Data Protection and Privacy
Data protection and privacy refer to the legal framework that governs how personal information is collected, processed, stored, shared, and secured. The objective is to ensure that personal information is handled lawfully and responsibly, with clear limits on access and use. Data privacy focuses on who may access personal information and under what conditions, while data protection sets out the organisational and technical measures required to keep that information secure.
What is Data Protection and Privacy?
These principles sit at the centre of modern business operations. Any organisation that processes employee, client, or supplier information must comply with POPIA and related regulatory duties, many of which intersect with broader commercial law obligations such as contract management, corporate governance, risk oversight, and accountability in business relationships.
The Legal Duties That Shape Data Protection Risk
Once an organisation collects personal information, it becomes legally accountable for how that information is used, protected, and shared. POPIA sets out eight processing conditions that apply from the moment data enters a business’s systems until it is securely disposed of. These conditions require clear purpose specification, minimal collection, lawful justification, and safeguards that are proportionate to the sensitivity of the information being handled.
Risk often arises because these duties apply to ordinary business activity.
Common scenarios include:
- Onboarding clients or employees
- Using cloud platforms or third-party service providers
- Running marketing databases
- Storing identification documents
- Managing access to internal systems
A business may comply on paper but fall short in practice. Examples include outdated access controls, incomplete processing notices, reliance on unsigned operator agreements, or inadequate measures for remote work environments. In each case, the organisation may be processing information unlawfully, even if no harm has occurred yet.
POPIA does not require intent to find a breach. Failure to implement reasonable safeguards, process information for a defined purpose, or maintain quality and accuracy can be enough to attract liability. These obligations apply continuously and extend to anyone acting on the organisation’s behalf, including contractors, outsourced service providers, and cloud vendors.
Where Businesses Breach POPIA Without Realising It
Most data protection failures do not begin with deliberate misconduct. They develop from normal processes that lack legal oversight or operational consistency.
Typical areas of unintentional breach include:
Unclear or Outdated Processing Notices
Processing notices that do not reflect current systems, data flows, or business activities may mislead data subjects and fall short of POPIA’s openness requirements.
Operator Relationships Without Proper Agreements
Many businesses rely on software providers, administrators, consultants, or outsourced teams who handle personal information. Without a compliant operator agreement, the responsible party remains fully liable for any unlawful processing by those operators.
Excessive or Irrelevant Data Collection
Collecting more information than is necessary for a stated purpose breaches the minimality principle. This is common in HR files, customer onboarding forms, and digital sign-up processes.
Weak Access and Security Controls
Shared passwords, uncontrolled administrator access, outdated encryption, and informal data-sharing practices undermine the security safeguards required under the Act.
Inconsistent Retention and Deletion Practices
Personal information retained indefinitely exposes the business to unnecessary risk. POPIA requires destruction or de-identification once data is no longer needed for lawful purposes.
Using International Platforms Without Transfer Safeguards
Cloud-based systems and global applications may store or process information outside South Africa. Section 72 sets strict requirements for these transfers, and many businesses are unaware they apply.
These issues often surface only during due diligence, internal audits, or when a regulator begins asking questions. By that stage, corrective steps can become significantly more complex.
Cross-Border and Third-Party Data Handling
Modern businesses rely heavily on external service providers and cloud-based systems. Whenever personal information leaves the organisation—whether through outsourcing, software platforms, shared workstreams, or international hosting—POPIA imposes additional safeguards. These requirements apply even when the business has limited visibility into the technical workings of the platform it uses.
When Personal Information Moves Beyond the Organisation
Information is considered transferred when:
- A cloud service stores data on servers outside South Africa,
- A vendor or consultant accesses internal systems,
- A multinational parent company receives employee or customer data, or
- Software integrations exchange data across jurisdictions.
Each of these situations activates a set of legal duties that are separate from ordinary processing obligations.
Requirements for Third-Party Processing (Operators)
Any person or entity that processes personal information on behalf of a business is an operator under POPIA. The responsible party must ensure that the operator processes information only with proper authorisation and under terms that reflect the Act’s requirements.
Key expectations include:
- A written operator agreement that clearly defines scope, instructions, security standards, and confidentiality obligations.
- Oversight mechanisms to ensure that operators apply appropriate safeguards and notify the organisation of any security compromise.
- Limitations on sub-processing to prevent uncontrolled access to personal information.
Many organisations assume that commercial contracts or service-level agreements are sufficient. In practice, they often lack the necessary granularity to meet POPIA’s standards.
Cross-Border Transfers Under Section 72
If personal information is transferred to a country outside South Africa, the business must ensure that the receiving jurisdiction or entity provides protection that is comparable to POPIA. This requirement applies even when the transfer happens automatically through a cloud provider or remote support service.
A cross-border transfer is generally lawful only if:
- The recipient is subject to adequate data protection laws,
- The data subject consents to the transfer after being properly informed,
- The transfer is necessary for contract performance, or
- The business uses binding agreements that ensure equivalent protection.
These conditions must be assessed before any platform, tool, or vendor is integrated into the organisation’s systems. Failure to do so exposes the business to regulatory scrutiny and contractual risk.
Common Problems With Outsourcing and Global Tools
Issues frequently arise when organisations:
- Adopt cloud platforms without reviewing data-hosting locations,
- Rely on parent companies’ internal systems without POPIA-aligned agreements,
- Allow external IT providers unrestricted access to personal information,
- Fail to verify whether foreign service providers comply with comparable standards.
These weaknesses often come to light during disputes, security incidents, or due-diligence processes—when immediate remediation is difficult and reputational impact is heightened.
Internal Governance and Documentation Requirements
A compliant data protection framework depends on more than secure systems. POPIA requires businesses to demonstrate accountability through clear governance structures, documented procedures, and consistent internal practices. These measures show how an organisation interprets and applies its legal duties in day-to-day operations.
The Information Officer’s Responsibilities
Every organisation must appoint and register an Information Officer. Their duties include:
- Overseeing POPIA compliance across the business,
- Managing data subject requests,
- Coordinating staff awareness and training, and
- Reporting security compromises to the Information Regulator.
Because these responsibilities carry statutory weight, the role cannot function as a nominal appointment.
Documents Every Organisation Must Maintain
Several documents form the backbone of POPIA compliance. At minimum, businesses need:
- Processing notices that explain how information is collected and used,
- Internal data protection and security policies,
- Records of processing activities, and
- A POPIA or combined POPIA–PAIA manual.
These documents guide staff, inform the public, and provide regulators with evidence that the organisation understands its obligations. They must reflect current systems and business practices to remain effective.
Retention and Destruction Protocols
POPIA requires personal information to be kept only as long as necessary. Organisations must establish retention schedules and ensure information is destroyed or de-identified once its purpose has been fulfilled. Clear protocols reduce long-term exposure and prevent uncontrolled accumulation of historical data.
The Importance of Staff Awareness
Even strong policies fail without employee understanding. Staff must know:
- How to recognise personal information,
- The limits on sharing it, and
- What steps to take when a concern arises.
A documented training programme demonstrates that the organisation has taken reasonable steps to prevent unlawful processing.
Data Breaches and Incident Response
A security compromise is one of the most serious events a business can face under POPIA. It includes any loss of personal information, unauthorised access, or incident that places data at risk. Once a compromise is identified, the organisation must act quickly and in a manner that reflects its legal obligations.
When a breach is suspected or confirmed, the organisation must:
- Contain the incident and secure affected systems,
- Determine what information was involved and how the event occurred,
- Document the investigation process, and
- Assess whether data subjects face potential harm.
Internal responses must be structured and well-documented, as any uncertainty or delay may increase liability.
Notification Duties
If the breach meets POPIA’s threshold, two notifications are mandatory:
- The Information Regulator must be informed with details of the nature of the compromise and the steps taken to address it.
- Affected individuals must be notified directly unless an alternative method is justified.
These notifications must be accurate and complete. Errors, omissions, or attempts to minimise the breach may draw regulatory scrutiny or lead to further consequences.
Business Impact
Beyond regulatory engagement, a breach often triggers commercial consequences. Contractual partners may demand assurances, insurers may request detailed investigations, and internal operations may need to be suspended or adjusted. A well-planned response reduces disruption and strengthens the organisation’s position in any subsequent proceedings.
When Legal Assistance Is Required
Data protection issues often arise without warning, and many situations require legal interpretation rather than operational judgment. Businesses should seek legal assistance when:
- A security compromise may require notification to the Regulator or data subjects,
- Cross-border transfers involve uncertain safeguards or unfamiliar jurisdictions,
- Agreements with vendors, consultants, or software providers involve access to personal information,
- Significant system changes, integrations, or cloud migrations affect how data is processed,
- Internal practices raise concerns about minimality, justification, or retention, or
- The organisation receives an enquiry, assessment notice, or complaint from the Information Regulator.
These situations carry immediate and long-term consequences. Early legal involvement helps preserve evidence, manage communication, and ensure decisions align with statutory obligations.
VDM Attorneys – Data Protection and Privacy Law
VDM Attorneys assists businesses with the full spectrum of POPIA compliance and data governance matters. Our team supports clients in assessing their data-handling practices, developing lawful processing frameworks, drafting and reviewing the documents required for compliance, and responding to security incidents or regulatory processes.