skip to Main Content

South Africa

The Protection of Personal Information Act (POPIA) is South Africa’s data protection commenced on 1st July 2020, and places the onus for organisations to comply by 1st July 2021.

The law covers any natural or juristic person who processes personal information, including large corporate entities, SME’s and government, and involves the interactions between three parties (who can be natural or juristic persons).

  1. The person to whom the information relates (the data subject)
  2. The person who determines why and how to process. For example, profit companies, non-profit companies, governments, state agencies and people. Called controllers in other jurisdictions (the responsible party)
  3. A person who processes personal information on behalf of the responsible party. For example, an IT vendor (the operator or processor).

The Protection of Personal Information Act places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Fines for non-compliance will range from between R1 million and R10 million will apply, as will the paying of compensation to data subjects for the damage they have suffered. Considered at this stage unlikely, imprisonment of between one to ten years is also an option for the regulator.

For updates on changes in legislation
Sign Up for Vox updates on the POPIA

Follow the Legislative updates by clicking on the link to the the POPIA updates website