
Overview of the Protection of Personal Information Act (POPIA)

The South African Protection of Personal Information Act (POPIA) is a data protection law that aims to safeguard personal information and promote privacy. It establishes rights for individuals and obligations for organizations that process personal data. POPIA applies to both public and private bodies and sets conditions for lawful data processing, including consent, purpose limitation, and data security.

The Protection of Personal Information Act is part of a global movement towards stricter data protection standards. It ensures that individuals retain control over how their information is collected, stored, and shared. For businesses, POPIA compliance is not optional — it is a legal obligation critical for maintaining trust and avoiding severe penalties.

Key Aspects of POPIA Compliance

Key aspects of POPIA:

  • Purpose – To promote the protection of personal information processed by public and private bodies.
  • Scope – Applies to any natural or juristic person who processes personal information, whether using automated or non-automated means.
  • Conditions for Lawful Processing – POPIA outlines conditions for lawful processing of personal information, such as consent, necessity for a specific purpose, and data minimization.
  • Data Subject Rights – Individuals have rights regarding their personal information, including access, rectification, and objection to processing.
  • Information Regulator – The Information Regulator is established to promote and enforce POPIA, and individuals can lodge complaints with the regulator.
  • Penalties for Non-Compliance – Violations of POPIA can result in penalties, including fines and imprisonment.

The POPI Act clearly defines how organisations must approach the collection and use of personal data. Failing to meet these key aspects could expose an organisation to reputational damage, legal liability, and substantial financial sanctions.

Who Does POPI Act Apply To?

The POPI Act applies to any individual or organisation, both public and private, that processes the personal information of South Africans. This includes companies, government bodies, and even individuals who handle personal information, whether they are based in South Africa or not, as long as they are using means within South Africa to process the data.

The question of who does POPI Act apply to is broader than many realise. It captures anyone — from multinational corporations to small businesses and even sole proprietors — if they manage personal information in any form. There are no exemptions based on company size or industry.

Specifically, the POPI Act applies to all property practitioners, including but not limited to estate agents, auctioneers, leasing agents, mortgage brokers and property developers. These professionals regularly collect, process, and store personal information such as identity numbers, financial details, and contact information, making compliance essential.

How POPIA Affects Cold Calling Practices

Under POPIA you can only make one initial cold call to obtain consent for direct marketing. Once a person has given consent, you can then continue to contact them for direct marketing purposes unless they opt out. You cannot make multiple calls to obtain consent or solicit a consumer's consent if they have previously opted out.

For existing customers, you may be able to contact them for direct marketing purposes unless they have opted out.

This restriction on cold calling represents a major shift for marketing teams. Organisations must maintain detailed records of consent and respect consumers' wishes if they opt out. Violating these provisions can expose a business to penalties and complaints to the Information Regulator.

Consent under POPIA

Section 11 of POPIA covers consent for processing personal information from the data subject. Consent under POPIA can be either expressed (explicitly given in writing, electronically, or verbally) or implied (through actions that indicate agreement, such as providing data to complete a purchase).

Verbal consent is valid under POPIA. However, it's important to note that for sensitive personal information, like health or biometric data, explicit consent is generally required, whether verbal or written, unless another legal basis applies. POPIA defines consent as a voluntary, specific, and informed expression of will, and it can be given through various means, including verbal statements.

Businesses should not assume consent by default. In every case, organisations must be able to demonstrate that consent was freely given, informed, and related specifically to the processing activity in question.

Data Security Obligations

POPIA requires organisations to implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data, including data breach notification procedures.

Data security under POPIA involves much more than installing firewalls or encrypting databases. Organisations are required to conduct regular risk assessments, implement robust data handling policies, and train employees on data protection principles. In the event of a breach, the organisation must notify both the Information Regulator and the affected individuals promptly and transparently.

Penalties for Non-Compliance

Non-compliance with POPIA can result in significant fines, ranging from R10 million for serious offenses. The Information Regulator, the body responsible for enforcing POPIA, can impose these administrative fines. Additionally, individuals can face imprisonment for up to 10 years, or both a fine and imprisonment, for serious offenses.

The Information Regulator considers several factors when determining the amount of an administrative fine, including the nature of the personal information involved, the number of data subjects affected, the likelihood of damage or distress, and the preventability of the contravention.

The stakes for compliance are high. Failure to adequately protect personal information can have devastating consequences for an organisation’s finances, operations, and reputation. Business owners, trustees, directors, and property practitioners all need to take POPIA compliance seriously and proactively.

Work with a Property Lawyer Experienced in POPIA Compliance

As compliance requirements tighten under the Protection of Personal Information Act, working with a knowledgeable legal advisor becomes critical. A skilled property lawyer can assist with drafting privacy notices, structuring lawful data collection practices, and ensuring that business procedures comply fully with POPIA requirements.

VDM Incorporated provides clear, practical legal support for property practitioners, businesses, and individuals dealing with POPIA obligations. From updating lease agreements to responding to regulatory enquiries, VDM Incorporated delivers focused, actionable advice to protect your legal and business interests.
