South Africa: Implementation of Protection of Personal Information Act (POPIA) after grace period
Description
Implementation of Protection of Personal Information Act (POPIA) after grace period
The operative provisions of the Protection of Personal Information Act (2013) including a new data protection regime come into effect after a one-year grace period following proclamation No. R21 in 2019. The Act introduces the rights to rectify, delete and access personal data and establishes rules for storing and transferring in other countries of personal data. Further, the Act specifies the limitations to processing certain categories of personal data. Finally, the Act establishes the "Information Regulator" as the supervisor body that should advise and monitor on data protection matters and enforce the prescriptions of the Act.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
central government
Complete timeline of this policy change
Hide details
2009-08-24
under deliberation
2013-08-20
adopted
2020-07-01
in force
2021-06-22
adopted
2021-06-22
adopted
Key regulatory dimensions
Regulated subjects
The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type
Any
Economic activity
cross-cutting
Category
All
Policy change by business practice
The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
User notification requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): storage (any form)
Regulatory tool
User right to rectification of personal data
User right to access personal data
User right to deletion of personal data
Preventive security requirement
Responsive security requirement
Purpose/processing limitation
Data storage/retention obligation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
User consent: Permit user opt-out
User notification requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: religious beliefs: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: biometric: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: ethnicity: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: political orientation: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: sexual orientation: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: information pertaining to minors: data processing
Regulatory tool
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): transfer: cross-border
Regulatory tool
Adequacy decision requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1