safe from breaches or exposure to unauthorised parties. In South Africa (SA), the Protection of Personal Information Act 4 of 2013 (POPIA) offers the regulations and guidelines surrounding the collection and processing of personal information.

Initially, the right to data privacy and protection was covered under s 14 of the Constitution and common law. In both instances, the right to privacy was limited, and it was fairly difficult to prove infringement. Established under the European Union (EU) directive, POPIA was enacted to provide clear guidelines that organisations are required to follow, making it easier to prove non-compliance.

POPIA applies to all organisations and businesses collecting and processing of personal information of South African customers. This article discusses the main principles of POPIA that businesses are required to follow to ensure compliance and how these apply across borders.


In recognition of the right of privacy enshrined in the Constitution, POPIA provides the mandatory mechanisms and procedures for handling and processing personal information in SA. Since the Act was formulated under the EU directive, it is similar to the General Data Protection Regulation (GDPR), lubricating the cross-border handling and processing of personal information between the EU and SA.

POPIA provides eight main principles to govern the processing of personal information regarding direct marketing, automated decision making, and how the cross-border flow of data is regulated.

The eight principles of POPIA

1. Lawful collection: The collection of personal information should be done in a manner that is lawful and fair to the subject.

2. Limited use: The information collected should only be used for the purpose for which it was originally intended, and for which the subject has given consent.

3. Limited processing: Further processing of personal information is limited by POPIA. Processing more information than that which the data subject agreed to is thereby prohibited.

4. Information quality: It is the responsibility of the party collecting information to ensure it is of quality by taking steps to ensure the data they get is not misleading, complete, accurate, and up to date.

5. Transparency: There should be openness where the processing of personal information is involved. As such, both the Information Regulator and the data subject should be aware – and agree – to the collection of the data.

6. Security: The party collecting the information should take measures to prevent the loss, destruction, damage, and unauthorised access or processing of the data. To prevent data from falling into unauthorised hands, organisations should embrace information technology asset disposition (ITAD) as part of their data security measures. The ITAD protocols set in place are aimed at ensuring that organisations protect their information technology assets to prevent the breach or exposure of personal information and to ensure regulatory compliance.

7. Participation: The data subject should have a way of accessing the data stored on them and be able to correct the information if need be.

8. Compliance with regulation: It is the responsibility of the party processing personal information to take measures to ensure their activities comply with the principles of POPIA.

Data flow and privacy across borders

POPIA limits the transfer of information across borders to prevent organisations from circumventing the set data protection legislation. The cross-border transfer of data is only permitted if the recipient country is governed by data regulation similar to the POPIA principles.

If the recipient country is not subject to such regulations, a contractual relationship can be drafted, laying down the duties of the recipient party as required by the POPIA principles. The organisation wishing to transfer the data across the border should also obtain the consent of the data subject.

Data privacy offences and penalties in SA

There are not a lot of penalties and offenses listed in POPIA. The two major offenses are:

  • Obstructing or preventing the Information Regulator – the South African supervisory authority – from performing its duties and obligation as outlined in Part A of Chapter 5 of POPIA.
  • Failing to protect the account number of a data subject.

If convicted of the offenses above, the person will face a fine or an imprisonment period of no more than ten years, or both a jail term and a fine.

It is an international consensus that the collection, processing, and use of personal information should be regulated by a governing body. The presence of uniform regulations for the handling of personal information will not only protect individuals and organisations from costly breaches, but also makes it easier for international trade since information privacy concerns can be a major barrier to cross-border trade.

Peter Desmond MSc in Market Research (National University of Ireland Cork) is a Digital Content and Marketing Specialist at Wisetek in Cork.

This article was first published in De Rebus in 2021 (July) DR 10.