South Africa POPIA Compliance
Overview
The Protection of Personal Information Act (POPIA), Act No. 4 of 2013, is South Africa's comprehensive data protection law. It came into full effect on 1 July 2021 following a one-year grace period after commencement on 1 July 2020. POPIA is modelled broadly on EU data protection principles but is adapted to the South African constitutional framework, specifically Section 14 of the Constitution (right to privacy). The Information Regulator is the independent supervisory authority responsible for enforcement. POPIA applies to any responsible party (controller) that is domiciled in South Africa or that uses automated or non-automated means within South Africa to process personal information, unless those means are used only to forward information through the Republic.
Key Definitions
| POPIA Term | GDPR Equivalent | Definition |
|---|---|---|
| Personal information | Personal data | Information relating to an identifiable living natural person or identifiable existing juristic person (POPIA uniquely covers juristic persons) |
| Special personal information | Special category data | Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, criminal behaviour (Section 26) |
| Responsible party | Controller | A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing (Section 1) |
| Operator | Processor | A person who processes personal information for a responsible party in terms of a contract or mandate (Section 1) |
| Data subject | Data subject | The person to whom personal information relates (includes juristic persons) |
| Information Officer | DPO | Head of organisation or designated person responsible for encouraging compliance (Section 55) |