South African POPI Act Explained

In this article, we’ll share some of the key components and a basic summary of the POPI Act (POPIA) that may be relevant to your business. Of course, each business will have different processes and will require different policies, but the basics are explained below. At the end of this article, we also include resources where you can read the full POPI Act, and we share a sample Privacy Policy which you can insert into your website or areas where private information is gathered.

The purpose of the Act:

To promote the protection of personal information processed by public and private bodies (regulate how a person’s data is stored, used, etc.) and to provide for the rights of persons regarding unsolicited electronic communications. (In a nutshell)

How it may affect your business:

  • You may need to put systems in place to store data securely, especially if you gather personal information like email addresses, telephone numbers, identity-related information, or documents.
  • You may no longer market or communicate with people who have not consented to receive your communications. This does not mean you need to throw out any databases you have collected until now, but it does mean you will need to make sure that existing subscribers can opt-out at any time and any new subscribers should consent to receive marketing from you.

Appoint an Information Officer:

  • The Information Officer is responsible for ensuring the Company’s compliance with POPIA.
  • Where no Information Officer is appointed, the head of the Company will be responsible for performing the Information Officer’s duties.
  • Once appointed, the Information Officer must be registered with the South African Information Regulator ( ) established under POPIA prior to performing his or her duties.

Rights of Data Subjects

  • The data subject has the right to decide whether data may be collected or not.
  • The data subject has the right to ask for data to be changed or deleted.
  • The data subject has the right to object to the processing of their data. Processing data can include items such as performing a credit check on a customer or applying for a credit facility/loan. (Similarly, the company may refuse to take on a client if the client is not willing to adhere to the necessary checks or provide the data required by the company to issue its services to the client.)
  • The right to object to direct marketing or unsubscribe from direct marketing.

Direct marketing by means of unsolicited electronic communications

  • Direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs, or e-mail is prohibited unless consent has been given.
  • Companies may only process the personal data of a customer if the information was obtained in the context of the sale of a product or service and the direct marketing is about the company’s own products or similar products.
  • All direct marketing communication must contain details of the company and an address, contact details, or a link to unsubscribe.

Administrative fines

  • If a company is alleged to have committed an offense in terms of this Act, the Regulator may cause an infringement notice to be delivered by hand to that person.
  • The notice must contain the name and address of the person who listed the complaint, the particulars of the alleged offense, and the amount of the administrative fine payable (not exceeding R10 million).

The company can respond by paying the fine, making arrangements to pay the fine, or going to court within the time permitted.

Action Steps

For most business owners, this does not change much but to protect yourself, we recommend putting the following in place:

  • A privacy policy on your website
  • Making sure any data you store is safely stored and managed correctly
  • Making sure that customers consent to direct marketing or can opt-out if they do not want to receive marketing.
  • Appointing an Information Officer to stay up to date with any new regulations and help you implement what is necessary in your business.



To find the detailed POPI Act – visit

Appointment of Information Officer:

Privacy Policy Example: 

