Initiative overview
The Protection of Personal Information Act (POPIA) is South Africa's binding data protection law, governing how personal information may lawfully be collected, stored, processed, and transferred. It applies broadly to any natural or juristic person processing personal information, including corporations and government entities. The Act identifies three role players: the data subject, the responsible party (equivalent to a "controller" in other jurisdictions), and the operator (equivalent to a "processor"). Responsible parties bear primary compliance obligations, including appointing an Information Officer, drafting a Privacy Policy, notifying data breaches, and ensuring operators meet the Act's lawful processing requirements.
Oversight and enforcement are vested in the Information Regulator, an independent body empowered to investigate complaints, conduct assessments, issue warrants and enforcement notices, and refer matters to an Enforcement Committee. The Act includes specific provisions for sensitive categories of personal information, such as health, race, religion, and children's data, as well as dedicated sections on automated decision-making (Section 71), direct marketing, and cross-border data transfers (Chapter 9). Penalties for non-compliance include fines, imprisonment, and compensation payable to affected data subjects.


























