The Protection of Personal Information Act (POPIA) is South Africa’s data protection law, similar to GDPR. The purpose of POPIA is to protect people from harm by protecting their personal information. It defines roles similar to those in GDPR: the data subject, the responsible party (data controller), and the operator (data processor).
POPIA allows companies and organisations to process data if it’s deemed in the user’s “legitimate interest”. POPIA defines consent as any voluntary, specific and informed expression of will.
The consent of the data subject is central. Websites, companies and organisations have to prove that their processing is lawful and that consent has been obtained from users.
What is the timeline of the Protection of Personal Information Act (POPIA)?
The POPI commencement date is 1 July 2020, with a 12-month grace period, which makes the deadline for organisations to comply 1 July 2021.
POPIA applies to the following businesses
Any company or organisation processing personal information in South Africa that is domiciled in the country, or that is not domiciled there but makes use of automated or non-automated means of processing in the country.
This includes adtech and social media companies that make use of automated processing.
What should be done by the responsible party?
- Appoint an Information Officer.
- Raise awareness amongst all employees.
- Amend contracts with operators.
- Report data breaches to the regulator and data subjects.
- Check that they can lawfully transfer personal information to other countries.
- Only share personal information when they are lawfully able to.
POPIA penalties for non-compliance
- A fine of between 1 million ZAR and 10 million ZAR, or imprisonment of one to ten years.
- Paying compensation to data subjects for the damage they have suffered.
Consent is required under POPIA
Personal information is only allowed to be processed if the end-user consents to the processing, including to the specific purposes for which the personal information is being collected.
A user can withdraw their consent at any time.
Use a consent management platform like UniConsent to offer consumers full control of data collection and opt-out features, and to manage communication preferences for POPIA compliance together with GDPR.
Personal rights under POPIA
- Right to be notified about collection and processing of personal information
- Right to access personal information
- Right to request correction of personal information
- Right to request deletion of personal information
- Right to object to the processing of personal information
- Right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications (clearly reflecting the ePrivacy Directive and not the GDPR)
- Right not to be subject to a decision that results in legal consequences based solely on automated processing
- Right to complain to the Information Regulator
- Right to effect judicial remedy
Eight conditions of lawful data processing in South Africa
All eight conditions must be met for personal information to be processed lawfully under POPIA. The consent of the data subject is central. Websites, companies and organisations have to prove that their processing is lawful and that consent has been obtained from users.
- Accountability (processing is lawful and done in a non-privacy infringing way)
- Processing limitation (processing only for the given purpose)
- Purpose specification (specific purpose must be explicitly defined)
- Further processing limitation (additional processing must still be in accordance with original purpose that the end-user gave their consent to)
- Information quality (make sure that the data is complete, accurate and updated)
- Openness (documentation of all processing operations)
- Security safeguards (must ensure protection and confidentiality of personal information)
- Data subject participation (ensure that end-users can exercise their rights to access, correct and delete their data)
The main supervisory and enforcing body under POPIA is the Information Regulator, SAIR.
Consent under POPIA vs GDPR
POPIA and the GDPR have almost identical definitions of consent.
POPIA definition: “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”