Data Protected - South Africa
Last updated March 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The Protection of Personal Information Act 4 of 2013 (“POPIA”).
POPIA is supported by subordinate legislation, being regulations that can be made by either the Information Regulator or the Minister of Justice and Constitutional Development in terms of section 112 and 113 of POPIA. The Information Regulator issued regulations on 14 December 2018, in South Africa's Government Gazette 42110, which came into operation between March and July 2021 ("The Regulations").
Entry into force
The President signed a proclamation in April 2014 declaring the sections of POPIA relating to the appointment of the Information Regulator effective.
Most of the remaining provisions came into force on 1 July 2020.
POPIA provided for a one-year grace period after the provisions came into force, and so it was only after 1 July 2021 that the processing of personal information had to conform to the requirements of the POPIA. Most private bodies were exempted from having a PAIA manual (discussed below) in place until 31 December 2021 and the deadline for those that needed to get prior authorisation for high-risk processing activities under POPIA (discussed briefly below) was extended to 1 February 2022.
_____________________________________________________________________ Top
National Supervisory Authority
Details of the competent national supervisory authority
The Information Regulator
JD House, 27 Stiemens Street, Braamfontein,
Johannesburg, 2001.https://inforegulator.org.za/
The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016. The Regulator will be responsible for education, monitor and enforce compliance, handle complaints, perform research and facilitate cross-border cooperation. The Information Regulator has jurisdiction throughout the republic, is independent and is subject only to the Constitution and to the law and must be partial and perform its functions and exercise its powers without fear, favour, or prejudice.
Adv Pansy Tlakula was appointed as the Chairperson of the Information Regulator with effect from 1 December 2016. Adv Lebogang Stroom-Nzama, and Adv Collen Weapond were appointed as full-time members and Ms Alison Tilley and Mr Mfana Gwala were appointed as a part-time member. They will serve a term of office of five years.
Notification or registration scheme and timing
There is no notification scheme.
However, prior authorisation must be obtained from the Information Regulator where a “responsible party” (akin to a data controller) seeks to: (i) process unique identifiers (an identifier that is assigned to the data subject by a responsible party and uniquely identifies the data subject) under certain circumstances; (ii) process criminal behaviour on behalf of third parties; (iii) process personal information for the purposes of credit reporting; or (iv) transfer “special personal information” or personal information of a child to a third country without adequate protection.
Exemptions to notification
Not applicable.
_____________________________________________________________________ Top
Scope of Application
What is the territorial scope of application?
The POPIA applies where the responsible party is: (i) domiciled in South Africa; or (ii) not domiciled in South Africa but makes use of automated or non-automated means in South Africa to process personal information, unless those means are used only to forward personal information through South Africa.
Is there a concept of a controller and a processor?
The POPIA applies to responsible parties, but limited obligations extend to “operators” (akin to data processors) too.
An operator must: (i) only process personal information with the knowledge or authorisation of the responsible party; (ii) treat personal information which comes to its knowledge as confidential and not disclose it (unless required by law or in the course of the proper performance of its duties); and (iii) notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Are both manual and electronic records subject to data protection legislation?
Yes. The POPIA applies to personal information entered in a record by or for a responsible party by making use of automated or non-automated means, provided that where non-automated means are used the recorded information forms part of a filing system or is intended to form part thereof.
The meaning of “automated means” is any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
A filing system is a structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
Are there any national derogations?
Certain types of processing are excluded by the POPIA. For example, processing in the course of a purely personal or household activity; processing by a public body which involves national security; processing by the Cabinet of the national government ; and processing relating to the judicial functions of court need not comply with the conditions for lawful processing of personal information.
Also exempted from the conditions for lawful processing of personal information is processing solely for the purpose of journalistic, literary or artistic expression, to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression. The journalistic exemption requires that where the responsible party is, by virtue of office, employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal information then such code will apply to the processing concerned to the exclusion of POPIA.
For example, the Press Code, as published by the Press Council of South Africa, mandates journalists who subscribe to the Code to strive to consistently avoid causing unnecessary harm by ensuring that personal information does not get misappropriated and is not utilized to harm the data subjects.
_____________________________________________________________________ Top
Personal Data
What is personal data?
The POPIA defines “personal information” to mean information relating to an identifiable, living, natural person, and, where applicable, an identifiable, existing juristic person (for example, a company or other similar legal entity).
An open-ended list of examples of the types of information that constitute personal information is provided in the POPIA. Such examples include: (i) information relating to personal characteristics such as race, gender, sex and age; (ii) personal opinions and preferences; (iii) private correspondence; and (iv) the views of another individual about a data subject.
Is information about legal entities personal data?
Yes. The POPIA extends to include information not only about individuals, but also about juristic persons (legal entities). The processing of personal information of legal entities is subject to the same provisions as the processing of personal information of individuals.
What are the rules for processing personal data?
Personal information may generally be processed if: (i) the data subject provides voluntary, express, and informed consent to the processing; (ii) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; (iii) processing complies with an obligation imposed by law on the responsible party; (iv) processing protects a legitimate interest of the data subject; (v) processing is necessary for the proper performance of a public law duty by a public body; or (vi) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
A data subject may withdraw consent to processing of personal information at any time. This withdrawal of consent does not affect processing of personal information in accordance with other processing rules (see above), such as where the processing complies with an obligation imposed by law on the responsible party.
Personal information may be processed only if all measures that give effect to the processing comply with the eight “conditions for lawful processing of personal information”. These conditions, which are modelled on provisions of the Data Protection Directive, are called: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.
Are there any formalities to obtain consent to process personal data?
The POPIA requires consent to be a voluntary, specific and informed expression of will. However, there is no prescribed manner in which such consent must be obtained.
Consent for the purposes of receiving direct marketing by means of unsolicited electronic communications must be requested in a prescribed manner and form.
Are there any special rules when processing personal data about children?
Processing data about children is only allowed if; (i) it is carried out with the prior consent of a competent person; (ii) it is necessary for the establishment, exercise or defence of a right or obligation in law; (iii) it is necessary to comply with an obligation of international public law; (iv) it is for historical, statistical or research purposes; or (v) it is of personal information which has deliberately been made public by the child with the consent of a competent person.
A competent person in this instance means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
The Regulator may, upon application by a responsible party and by notice in the Government Gazette, authorise a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child.
Are there any special rules when processing personal data about employees?
No. There are no special rules when processing personal data about employees.
_____________________________________________________________________ Top
Sensitive Personal Data
What is sensitive personal data?
Under the POPIA, sensitive personal data, referred to as “special personal information”, includes the standard types of sensitive personal data such as personal information concerning: the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject (excluding genetic information) and information concerning the criminal behaviour of a data subject to the extent that such information relates to: (i) the alleged commission by a data subject of any offence; and (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Are there additional rules for processing sensitive personal data?
Special personal information may be processed where either a general exception or a functional exception is met.
General exceptions include: (i) the processing is carried out with the consent of a data subject; (ii) processing is necessary for the establishment, exercise or defence of a right or obligation in law; (iii) processing is necessary to comply with an obligation of international public law; (iv) processing is for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned, or it appears to be impossible or would involve a disproportionate effort to ask for consent (and in both cases sufficient guarantees protect the privacy of the data subject); and (v) the information has deliberately been made public by the data subject.
An example of a functional exception (as set out in the POPIA) is where the data subject’s religious or philosophical beliefs are processed by a spiritual or religious organisation to whom the data subject belongs.
The Information Regulator may, upon application by a responsible party, authorise the processing of special personal information where such processing is deemed by the Information Regulator to be in the public interest and subject to adequate safeguards.
Are there additional rules for processing information about criminal offences?
This is subject to the same rules as other sensitive personal data.
Are there any formalities to obtain consent to process sensitive personal data?
The formalities are the same as those for consent to process personal data (see above).
_____________________________________________________________________ Top
Data Protection Officers
When must a data protection officer be appointed?
The default position is that the head of a private company is the “information officer”. The information officer need not be registered with the Information Regulator.
Companies may designate and must register with the Information Regulator any number of deputy information officers as is necessary to perform the duties and responsibilities of the information officer. There is no fee associated with this registration.
What are the duties of a data protection officer?
The information officer’s responsibilities (and, where delegated to deputy information officers, the deputy information officers’ responsibilities) include: (i) the encouragement of compliance by the responsible party with the conditions for lawful processing of personal information; (ii) dealing with requests, including data subject access requests; and (iii) working with the Information Regulator in relation to investigations.
_____________________________________________________________________ Top
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
Personal information may be processed only if all measures that give effect to the processing comply with the eight “conditions for lawful processing of personal information”. One of those conditions is accountability.
Are privacy impact assessments mandatory?
POPIA itself does not make privacy impact assessments mandatory, however, the Regulations relating to the protection of personal information require an information officer to conduct an impact assessment to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
_____________________________________________________________________ Top
Rights of Data Subjects
Privacy notices
When personal information is collected, a responsible party must take reasonably practicable steps to ensure that the data subject is aware of: (i) the information being collected and the source of the information; (ii) the name and address of the responsible party; (iii) the purpose for which the information is being collected; (iv) whether or not the supply of the information by the data subject is voluntary or mandatory; (v) the consequences of failing to provide the information; (vi) any particular law authorising or requiring the collection of the information; (vii) whether the responsible party intends to transfer the information to a third country or international organisation, and the level of protection afforded to the transferred information; and (viii) any further information which is necessary to enable the processing to be reasonable in the circumstances.
If the information is collected directly from the data subject these steps must be taken before the information is collected. If the information is collected from a third party, the steps must be taken either before the information is collected or as soon as reasonably practicable thereafter.
There are exceptions in POPIA to the requirement that fair processing information be provided, such as where: (i) the data subject has consented to the non-compliance and non-compliance would not prejudice a legitimate interest of the data subject; (ii) where non-compliance is necessary to avoid prejudice to the maintenance of the law by any public body or is necessary to comply with an obligation imposed by law or for the conduct of proceedings in any court or tribunal or in the interests of national security; (iii) compliance would prejudice a lawful purpose of collection; (iv) where compliance is not reasonably practicable in the circumstances of the particular case; or (v) the information will not be used in a form which the data subject may be identified or the information will be used for historical, statistical or research purposes.
Rights to access information
Data subjects have the right to request, free of charge, confirmation of whether or not a responsible party holds personal information about them.
Data subjects also have the right to request the record, or a description of the personal information being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the personal information. This may be subject to a prescribed fee and the responsible party may require the payment of a deposit.
Rights to data portability
There is no right to data portability.
Right to be forgotten
A data subject may request a responsible party to delete personal information in the responsible party’s possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Objection to direct marketing
A data subject may object, at any time, to the processing of personal information for the purposes of direct marketing.
For direct marketing by means of any form of electronic communication, a data subject must be provided with the opportunity to object to the processing of personal information at the time when the personal information was collected, and on the occasion of each communication with the data subject for this purpose.
If a data subject has objected to the processing of their personal information for direct marketing purposes, the responsible party may no longer process the personal information.
Other rights
A data subject may object, at any time, to processing of personal information that is being carried out subject to the following processing rules: (i) the processing protects a legitimate interest of the data subject; (ii) the processing is necessary for the proper performance of a public law duty by a public body; or (iii) the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Under the Promotion of Access to Information Act, all public and private bodies must prepare a manual setting out how people can get access to records held by the body (“PAIA Manual”).
_____________________________________________________________________ Top
Security
Security requirements in order to protect personal data
The POPIA requires responsible parties to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
In order to give effect to this general security obligation, responsible parties must take reasonable measures to: (i) identify all reasonably foreseeable internal and external risks to personal information; (ii) establish and maintain appropriate safeguards against the risks identified; (iii) regularly verify that the safeguards are effectively implemented; and (iv) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Specific rules governing processing by third party agents (processors)
The processing of personal information by operators (akin to data processors) must be in accordance with a written contract which ensures that the operator establishes and maintains the same security measures required of the responsible party (see above).
An operator must notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.
Notice of breach laws
A responsible party is obliged to notify both the Information Regulator and data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person.
This notification must occur as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. The notification to the data subject must meet certain manner and form requirements and may only be further delayed if a public body responsible for the prevention, detection or investigation of offences, or if the Information Regulator determines that the notification will impede a criminal investigation by the public body concerned.
The Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of information if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.
_____________________________________________________________________ Top
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The POPIA contains a restriction on the transfer of personal information outside South Africa.
Transfers outside South Africa can take place if the transfer satisfies one or more of the following conditions: (i) the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for lawful processing in the POPIA (including, where applicable, in respect of data subjects that are legal entities); (ii) the data subject consents to the transfer; (iii) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; (iv) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or (v) the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to the transfer but if it were the data subject would be likely to give it.
Notification and approval of national regulator (including notification of use of Model Contracts)
Notification and approval of the Information Regulator must be obtained only where a responsible party seeks to transfer special personal information or personal information of a child to a third country without adequate protection.
Use of binding corporate rules
Binding corporate rules are specifically referred to in the provisions of the POPIA dealing with transfer of personal information to third countries.
Binding corporate rules are defined to mean personal information processing policies, within a group of undertakings (a controlling undertaking and its controlled undertaking), which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country.
_____________________________________________________________________ Top
Enforcement
Fines
Where a responsible party is alleged by the Information Regulator to have committed a criminal offence (including a failure to comply with an Enforcement Notice) under the POPIA, an administrative fine may be imposed by the Information Regulator for an amount of up to ZAR 10 million (approximately €598,000). The responsible party who receives an administrative fine can, instead of paying it, elect to be tried in court on a charge of having committed the alleged offence in terms of the POPIA.
Imprisonment
The Information Regulator can issue an Enforcement Notice for breach of the conditions for lawful processing. Failure to comply with that Enforcement Notice is a criminal offence, punishable by a term of imprisonment not exceeding 10 years, or a fine, or both.
Unlawfully obstructing the Information Regulator’s investigation; providing false information to the Information Regulator; or unlawfully dealing with an account number assigned to a data subject by a financial institution are also criminal offences punishable by a term of imprisonment not exceeding 10 years, or a fine, or both.
Failure to notify processing that is subject to prior authorisation from the Information Regulator (such as the transfer of special personal information to a third country without adequate protection); intentionally obstructing the execution of a search warrant issued to the Information Regulator; making a knowingly false statement to the Information Regulator in response to an enforcement or information notice; and failure to produce evidence when summoned to do so by the Information Regulator are criminal offences punishable by imprisonment for a period not exceeding 12 months, or a fine, or both.
Compensation
Data subjects have a statutory right under the POPIA to institute a civil action for damages for interference with their personal information, whether or not there is intent or negligence on the part of the responsible party.
A court may award the data subject: (i) compensation for patrimonial and non-patrimonial loss suffered; (ii) aggravated damages; (iii) interest; and (iv) costs of suit.
Other powers
The Information Regulator, on its own initiative, or at the request by or on behalf of an information officer or head of a private body or any other person, may make an assessment of whether a public or private body’s policies and implementation generally complies with the provisions of POPIA.
Practice
The grace period in relation to POPIA only ended on 1 July 2021. Since then, the Information Regulator has taken steps to develop its approach to the enforcement of POPIA. The Information Regulator has launched a platform which enables persons to lodge POPIA (and PAIA) complaints directly with the Information Regulator.
The Information Regulator has also established an enforcement committee which assists the Information Regulator with any POPIA complaints it is presented with. The enforcement committee is empowered to consider complaints and propose findings and recommendations to the Information Regulator. The Terms of Reference for the Enforcement Committee were updated in 2022.
The Information Regulator has also released Codes of Conduct for the Credit Bureau Association and the Banking Association of South Africa and has proposed codes of conduct for other associations and councils.
_____________________________________________________________________ Top
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
There are no specific ePrivacy laws but the POPIA does contain provisions relating to direct marketing.
_____________________________________________________________________ Top
Cookies
Conditions for use of cookies
POPIA does not expressly regulate the use of cookies. However, “online identifiers” do fall within the definition of personal information, so cookies may be subject to general data protection regulation under the POPIA.
Regulatory guidance on the use of cookies
There is no regulatory guidance on the use of cookies.
_____________________________________________________________________ Top
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
It is only possible to send direct marketing e-mails to data subjects if their consent has been obtained, or if the data subjects are customers of the responsible party and: (i) their contact details have been obtained in the context of the sale of a product or service; (ii) they are marketed to for the purpose of marketing the responsible party’s own similar products and services; and (iii) they have been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to the use of their contact details at the time the information was collected and on the occasion of each communication with the data subject for the purposes of marketing.
Subscribers may be approached for consent only once. They must also be provided with the opportunity to object to the receipt of the e-mails on the occasion of each communication.
Conditions for direct marketing by e-mail to corporate subscribers
There is no distinction between the conditions for direct marketing to individual subscribers and corporate subscribers. (Personal information in the POPIA includes information relating to legal entities).
Exemptions and other issues
An exemption similar to the similar products and services exemption applies, see above.
_____________________________________________________________________ Top
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The conditions are the same as those for e-mail marketing.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
See above.
Exemptions and other issues
See above.
_____________________________________________________________________ Top