by Simone Soodyall
1st May 2021


The Protection of Personal Information Act, 2013 (“POPI” or “POPIA”) came into effect on 1st July 2020.

POPI was promulgated to protect the right to privacy in respect of the processing of personal information and balance the right to privacy against other rights, such as the right to access to information. The aim is to ensure that there is lawful processing of personal information.

In terms of POPIA, all natural and juristic persons are to ensure that there is lawful processing of personal information by implementing reasonable measures to protect the privacy and integrity of information collected, received, stored, disseminated and destroyed, which personal information relates to other persons.

POPI applies to any responsible party, being a natural or juristic person, public or private body, domiciled in the Republic of South Africa which is processing personal information or which makes use of processing measures within the Republic of South Africa. The responsible party (a firm, company, or other organization) is tasked with appointing an Information Officer who is registered with the Information Regulator by 1st July 2021 and ensures that reasonable measures are taken to comply with the Act.

Personal information is defined in the POPIA as any information relating to an identifiable living person (natural or juristic) and include inter alia race, age, marital status, identity number, contact details, banking account number, biometric details and residential address. POPI does not apply to the personal information processed from a person who is no longer alive at the time of such processing. This personal information emanates from a “data subject” who is defined in the Act as the person to whom the personal information relates.

The term “processing” is defined in the POPIA as “any operation or set of operations or activities, whether automated or non-automated, concerning personal information”, such activities to include inter alia: the collection, receipt, recording, organizing, storage, alteration, dissemination, distribution, merging and destruction of information. This processed information must be entered into a record (digital, written etc), which record the responsible party will have in its possession or under its control, whether it is created by the responsible party or not.

Chapter 3 of the Act contains eight conditions for the lawful processing of personal information which are outlined as follows:

1.         Accountability - the responsible party is to ensure that reasonable measures are taken to ensure compliance with the conditions of the Act;

2.         Processing limitation   - personal information may only be processed if it is processed in a reasonable manner, with the consent of the data subject, or if it is necessary for pursing or protection of a legitimate interest of the responsible party or third party. The personal information must be collected directly from the data subject unless obtaining such consent would prejudice a lawful purpose, collecting information from another source would not be prejudicial to the rights of such person, the information form public record or if compliance with obtaining consent would not be reasonably practicable in the circumstances.

3.         Purpose specification  - The personal information processed must be for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party itself. Such information cannot be retained for a period any longer than is required to fulfil such purpose unless required by law or lawful purposes related to the responsible party’s functions, or consent is obtained from the data subject. Should the information not be retained, destruction thereof must be done in such a manner that it prevents the reconstruction of it in an intelligible form.

4.         Further processing limitation – no further processing of the personal information is permissible unless it is in accordance or compatible with the purpose for which it was initially collected, including if there is consent for the further processing, if it is necessary by law or for the conduct of proceedings in court, in the interest of national security or if the information is used for historical or statistical research.

5.         Quality of information - Reasonably practicable steps must be taken to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

6.         Openness - The data subject must be made aware that the information is being collected, the purpose thereof, the identity of the responsible party, whether providing the information is voluntary or mandated by law, their rights in terms of Section 5 of the Act and what the responsible party intends to do with such information.

7.         Security safeguards - The responsible party must establish and maintain safeguards to secure the integrity and confidentiality of the personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised destruction of personal information and unlawful access to such information. Such duty extends to information processed on its behalf by third party operators. A breach of such security safeguards must be reported to the Information Regulator and the data subject.

8.         Data subject participation - The data subject has a right to request the responsible party to confirm whether their personal information is held by the responsible party and thereafter, request it to be altered, corrected, access to it or destroyed.

In an attempt to effectively balance the right of privacy with the right to access to information and freedom of expression, POPI does not apply to information being processed purely for household or private purposes, national security, a judicial function or solely for journalistic, literary or artistic expression.

It is therefore incumbent on the responsible party (a firm, company, or other organization) to ensure that the personal information of your clients is protected at every stage of its lifecycle within the organisation and with third parties. It is imperative for you to be POPI Compliant. To do so, we recommended that you consult with our POPIA Compliance team to assist with an overall POPIA Compliance Audit wherein we can advise on the implementation of tailor-made policies, contracts and training required for your organisation to be fully compliant by 1st July 2021.

Follow Us
For further info contact us on 031 826 4000 OR


1st May 2021

The Protection of Personal Information Act, 2013 (“POPI” or “POPIA”) came into effect on 1st July 2020. POPI was promulgated […]

Read More
12th Apr 2021

We may still be in the middle of a pandemic, but life and love have not slowed down in the […]

Read More
4th May 2020

Section 18 of the Children’s Act 38 of 2005 stipulates that parental responsibilities and rights in respect of a child […]

Read More
Sign up to our newsletter for all the latest legal news.
Field is required!
CNG Attorneys Inc. is a full service law firm based in Durban. We’re a B-BBEE Level 1 Contributor and an all female owned entity.

Our attorneys are experts in multiple areas of law in order to serve our client's every need. Our mission is to see our clients succeed, as they are our number one priority.
Glenashley, Durban North (Head Office)
Suite 1001, Glenashley Views, 1st Floor,
36 Newport Avenue, Glenashley, Durban
031 826 4000
F 086 762 3472
3 Wimble Close, Ballito, 4420, KZN
031 003 4359

Post Box
PostNet Suite 116, Private Bag X02, Glenashley, 4022
Copyright ©2019 CNG Attorneys, All Rights Reserved.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram