South Africa Protection of Personal Information Act, 4 of 2013 (POPIA)

Highlights

Territorial Scope:

POPIA applies to the processing of all Personal Information entered into a record by or for a Responsible Party, whether by automated or non-automated means, provided that Personal Information processed by non-automated means forms part of a filing system. It applies where the Responsible Party is domiciled in South Africa, and also where the Responsible Party is not domiciled in South Africa but makes use of automated or non-automated means in South Africa, unless those means are used only to forward Personal Information through South Africa.

POPIA does not apply to the processing of Personal Information:

  1. in the course of a purely personal or household activity;
  2. that has been de-identified to the extent that it cannot be re-identified again;
  3. by or on behalf of a public body in a matter which involves national security, or the prevention, detection or investigation of unlawful activities, to the extent that adequate safeguards for the protection of that Personal Information have been established in other legislation;
  4. by the Cabinet and its committees or the Executive Council of a province;
  5. relating to the judicial functions of a court; or
  6. for journalistic, literary or artistic expression, to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.

POPIA is a principle-based law, which leaves room for interpretation.

There are 8 Conditions for the lawful processing of Personal Information. Briefly, these Conditions are:

  1. Accountability (the Responsible Party is required to ensure the conditions for lawful processing);
  2. Processing limitation (this relates to the lawfulness of processing, minimality of processing, consent, justification and objection, and collection directly from the data subject);
  3. Purpose specification (the collection of Personal Information needs to be for a specific purpose, and there are rules about the retention and restriction of records); 
  4. Further processing limitation (any further processing of Personal Information needs to be compatible with the purpose of the collection); 
  5. Information quality (steps need to be taken to ensure that the Personal Information is complete, accurate, not misleading and updated where necessary);
  6. Openness (there needs to be records of processing, and ensuring that the data subject knows that the Personal Information is being collected, for what purpose, and how it is to be used); 
  7. Security safeguards (there must be appropriate, reasonable technical and organisational security measures in place to ensure the integrity and confidentiality of the Personal Information; an operator may only process with the knowledge and authorisation of the Responsible Party; and if there are reasonable grounds to believe a security compromise has occurred, the Responsible Party must be notified); and 
  8. Data Subject Participation (this includes the rights of data subjects to access, correct or delete their Personal Information).

There is also a general prohibition on the processing of Special Personal Information, which is information concerning:

  1. Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject;
  2. The criminal behavior of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence, any proceedings in respect of such an offence, or the disposal of such proceedings. 

The general prohibition does not apply if:

  1. The processing is carried out with the data subject's consent; 
  2. The processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  3. The processing is necessary to comply with an obligation of international public law;
  4. The processing is for historical, statistical or research purposes to the extent that it serves a public interest, or it appears to be impossible or would involve a disproportionate effort to ask for consent; or
  5. The information has deliberately been made public by the data subject.

Responsible Party and Operator Obligations: 

A Responsible Party is a public body, private body or any other person ‘which, alone or in conjunction with others, determines the purpose of and means for processing personal information’.

The ultimate responsibility vests with the Responsible Party to ensure that the 8 Conditions, and all measures giving effect to them, are complied with both at the time the purpose and means of the processing are determined and during the processing itself. If there are reasonable grounds to believe that the Personal Information of a data subject has been accessed or acquired by an unauthorised third party, the ultimate duty to notify the Information Regulator and the data subject of the possible security compromise vests with the Responsible Party.

The Responsible Party will be held accountable even if the non-compliance with POPIA is caused by the Operator. 

The Operator is the public body, private body or any other person who processes the Personal Information for a Responsible Party in terms of a contract or mandate.  POPIA requires there to be a written agreement between the Responsible Party and the Operator, to ensure that the operator establishes and maintains the appropriate security measures.  In addition:

  1. The Operator can only process Personal Information with the knowledge and authorization of the Responsible Party;
  2. The Operator must treat all Personal Information as confidential and not disclose any of the Personal Information; and
  3. The Operator must immediately notify the Responsible Party when there are reasonable grounds to believe that the Personal Information under its control may have been accessed by any unauthorized person. 

Cross-border Data Transfers to Third Parties:

A transfer of Personal Information to a third party in a foreign country may only be undertaken if: 

  • The third-party recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds principles substantially similar to POPIA's conditions for lawful processing, and which includes provisions substantially similar to POPIA's restrictions on onward transfers of Personal Information; 
  • The data subject consents to the transfer; 
  • The transfer is necessary for the performance of a contract between the data subject and the Responsible Party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Responsible Party and a third party; or 
  • The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject's consent, and, if it were reasonably practicable, the data subject would be likely to give it.

Security Compromise Notification:

  • Timeline for Notification:  The Responsible Party must notify the Information Regulator and the data subject, as soon as reasonably possible after discovery, where there are reasonable grounds to believe that the Personal Information of a data subject has been accessed or acquired by any unauthorised person, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the information system. The phrase "as soon as reasonably possible" has been interpreted in practice to mean within 72 hours of becoming aware of the potential security compromise. The Responsible Party may only delay notification to the data subject if a public body responsible for the prevention, detection or investigation of offences, or the Information Regulator, determines that notification will impede a criminal investigation. 
  • Requirements for Notification:  The notification must be in writing and be communicated to the data subject by mail to the data subject's last known physical or postal address, by e-mail, by prominent placement on the Responsible Party's website, by publication in the news media, or as directed by the Regulator. The notification must at least:
    • Describe the likely consequences of the security compromise; 
    • Describe the measures taken or proposed to be taken by the Responsible Party to address the security compromise;
    • Recommend measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
    • If known, identify the unauthorised person who may have accessed or acquired the Personal Information. 

More Details

Definitions:

  • Consent:  Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information.
  • Data Subject:  The person, either natural or juristic, to whom the Personal Information relates.
  • Regulator or Information Regulator:  An independent and impartial juristic person established in terms of POPIA, with jurisdiction throughout South Africa, to exercise its powers under POPIA and the Promotion of Access to Information Act, accountable to the National Assembly. 
  • Personal Information:  Any information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person. Personal Information includes, but is not limited to, information about the race, gender, sex, pregnancy, health, wellbeing, religion or culture of the person; information about educational, medical, criminal, financial or employment history; any identifying number, symbol, e-mail address, physical address, telephone number, location information or online identifier; biometric information; the personal opinions, views or preferences of the person; private or confidential correspondence; the views or opinions of another individual about the person; and the person's name if it appears with other Personal Information or if the disclosure of the name itself would reveal information about the person.
  • Processing:  Any operation or activity, or set of operations, whether or not by automatic means, concerning Personal Information, including but not limited to the collection, recording, organisation, storage, modification, use, dissemination, distribution, erasure and destruction of Personal Information.
  • Operator:  A person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party.
  • Special Personal Information:  Personal Information revealing religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information, information concerning health or a natural person's sex life, and information on criminal behaviour. 
  • Responsible Party:  A public body, private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.

Penalties: 

Any person convicted of an offence under POPIA is, depending on the offence, liable to a fine or imprisonment for a period not exceeding ten (10) years, or to both a fine and such imprisonment, or, for the less serious offences, to a fine or imprisonment for a period not exceeding twelve (12) months, or to both.  

Further, the Regulator may impose administrative fines of up to 10 million South African Rand (ZAR 10 000 000) for infringements of certain provisions.

Remedies, Liability, and Complaints: 

  • Right to Lodge a Complaint with the Regulator:  Every data subject has the right to lodge a complaint with the Regulator if the data subject considers that the processing of Personal Information relating to him or her infringes POPIA.
  • Right to an Effective Judicial Remedy against the Regulator's Enforcement:  A Responsible Party on whom an enforcement notice has been served has the right to appeal to the High Court against a legally binding decision of the Regulator concerning it.
  • Right to Civil Remedies:  A data subject, or the Regulator at the request of the data subject, may institute a civil action for damages in a court against a Responsible Party for breach of any provision of POPIA, whether or not there is intent or negligence on the part of the Responsible Party.  

Effective Date:  July 1, 2020 (with a one-year grace period for compliance, which ended on June 30, 2021)

Cybercrimes Act 19 of 2020

The primary cybercrime law of South Africa is the Cybercrimes Act 19 of 2020, the greater part of which commenced on 1 December 2021. 

Purpose: 

The purpose of this Act is to create offences which have a bearing on cybercrime; to criminalise the disclosure of data messages which are harmful and to provide for interim protection orders; to further regulate jurisdiction in respect of cybercrimes; to further regulate the powers to investigate cybercrimes; to further regulate aspects relating to mutual assistance in respect of the investigation of cybercrimes; to provide for the establishment of a designated Point of Contact; to further provide for the proof of certain facts by affidavit; to impose obligations to report cybercrimes; to provide for capacity building; to provide that the Executive may enter into agreements with foreign States to promote measures aimed at the detection, prevention, mitigation and investigation of cybercrimes; to delete and amend provisions of certain laws; and to provide for matters connected therewith.

The Cybercrimes Act must be read with the Protection of Personal Information Act 4 of 2013 and the Electronic Communications and Transactions Act 25 of 2002. 

Other Cybercrime Legislation

There are also other pieces of legislation in South Africa that can potentially be applied to combat the unlawful interference with information and cybercrime, including:

  • Promotion of Access to Information Act 2 of 2000
  • Financial Intelligence Centre Act 38 of 2001
  • Prevention and Combating of Corrupt Activities Act 12 of 2004
  • Prevention of Organised Crime Act 121 of 1998