Data & Privacy · South Africa

Comprehensive law: Protection of Personal Information Act 4 of 2013 (POPIA), enforced by the Information Regulator (South Africa)

South Africa has a comprehensive, GDPR-style data-protection law: the Protection of Personal Information Act 4 of 2013 (POPIA), whose substantive provisions commenced on 1 July 2020 with a one-year grace period ending 30 June 2021, making compliance enforceable from 1 July 2021. POPIA is administered by an independent Information Regulator, which also oversees the Promotion of Access to Information Act (PAIA) and has begun active enforcement, issuing infringement and enforcement notices.

Comprehensive statute

POPIA (Act 4 of 2013) is an omnibus data-protection law applying to public and private 'responsible parties' processing personal information; key sections commenced 1 July 2020 and full compliance was required by 1 July 2021.

Supervisory authority

The Information Regulator, an independent body established under section 39 of POPIA (operational from December 2016), monitors and enforces both POPIA and PAIA across public and private bodies.

Eight processing conditions

Lawful processing rests on eight conditions: accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards, and data-subject participation.

Data-subject rights & obligations

Data subjects have rights to be notified, to access, correct or delete their data, and to object to processing/direct marketing; responsible parties must appoint and register an Information Officer (sections 55-56) and notify the Regulator and affected parties of security compromises.

Cross-border transfers

Section 72 restricts transfers of personal information outside South Africa unless the recipient is bound by adequate-protection rules (law, binding corporate rules or contract), the data subject consents, or the transfer is necessary for or benefits the data subject.

Penalties & enforcement

Non-compliance can attract administrative fines up to R10 million and/or imprisonment up to 10 years. The Regulator has issued enforcement/infringement notices including a R5m fine to the Department of Basic Education and a September 2024 enforcement notice against WhatsApp over differential privacy terms for South African vs. European users.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.