The POPI Act was promulgated on 26 November 2013, with the intention of promoting the right to privacy as provided for in the Constitution. In essence, POPIA is designed to balance the legitimate needs of an organisation to collect and use personal information with an individual’s right to privacy.

The commencement date for the Act was 1 July 2020, and organisations have 12 months within which to become compliant (i.e. by 30 June 2021).

Central to the Act is the requirement that the ‘processing’ of any and all ‘personal information’ be done in compliance with the 8 conditions for the lawful processing of personal information. These conditions are as follows:



1. Accountability

Ensure compliance with all 8 conditions for lawful processing.

2. Processing Limitation

Ensure processing has a legal basis, is reasonable, and that the information processed and collected falls within one of the prescribed circumstances.

3. Purpose Specification

Ensure collection for a specific purpose, retention for the required period, destruction when required, and restriction of access in the prescribed circumstances.

4. Further Processing Limitation

Ensure further processing is compatible with the initial purpose of collection.

5. Information Quality

Ensure the completeness and accuracy of personal information.

6. Openness

Ensure there is a compliant PAIA / POPIA Manual and make data subjects aware of various disclosures, except where non-compliance is permitted by the Act.

7. Security Safeguards

Ensure there are compliant security safeguards to protect personal information.

8. Data Subject Participation

Ensure there are compliant mechanisms whereby data subjects can request access to their information and the correction / deletion of that information.

The Act defines ‘personal information’ as follows:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
  • Information relating to the education or the medical, financial, criminal or employment history of the person.
  • Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
  • The biometric information of the person.
  • The personal opinions, views or preferences of the person.
  • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
  • The views or opinions of another individual about the person.
  • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

This already broad definition is compounded by the definition of ‘processing’, which includes any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • Dissemination by means of transmission, distribution or making available in any other form; or
  • Merging, linking, as well as restriction, degradation, erasure or destruction of information.

We can help you remain compliant by getting all your POPI legal documentation and training done in one convenient place.

Our services include assistance with:

Complete our quick registration form to get started.
