If you operate in South Africa or have customers in the country, you are subject to the Protection of Personal Information (POPI) Act. Until now, the law has not been enforced but that is likely to change in the foreseeable future.

The POPI Act broadly requires businesses to limit their use of personal data, get consent before using it, and let users withdraw their consent later on. To make sure the consent is "informed," you must publish several details, which is best done in a Privacy Policy.


Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:
  3. FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  4. Answer a few questions about your business:
  5. FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  6. Enter the country and click on the "Next Step" button:
  7. FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  8. Continue with building your Privacy Policy while answering on questions from our wizard:
  9. FreePrivacyPolicy: Privacy Policy Generator -  Answer on questions from our wizard - Step 3

  10. Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.


POPI's Background

The POPI Act was signed into law in 2013 but enforcement has, to say the least, been a slow process. This is largely because of delays in setting up a body called the Information Regulator to oversee regulation and enforcement. The body is now in place and has published some details of its specific regulations. This makes it likely that full enforcement will begin soon, meaning businesses need to be prepared to start fully complying with the law.

POPI's Scope

The POPI Act covers personal information, which means any information that relates to a specific person. The law notes that this isn't limited to a "natural person" (that is, a human being) but also a "juristic person" which means an independent legal entity such as a company.

The law gives a non-exhaustive list of examples of personal information. Some that might not seem obvious include the person's own views and opinions, and the opinions of others about the person. Any information about the person's criminal, education, employment, financial or medical history is also covered.

The law applies to any data processor that is domiciled (legally based) in South Africa. It also applies if the data processor is outside of South Africa "but makes use of automated or non-automated means in the [country]."

While some data privacy laws distinguish between the location of the data subject and the physical location of any data processing, this section of the law is widely interpreted as covering online activity where the data subject is in South Africa, even if the website's servers are outside the country. This is consistent with the law's stated intent of protecting the constitutional right to privacy of South African citizens.

Although the law does allow for some exclusions (such as national security and journalism), these generally won't apply to businesses processing personal information.

Terminology

The POPI Act defines the person or organization that decides what personal information is processed and why as the "responsible party." This is roughly equivalent to the "data controller" in the European Union's General Data Protection Regulation.

The Act refers to the person (or other legal entity) that the personal information is about as the "data subject."

POPI Requirements

POPI Requirements

The POPI Act is based around meeting eight conditions to make processing of personal information lawful. We'll run down the key points here and then cover what this means in detail for Privacy Policies later in this guide.

Accountability

In simple terms, this condition says that you must make sure to comply with all eight conditions, not only when processing personal information but when deciding what data to process and why.

Basically, accountability is important through all stages of interaction with personal information.

Processing Limitation

This condition sets out a principle of minimality, meaning only processing personal information that is relevant and only to the point needed for the stated purpose.

It also says you must get prior consent to process personal information unless doing so is a legal requirement. The burden of proof is on you to demonstrate the consent. The data subject can withdraw consent at any time.

Typically, personal information can only be collected directly from the data subject or from public records. The key exceptions (avoiding prejudicing criminal investigations) won't usually apply to businesses.

This example from TransUnion's Privacy Policy explains an exception to the consent and direct collection principles:

TransUnion Privacy Policy: Ensuring that required consent is obtained clause

Purpose Specification

You must give a specific, lawful purpose for collecting personal information. You must make the data subject aware of this reason and must only retain the personal information for as long as needed to meet this purpose.

This example from Interchange explains why it will collect and use different information depending on the purpose:

Interchange Privacy Policy: Collection of your personal information clause

Further Processing Limitation

After collecting the personal information, you can only process it in a way that's necessary for, and relevant to, the original stated purpose.

Information Quality

You must make sure the personal information is "complete, accurate, not misleading and updated where necessary."

Openness

You must keep adequate records of your personal information processing. You must make the data subject aware of a range of details about the processing, which we've detailed below in the section titled "Privacy Policy" The data subject must be able to see these details before consenting to data collection.

Security Safeguards

You must make sure data isn't lost, damaged, destroyed or accessed without authorization. Complying with this rule will involve auditing security, putting safeguards in place and then maintaining and updating those safeguards. If you use a third party to process personal information, you must make sure the third party follows this rule.

If a data breach happens, you must inform the Information Regulator and, if known, the relevant data subjects as soon as possible unless law enforcement officials ask you to delay doing so.

Data Subject Participation

Data subjects have the right to ask whether you store data about them. If so, the data subject has the right to either the details or a description of the personal information along with details of any third party who has had access to it.

You must provide these details in a reasonable time and any access fee must be reasonable.

The data subject then has the right to ask for any errors in the data to be corrected or, if relevant, destroyed. They can also object to you processing data for a specific purpose or for direct marketing.

What is "Special Personal Information"

The POPI Act classes some data as "special personal information," namely:

"the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject"

This category also covers alleged criminal offenses and related court proceedings.

As a general rule, you must get consent from the individual to process "special personal information." To avoid doubt, this should be specific consent that explicitly covers this particular information.

Some key exceptions to this rule that are relevant to business include the following:

  • You have to process the data to comply with the law
  • The Information Regulator has given specific permission for you to do so
  • You are processing race or ethnic origin data to comply with anti-discrimination or positive discrimination laws

The POPI Act also says you cannot process personal information about a child unless it's a legal requirement or you have the consent of a competent person (such as a parent or guardian.) Again, this should be specific and explicit consent to avoid legal doubt.

Your POPI Privacy Policy

Your POPI Privacy Policy

Although the POPI Act does not explicitly require a Privacy Policy, publishing one is by far the most efficient way to comply with the requirements for openness and getting consent.

To make your Privacy Policy compliant, it should follow both a principle and some specific requirements, both of which are laid down in the act.

The principle is that any consent a data subject gives is "voluntary, specific and informed." This means the data subject must know exactly what they are consenting to, including the details of what data you use, how and why.

All of this information can be included in your Privacy Policy.

The specific requirements are that you must make the data subject aware of the following points as soon as practical, which usually means before collecting the data:

  • The information you are collecting
  • Where you got the information (if not directly from the data subject)
  • Your contact details
  • Why you are collecting the information
  • Whether or not the data subject has a choice whether to supply the information
  • What happens if the data subject doesn't collect the information
  • Which (if any) laws say you can or must collect the data
  • Whether you plan to transfer the data outside the country and if so what safeguards will apply

This example from Vodacom's Privacy Policy clearly details the personal information it collects:

Vodacom Privacy Policy: Excerpt of Personal information we collect clause

This example from Ecommerce Forum Africa covers potential transfers of data:

Ecommerce Forum Africa Privacy Policy: How will Ecommerce Forum Africa Store My Personal Information clause

You should also make sure the data subject knows about the following rights:

  • To access the information and correct it
  • To object to you processing the information
  • To complain to the Information Regulator

This example from Novartis explains these privacy rights:

Novartis Privacy Policy: What are your rights and how can you exercise them clause

This example from Zambia Tourism covers similar points and provides clear contact details:

Zambia Tourism Privacy Policy: How do we protect your information clause

Later in the Privacy Policy, a clause specifically addresses how users can access their personal information. Again, contact information for doing so is included:

Zambia Tourism Privacy Policy: Access to and retention of information clause

Many of these points may already be covered by your existing Privacy Policy if you operate in other countries. One approach is to simply update your existing Privacy Policy and double-check that it covers all the points required by the POPI Act. Another is to add a new section to your existing Privacy Policy that specifically applies to users in South Africa.

This example from Maitland highlights a key difference that applies in South Africa and actually states the difference in the definition of "personal information" in this clause:

Maitland Privacy Policy: What is Personal Information clause

Whether you're starting a new Privacy Policy from scratch or have one you'll need to update to address POPI, it won't be difficult to get compliant.

Official Forms For Exercising Data Subject Rights

Official Forms For Exercising Data Subject Rights

The precise way in which you inform data subjects about the information you collect and their rights is up to you. However, the Information Regulator has produced several standard forms for data subjects who want to exercise their rights. The forms are as follows, with their noted pages where they can be found in the linked PDF above:

  • Form 1 (page 12 of 144): Objecting to processing of personal information
  • Form 2 (page 14 of 144): Requesting that you correct or delete personal information
  • Form 5 (page 20 of 144): Complaining to the Information Regulator

You could either make these forms available on your site or link to the Information Regulator.

Another document, Form 4 (page 18 of 144), is for you to use when asking a data subject for consent to direct marketing by electronic communication (such as email newsletters.) This is the only situation where you must use a prescribed form to get consent.

Penalties For Violating POPI

The Information Regulator has the power to:

  • Issue an enforcement notice that legally requires a business to change its operations to comply with the POPI Act
  • Take civil action in the courts to claim for damages caused by a breach of the law, even if it was unintentional or did not involve neglect. This can cover patrimonial (directly measurable financial) loss, non-patrimonial loss (such as emotional harm from a breach of privacy) and aggravated damages (a term not fully defined in South African law and thus untested in POPI Act cases).

The Act also creates several criminal offenses which can lead to prison sentences including:

  • Failing to comply with an enforcement notice (maximum penalty of 10 years)
  • Obstructing or hindering the Information Regulator's activities (maximum penalty of 10 years)
  • Breaching the Act's requirements when handling an account number (maximum penalty of 10 years)
  • Making a false statement to the Information Regulation in response to an information request (maximum penalty of 1 year)

POPI vs GDPR

POPI vs GDPR

If you operate in, serve customers in, or process data in the European Union you should already comply with the General Data Protection Regulation (GDPR).

The good news is that the required measures you must take to comply are broadly the same and in some cases are more stringent for the GDPR. You must always take responsibility for checking that you comply with applicable laws, including the POPI Act, but if you've already taken steps to comply with the GDPR the changes to your procedures will often be minimal.

Instead the big difference is scope, specifically that unlike the GDPR, the POPI Act covers "juristic persons." This means that businesses have the same privacy rights (where applicable) as individuals. While this may seem unintuitive and confusing, the key is that any data that applies to a specific, identifiable business must be treated in the same way as personal data about individuals.

Even if you comply with the GDPR, you may need to rethink your privacy procedures and data handling to cover data about businesses. You'll also need to make sure your Privacy Policy extends to such data.

Summary

Here's what you need to know and do to comply with the POPI Act:

  • The Act is already law but enforcement and regulation has not yet started. This may happen relatively soon so you need to prepare.
  • The law covers both information about humans and, in some cases, businesses in South Africa. It applies even if the "responsible party" (data processor) is located outside of South Africa
  • You must meet eight conditions to lawfully process personal information:

    • Comply fully with the Act
    • Get prior consent to collect and process personal information
    • Give a specific, lawful purpose for collecting the data
    • Only process the data to serve the stated purpose
    • Keep the information accurate and up to date
    • Make sure the data subject is fully informed about your data use before they consent to collection and processing
    • Keep the data secure
    • Respond to data access requests in a reasonable time and without charging an unreasonable access fee
  • Some types of data are classed as "special personal information." You should normally get specific and clear consent to collect this information. To avoid doubt, don't assume general consent covers this.
  • Publishing a Privacy Policy is the easiest way to make sure consent is truly informed. The policy must cover several points set out in the POPI Act.
  • The Information Regulator has produced several official forms for data subjects to make requests and objections. Point data subjects towards these forms or put them on your site.
  • The Information Regulator can order you to change your practices to comply with the POPI Act. Failing to comply with this order can lead to a maximum prison sentence of 10 years.
  • The Information Regulator can take civil action for a breach. This could mean you have to pay financial damages that go beyond covering direct financial losses.
  • If you already comply with the GDPR, it shouldn't take too much extra work to comply with the POPI Act. The biggest change is that POPI Act covers data about juristic persons (such as companies) rather than just humans.