The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


South Africa


South Africa Protection of Personal Information Act of 2013 (POPIA)

Protection of Personal Information 2013, Act No. 37067

Highlights

Territorial Scope:

POPIA applies to the processing of Personal Information by a Responsible Party using automated or non-automated means (provided that, where non-automated means are used, the information forms part of a filing system), either in the context of the activities of an establishment of the Responsible Party in South Africa, or where the Responsible Party is not established in South Africa but uses automated or non-automated means to process Personal Information in South Africa. The Act does not apply where such automated or non-automated means are used only to transfer Personal Information through South Africa.

Excluded from its scope is the processing of Personal Information purely for personal or household activities, de-identified information, information processed by or on behalf of a public body in relation to national security or the prevention of unlawful activities, and information processed by a judicial body or for journalistic, literary, or artistic purposes.

Principles of Processing:

  • Accountability;
  • Processing limitation;
  • Purpose specification;
  • Further processing limitation;
  • Information quality;
  • Openness;
  • Integrity and confidentiality;
  • Data Subject Participation.

Lawfulness of Processing:

Processing is lawful only if and to the extent that at least one of the following applies:

  • the Data Subject, or a competent person where the Data Subject is a child, has given consent to the processing of his or her Personal Information for one or more specific purposes;
  • processing is necessary for the performance of a contract;
  • processing is necessary for compliance with a legal obligation;
  • processing protects a legitimate interest of the Data Subject;
  • processing is necessary for the performance of a task carried out in the public interest by a public body; or
  • processing is necessary for the purposes of the legitimate interests pursued by the Responsible Party or by a third party.

Controller and Processor Obligations:

  • Inform Data Subjects of the information being collected, the purpose of collection, applicable laws requiring collection, international transfers, and the rights the Data Subjects are entitled to.
  • Implement appropriate technical and organizational measures to prevent unauthorized destruction of, or unlawful access to, Personal Information, and confirm that any Operator to whom the Responsible Party has entrusted Personal Information implements similar measures.
  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or control and regularly verify and update appropriate security safeguards.
  • A Responsible Party must, in terms of a written contract between the Responsible Party and the Operator, ensure that the Operator processing Personal Information on its behalf establishes and maintains the necessary and appropriate security measures.
  • For Operators, not process Personal Information except on instructions from the Responsible Party, unless required to do so by law or in the course of performance of their duties.
  • For Responsible Parties, in the case of a security compromise, notify the Regulator and the Data Subject (unless the Data Subject's identity cannot be established) as soon as reasonably possible after the discovery of the compromise.
  • For Operators, notify the Responsible Party immediately where there are reasonable grounds to believe the Personal Information has been accessed or acquired by an unauthorized person.
  • A Responsible Party may only process special categories of Personal Information or information of children pursuant to a general or specific authorization as prescribed by the law.
  • Each public and private body must designate an information officer responsible for encouraging compliance with the law, dealing with requests and working with the Regulator, and otherwise ensuring compliance with the law.
  • Obtain prior authorization for processing certain categories of information such as information on criminal behavior, for purposes of credit reporting, for a different purpose than originally intended or for aligning it with other information processed by other third parties, and to transfer special personal information or information of children to a third party in a foreign country.

Data Subject Rights:

The Responsible Party shall respond to the Data Subject within a reasonable time of the receipt of the request.

  • Right to know and access;
  • Right to correct;
  • Right to erasure;
  • Right to object to processing of Personal Information;
  • Right to not have their Personal Information processed for purposes of direct marketing through unsolicited electronic communications;
  • Right not to be subject to a decision based solely on automated processing, which produces legal effects concerning him or her or similarly significantly affects him or her;
  • Right to submit a complaint to the Regulator regarding interferences with the processing of their Personal Information;
  • Right to institute proceedings regarding alleged interference with the protection of their Personal Information.

Cross-border Data Transfers to Third Parties:

A transfer of Personal Information to a third party in a foreign country may only be undertaken if:

  • The third-party recipient is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection substantially similar to the principles for lawful processing of POPIA, and includes provisions similar to the restrictions on further transfers of Personal Information.
  • The Data Subject consents to the transfer.
  • The transfer is necessary for the performance of a contract.
  • The transfer is necessary for the conclusion of a contract between the Responsible Party and a third party that is in the interest of the Data Subject.
  • The transfer is for the benefit of the Data Subject and it is not reasonable to obtain consent.

Security Compromise Notification:

  • Timeline for Notification: The Responsible Party must notify the Regulator and the Data Subject as soon as reasonably possible after the discovery of the compromise, taking into account the needs of law enforcement and any measures necessary to determine the scope of the compromise or restore the integrity of the information. The Operator shall notify the Responsible Party immediately where there are reasonable grounds to suspect a compromise. The Responsible Party may only delay notification to the Data Subject if a public body responsible for investigations or the Regulator determines that notification may impede a criminal investigation.
  • Requirements for Notification: The notification must be in writing and be communicated to the Data Subject by mail, by email, by prominent display on the website, through the news media, or as directed by the Regulator. The notification shall at least:
    • Describe the likely consequences of the security compromise;
    • Describe the measures taken or proposed to be taken by the Responsible Party to address the security compromise;
    • Recommend measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
    • Identify, if known, the unauthorized person who may have accessed or acquired the Personal Information.

More Details

Definitions:

  • Consent: A voluntary, specific, and informed expression of will giving permission to the processing of Personal Information.
  • Data Subject: The person, either natural or juristic, to whom the personal information relates.
  • Regulator: The Information Regulator, an independent and impartial body that promotes the lawful processing of personal information and monitors and enforces compliance with POPIA.
  • Personal Information: Any information relating to an identifiable living natural person and, in certain cases, to an identifiable legal person. Personal Information may include, but is not limited to, information about the race, gender, sex, pregnancy, health, wellbeing, religion, or culture of the person; information about education, medical, criminal, financial, or employment history; any identifying number or identifier such as an email address, physical address, or online identifier; biometric information; personal opinions and views; private correspondence; opinions about the person; and the person's name or any other information that would identify the person.
  • Processing: Any operation or activity, whether or not by automatic means, concerning personal information, including but not limited to the collection, recording, organization, modification, use, distribution, and destruction of personal information.
  • Operator: A person who processes Personal Information for a Responsible Party based on a contract or mandate, not subject to the direct authority of the Responsible Party.
  • Special Personal Information: Personal Information revealing religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information, information concerning health or a natural person's sex life, and information on criminal behavior.
  • Responsible Party: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Information.

Penalties:

Any person convicted of an offence for violation of certain obligations can be subject to imprisonment for a period not exceeding ten (10) years in addition to a fine, or, for certain other offences, imprisonment for a period not exceeding twelve (12) months and a fine.

Further, infringements of certain provisions can be subject to administrative fines up to 10 million South African Rand.

Remedies, Liability, and Complaints:

  • Right to Lodge a Complaint with the Regulator: Every Data Subject has the right to lodge a complaint with the Regulator if the Data Subject considers that the processing of Personal Information relating to him or her infringes POPIA.
  • Right to an Effective Judicial Remedy against the Regulator's Enforcement: A Responsible Party on whom an enforcement notice has been served has the right to an effective judicial remedy against a legally binding decision of the Regulator concerning them.
  • Right to Civil Remedies: A Data Subject, or the Regulator at the Data Subject's request, may institute civil action for damages in a court against a Responsible Party for breach of the provisions of the law.

Effective Date:

July 1, 2020
