South Africa: Enforcement of Protection of Personal Information Act (POPIA)
Description
Enforcement of Protection of Personal Information Act (POPIA)
On 1 July 2021, the Protection of Personal Information (POPIA) was fully implemented after Section 58(2) came into effect. Adopted in 2013, the POPIA applies to public and private “responsible parties” that process personal information (e.g. collect, receive or use data). The POPIA requires entities to obtain consent for the processing of personal information, enabling justifications such as contractual performance, legal obligations and legitimate interests of the data subject. Data subjects can withdraw consent and have the right to access, correct and delete their data, among others.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
legislature
Government Body
parliament
Complete timeline of this policy change
Hide details
2009-08-24
under deliberation
2013-08-20
adopted
2020-07-01
in force
2021-06-22
adopted
2021-06-22
adopted
Key regulatory dimensions
Regulated subjects
The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type
Any
Economic activity
cross-cutting
Category
All
Policy change by business practice
The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
User notification requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): storage (any form)
Regulatory tool
User right to rectification of personal data
User right to access personal data
User right to deletion of personal data
Preventive security requirement
Responsive security requirement
Purpose/processing limitation
Data storage/retention obligation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
User consent: Permit user opt-out
User notification requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: religious beliefs: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: biometric: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: ethnicity: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: political orientation: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: sexual orientation: data processing
Regulatory tool
Purpose/processing limitation
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data: information pertaining to minors: data processing
Regulatory tool
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1
personal data (all forms): transfer: cross-border
Regulatory tool
Adequacy decision requirement
Creation of other oversight body
Sanctions
Fine
Regulated subjects
1