Protection of Personal Information Act (POPIA)

South Africa’s comprehensive data protection law establishing conditions for lawful processing of personal information.

The Protection of Personal Information Act (POPIA) is South Africa’s data protection law, fully enforceable since July 1, 2021. It establishes eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. POPIA applies to any organization that processes personal information of data subjects within South Africa, or uses equipment in South Africa for processing, unless the information is merely in transit.

POPIA is enforced by the Information Regulator, which can issue enforcement notices, impose fines of up to ZAR 10 million, and refer criminal offenses for prosecution with potential imprisonment. Like the GDPR, POPIA requires a lawful basis for processing, grants data subjects rights of access, correction, and deletion, and mandates notification of data breaches to both the regulator and affected individuals. A notable feature is the regulation of special personal information (including biometric data, religious beliefs, and trade union membership) and the specific rules for processing children’s personal information.

Applies To

GDPR, LGPD

How Pryvii Helps

Pryvii's scanner evaluates your website against POPIA requirements, checking data collection practices, privacy notice content, and consent mechanisms for compliance with South Africa’s data protection framework.
