Viv Greene Attorneys

POPIA FAQ

  • What is POPIA?

    POPI is a South African law that ensures that any personal information that you give out is protected. The law stipulates a set of rules that organisations have to follow in terms of how they collect, use, keep or remove data.

  • What does POPIA stand for?

    POPIA stands for Protection of Personal Information Act (often called the POPI Act or POPIA).

  • When did POPIA come into effect?

    The law has been effective since 1 July 2020.

  • Which country does the POPI Act apply to?

    POPI applies conditions for the lawful processing of personal data of South African citizens and those living in South Africa.

  • Who must comply with the POPI Act?

    Any person or organisation that keeps records relating to personal information, such as an individual's name, signature, address, phone number, credit information or date of birth, needs to comply with the POPI Act, unless those records are protected more stringently by other legislation. The Act sets the minimum standards for the protection of personal information.

  • What is the purpose of POPIA?

    The purpose of the POPI Act is to protect personal information, striking a balance between the right to privacy and the need for the free flow of information as well as access to information, whilst regulating how personal information is processed. It is intended to protect consumers and legitimate businesses from those that don't comply.

  • How do you comply with POPI Act in South Africa?

    Ensure your employees are aware of the POPI Act and adhere to the regulations set out.
    Assess how your clients' and employees' data is collected, stored, processed, and eventually disposed of.
    Review, create and set up the correct policies and procedures to ensure the compliant processing of personal information.
    Policies and procedures should be assessed or audited by a POPI specialist to make sure they align with the requirements of the POPI Act.
    Adequate communication and training on all policies and procedures should be provided to your staff.

  • What are the consequences of non-compliance?

    The South African Information Regulator may institute a fine or imprisonment of up to 12 months. (Section 107 of the POPI Act)
    In some cases, depending on the Sections of the Act you do not comply with, or if convicted of an offence in terms of the Act, you may be liable for a fine of up to 10 million or up to 10 years imprisonment. If your clients are impacted by a data breach, POPIA even empowers them to take civil action for damages.

  • POPI or POPIA?

    POPI is the act of protecting Personal Information, implying that all the policies, procedures, processes and practices in the organisation relating to personal information, are in fact doing POPI. POPIA is merely the name of the law, and so you cannot “do” POPIA. To comply with POPIA, you need to implement a POPI programme.

  • Does POPI apply to a deceased person?

    POPI does not apply to a deceased person because the definition of 'personal information' requires that the data subject (i.e. the person) be 'living'.

  • What do I need to know about POPIA?

    POPI is the South African data privacy law and it stands for the Protection of Personal Information Act, 2013, also referred to as POPIA. It governs when and how businesses, companies or organisations collect, use, store, delete and otherwise handle personal information.

  • Does POPI Act apply to Social Media?

    No, the POPI Act does not apply to social media as it does not protect public information. Any information that you share publicly will automatically fall outside of this Act's protection. If you list your email address or mobile number on any of your social media platforms, and that information is publicly available, it is then free for companies to collect and use.

  • Who are the role players in POPIA?

    The role players are:
    The data subject: the person to whom the information relates.
    The responsible party: the person who determines why and how to process, such as profit companies, non-profit companies, governments, state agencies and people. The responsible party is responsible for the lawful processing of personal information.
    The operator: a person who processes personal information on behalf of the responsible party such as an IT specialist or lawyer.

  • Who would be responsible for POPI in my company?

    The Information Officer of an organisation is the “go to” person when it comes to information. By default, every South African organisation has one. Did you know that the Promotion of Access to Information Act or PAIA automatically designates a person in each organisation as an officer? This person is different to the Chief Information Officer or CIO. That person is specifically called an Information Officer.

  • Does my company already have an information officer?

    Every organisation or company, whether a public or private body, has one. National departments, provincial administrations and municipalities all have an information officer. Companies, CCs, partnerships and trusts are not exempt; they all have an information officer by default.

  • What are the roles or responsibilities of the Information Officer?

    The role of the information officer is to encourage compliance by the company with the conditions for the lawful processing of personal information in terms of POPIA.

    1. Deal with requests made to the organisation in terms of POPIA.
    2. Work with the Information Regulator in relation to investigations conducted in relation to the body.
    3. Otherwise ensure compliance by the body with the provisions of POPIA.
    4. Make sure a compliance framework is developed, implemented, monitored, and maintained.
    5. Develop, monitor, maintain and make available a PAIA manual.
    6. Ensure that a personal information impact assessment is done in the company so that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
    7. Subject to the exemptions already mentioned, a manual is developed, monitored, maintained, and made available as prescribed in terms of POPIA and PAIA.
    8. Develop measures and adequate systems within the organisation to process requests for access to information.
    9. Ensure that internal awareness sessions are carried out regarding the provisions of POPIA.

  • Who is the Information Regulator?

    The National Assembly voted in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator.

  • Where do I report a POPI violation?

    You can report a Popi violation by e-mailing .
    Your complaint will be dealt with by an adjudicator. If you are not happy with the determination of the adjudicator, you can still approach the Information Regulator for another ruling.

  • Is anyone exempt from complying with POPI?

    • Personal or household activity
    • Processing any personal information that has been de-identified.
    • Crime investigation by the SAPS
    • Terrorist and related activities
    • Journalists, authors and artists freely expressing themselves
    • Historical, statistical or research activities
    • Public Interest to process information outweighs privacy of Data Subject
    • Processing personal information for purely journalistic, artistic or literary purposes

  • What is a data subject?

    A data subject is an individual whose personal information has been processed. When you keep someone's personal data on file, that person becomes a data subject, and you have to respect their data subject rights.

  • Does POPI Act apply to WhatsApp?

    Where a WhatsApp group is created to facilitate family related or personal matters, such as between family, friends or acquaintances, then POPIA will not apply.
    If a WhatsApp group is created by a business for marketing purposes, businesses are required to obtain consent before adding the relevant person to the WhatsApp group.

    Where a business makes use of a contact list or mailing list to broadcast messages through WhatsApp, consent from those individuals who do not constitute existing customers of the business is required.

  • What does POPI mean to the consumer?

    One of the aims of the POPI Act is to protect consumers by safeguarding their personal information. The Act helps protect consumers from having their money and identity compromised or stolen as well as keeping their personal information private. Personal information can only be collected and/or used where there is a lawful justification for it.

  • How does the POPI Act affect marketing?

    The POPI Act regulates direct marketing using electronic communication and the Consumer Protection Act (CPA) regulates all forms of unsolicited direct marketing activities. Organisations using this type of marketing should make use of consent forms to “opt-in” rather than just offering the “opt-out” option.

  • What is the difference between PAIA and POPIA?

    PAIA and POPIA are both "information" laws, with the former protecting the right to access and freedom of information and POPIA protecting against the unjustified exposure of personal information. Both Acts complement each other in ensuring that information is managed lawfully.

  • What is the difference between POPIA and GDPR?

    The POPI Act is a South African law extending its protections on collected information to companies and corporations as well as individuals. The POPI Act applies to everyone in South Africa who processes the personal information of any South African citizen or organisation while the GDPR is a European Union (EU) law relating to the personal information of individuals while 

  • How does the POPI Act affect call centres?

    The POPI Act states that call centres are obliged to only use information for the purposes for which it was originally collected. POPIA does not prohibit cold calling; however, companies and consumers need to be aware that the Consumer Protection Act (CPA) imposes prohibitions on cold callers.
