South Africa enters a new era of both the protection of and access to information.

1 July 2021 is a milestone in South Africa as it is the date when:

  • POPIA entered in full force.
  • the Information Regulator took over the oversight of the Promotion of access to Information Act (PAIA).

The Protection of Personal Information Act (PoPIA) regulates the collection, use and processing by responsible parties and operators (called controllers and processors in other jurisdictions) of personal information collected from an identifiable, living, natural person, or an identifiable, existing juristic person in South  Africa. The Information Regulator of South Africa monitors and enforces compliance with POPIA.

POPIA defines eight conditions for lawful processing of personal information:

  • Accountability;
  • Processing limitation;
  • Purpose specific;
  • Further processing limitation;
  • Information quality;
  • Openness;
  • Security safeguards;
  • Data subjects participation;

It also sets out the legal bases for processing (consent, performance of a contract, compliance with a legal obligation, legitimate interest of the data subject, performance of a public law duty, legitimate interest of the controller).

Our Lexing member for South Africa presents this important law in a clear way on a dedicated website

It also provides free online webinars (in English). In these webinars, you will for example learn that POPIA is quite similar to the GDPR, with both texts being 90% similar.

By registering to its POPIA programme, you will also have access to a whole range of tools that will help you master POPIA (GDPR vs POPIA comparative study, POPIA plain language infographic…).

  • What is the territorial scope of POPIA? Has it an extraterritorial reach like the GDPR?
  • Does POPIA protect the personal data of legal persons (called ‘juristic person’ in POPIA) ?
  • What rights does POPIA give to data subjects?
  • What about children?
  • What are the main differences between POPIA and the GDPR?
  • What are the deadlines for notifying a data breach?
  • Who should be designated as the “information officer”?
  • What is the “POPIA manual”?
  • What is the “account number”, the non-compliance of which can be punished by imprisonment?
  • What are the requirements for transferring personal data outside South Africa?
  • What does POPIA say about direct marketing?
  • What is the maximum administrative fine for a POPIA infringement?

Michalsons, our Lexing member for South Africa brings you the answer to all these questions, and many more. Visit its website!