South Africa Data Privacy Laws: Complete POPIA Guide (2026)

South Africa's Protection of Personal Information Act (Act 4 of 2013) governs how every organization collects, stores, and shares personal information. Fully enforceable since July 1, 2021, POPIA requires satisfying eight conditions for lawful processing and empowers the Information Regulator to impose fines up to ZAR 10 million.
South Africa's Protection of Personal Information Act (POPIA), formally cited as Act 4 of 2013, is one of the most comprehensive data protection frameworks on the African continent. Signed into law on November 19, 2013, POPIA did not become fully enforceable until July 1, 2021, after a 12-month grace period that began when the remaining sections commenced on July 1, 2020.
POPIA governs how every public and private body in South Africa collects, stores, processes, and shares personal information. Unlike most international data protection laws, POPIA extends its protections beyond natural persons to include juristic persons such as companies and trusts, a feature that has significant practical implications for standard contractual clauses used in cross-border transfers.
This guide covers every major aspect of POPIA compliance as of 2026, including the constitutional foundation, the eight conditions for lawful processing, data subject rights, breach notification obligations, cross-border transfer rules, the 2025 regulatory amendments, enforcement actions, and the penalties organizations face for non-compliance.
Quick Answer: Key Facts About South Africa's Privacy Law
South Africa's main data privacy law is POPIA (Act 4 of 2013). It applies to all organizations that process personal information within South Africa. The supervisory authority is the Information Regulator. Maximum administrative fines reach ZAR 10 million. The law became fully enforceable on July 1, 2021.
The eight conditions for lawful processing are: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, and Data Subject Participation.
Organizations can also face criminal prosecution. Serious offences carry up to 10 years' imprisonment. This distinguishes POPIA from the EU GDPR, which imposes no criminal imprisonment.
Constitutional Basis: Section 14 and the Right to Privacy
POPIA gives legislative effect to Section 14 of the Constitution of the Republic of South Africa, 1996, which establishes privacy as a fundamental constitutional right.
Section 14 provides that everyone has the right to privacy, which includes the right not to have their person or home searched, their property seized, their communications intercepted, or their private information unlawfully revealed.
POPIA operationalizes this right in the data context by setting specific obligations for responsible parties and granting data subjects enforceable rights. The Constitutional Court of South Africa has consistently interpreted privacy broadly, recognizing it as a right that enables individual autonomy and dignity. POPIA's eight conditions and data subject participation rights translate these constitutional values into practical compliance obligations.
POPIA and PAIA: Complementary Statutes
POPIA must be read together with the Promotion of Access to Information Act 2 of 2000 (PAIA). Both statutes balance competing constitutional rights and are jointly administered and enforced by the Information Regulator.
PAIA gives effect to Section 32 of the Constitution, which establishes the right of access to information held by the state or by private bodies where the information is required for the exercise or protection of any right. PAIA creates mechanisms for requesting access to records held by public and private bodies.
POPIA and PAIA operate in parallel. POPIA restricts the disclosure of personal information, while PAIA creates pathways for accessing information. When these rights conflict, the responsible party must weigh the privacy interests of the data subject against the legitimate information access interest of the requester.
The 2025 amendments to the POPIA Regulations also touched PAIA, removing the prior requirement for information officers to maintain a PAIA Manual, reducing administrative burden while leaving core PAIA access obligations intact.
What Is POPIA and Who Does It Apply To?
The Protection of Personal Information Act was enacted to promote the protection of personal information processed by public and private bodies and to introduce minimum requirements for lawful processing. It also establishes the Information Regulator as an independent oversight body and regulates the flow of personal information across South Africa's borders.

POPIA applies to every organization that processes personal information within South Africa. This includes businesses of all sizes, government departments, non-profit organizations, and any foreign entity that processes personal information using means located within South Africa.
Key Definitions Under POPIA
Understanding POPIA requires familiarity with its specific terminology, which differs from the language used in the EU's General Data Protection Regulation (GDPR).
Personal Information covers any information relating to an identifiable, living natural person or an identifiable, existing juristic person. This includes names, contact details, identification numbers, biometric data, financial information, employment history, location data, and even personal opinions.
Responsible Party is the equivalent of a "data controller" under the GDPR. This is the entity that determines the purpose and means of processing personal information.
Operator functions like a "data processor" under the GDPR. An operator processes personal information on behalf of a responsible party under a contract or mandate.
Data Subject is the person (natural or juristic) whose personal information is being processed.
Processing is broadly defined to include any operation performed on personal information, including collection, storage, modification, retrieval, consultation, use, disclosure, dissemination, merging, restriction, degradation, erasure, or destruction.
The Eight Conditions for Lawful Processing
POPIA establishes eight conditions that every responsible party must satisfy when processing personal information. These conditions form the legal backbone of the Act and apply to all processing activities.
1. Accountability (Section 8)
The responsible party bears ultimate accountability for ensuring compliance with all conditions of lawful processing. This obligation persists even when the responsible party transfers personal information to a third party or operator for processing.
Accountability requires organizations to implement appropriate measures, including policies, procedures, and training programs, to ensure that all processing activities comply with POPIA. The responsible party must be able to demonstrate compliance if challenged by the Information Regulator or a data subject.
2. Processing Limitation (Sections 9-12)
Personal information must be processed lawfully and in a manner that does not infringe on the data subject's privacy. Processing is only lawful when it meets at least one of the justification grounds set out in Section 11.
Section 10 introduces the principle of minimality, requiring that personal information collected must be adequate, relevant, and not excessive for the purpose of processing. Organizations cannot collect more data than they genuinely need.
Section 11 sets out the lawful grounds for processing, which include the data subject's consent, necessity for performing a contract, compliance with a legal obligation, protection of a legitimate interest of the data subject, performance of a public law duty, and pursuit of the legitimate interests of the responsible party or a third party.
Section 12 requires that personal information be collected directly from the data subject, with exceptions only where collection from another source is authorized by law or necessary for a lawful purpose.
3. Purpose Specification (Sections 13-14)
Personal information must be collected for a specific, explicitly defined, and lawful purpose related to the responsible party's function or activity. Section 13 prohibits collecting personal information without a clear reason for doing so.
Section 14 addresses data retention, requiring that personal information must not be kept for longer than necessary to achieve the purpose for which it was collected. Once the purpose has been fulfilled, the information must be destroyed, deleted, or de-identified unless retention is required by law, reasonably necessary for a lawful purpose, or required under a contract between the parties.
4. Further Processing Limitation (Section 15)
Personal information must not be processed for a purpose that is incompatible with the original collection purpose. Section 15 provides factors for assessing compatibility, including the relationship between the original and further purposes, the nature of the information, the consequences for the data subject, the manner of collection, and any contractual rights or obligations.
5. Information Quality (Section 16)
Responsible parties must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary. This obligation considers the purpose for which the information was collected or will be further processed.
6. Openness (Section 18)
When collecting personal information, the responsible party must take reasonably practicable steps to ensure the data subject is aware of specific details. These include the identity of the responsible party, the purpose of collection, whether the supply of information is voluntary or mandatory, the consequences of failure to provide the information, any law authorizing or requiring the collection, and whether the responsible party intends to transfer the information to a third country.
7. Security Safeguards (Sections 19-22)
Responsible parties must secure the integrity and confidentiality of personal information by implementing appropriate technical and organizational measures. Section 19 requires organizations to identify all reasonably foreseeable internal and external risks, establish and maintain appropriate safeguards, regularly verify the effectiveness of those safeguards, and ensure safeguards are continually updated in response to new risks.
Operators (processors) must establish and maintain security measures with the written consent of the responsible party, notify the responsible party immediately of any security compromises, and treat all personal information as confidential.
8. Data Subject Participation (Sections 23-25)
Data subjects have the right to request confirmation of whether a responsible party holds their personal information, to access a record or description of that information, and to request correction, destruction, or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained information.
Responsible parties must respond to access requests within a reasonable time, in a reasonable manner, at a prescribed fee (if any), and in a form that is generally understandable.
Legal Bases for Processing (Section 11)
Section 11 sets out the six lawful bases for processing personal information. Every processing activity must be justified by at least one of these bases.
Consent. The data subject has given specific, voluntary, and informed consent to the processing of their personal information.
Contractual necessity. Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into a contract.
Legal obligation. Processing is necessary to comply with a legal obligation binding on the responsible party.
Data subject's vital interests. Processing is necessary to protect the legitimate interests of the data subject.
Public law duty. Processing is necessary for the performance of a public law duty by a public body.
Legitimate interests. Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party, provided that the legitimate interests are not outweighed by the data subject's privacy interests.
Consent under POPIA must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent clauses buried in lengthy terms do not meet the standard.
Data Subject Rights Under POPIA
POPIA grants comprehensive rights to data subjects that go beyond the eight conditions for lawful processing.
Right to Be Notified
Data subjects have the right to be informed when their personal information is being collected (Section 18) and when a security compromise has occurred that may affect them (Section 22).
Right to Access
A data subject who provides adequate proof of identity may request confirmation that a responsible party holds their personal information and may request access to that information under Section 23.
Right to Correction and Deletion
Data subjects may request that their personal information be corrected if it is inaccurate, irrelevant, excessive, out of date, incomplete, or misleading. They may also request deletion if the responsible party is no longer authorized to retain the information. Under the 2025 amended Regulations, responsible parties must notify data subjects in writing within 30 days of the action taken on such a request.
Right to Object to Processing
Under Section 11(3), a data subject may object to the processing of their personal information on reasonable grounds relating to their particular situation, unless the processing is authorized by legislation. If the objection is justified, the responsible party must stop processing. The 2025 amended Regulations allow objections to be submitted via hand delivery, fax, post, email, SMS, or WhatsApp, and telephonic objections must be recorded and made available to the data subject free of charge upon request.
Right to Object to Direct Marketing
Section 69 prohibits unsolicited electronic direct marketing unless the data subject has provided opt-in consent. POPIA replaced the previous opt-out model with a strict opt-in requirement. Data subjects have the right to opt out of direct marketing at any time, and responsible parties must provide an accessible mechanism for doing so.
Right Regarding Automated Decision-Making
Section 71 provides that a data subject may not be subjected to a decision that produces legal consequences or substantially affects them if that decision is based solely on automated processing intended to create a profile. Exceptions apply when the decision is made in connection with a contract, when appropriate protective measures are in place, or when the decision is governed by law or a code of conduct.
Special Personal Information and Children's Data

POPIA imposes heightened protections on certain categories of sensitive data.
Special Personal Information (Sections 26-33)
The processing of special personal information is generally prohibited under Section 26 unless specific exceptions under Sections 27 through 33 apply. Special personal information includes religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behavior.
Lawful processing of special personal information requires the data subject's explicit consent, processing necessary to establish a legal claim, processing required by law, or processing for historical, statistical, or research purposes where adequate safeguards are in place.
Children's Personal Information (Sections 34-35)
POPIA defines a child as any person under 18 years of age who is not legally competent. Processing of a child's personal information is prohibited under Section 34 unless a competent person (parent or guardian) has consented, processing is necessary to comply with a legal obligation, or the Information Regulator has granted authorization.
Breach Notification Requirements (Section 22)
POPIA requires prompt notification when a security compromise occurs.
Notification Trigger
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorized person, the responsible party must notify both the Information Regulator and the affected data subject.
Timing
Section 22 requires notification "as soon as reasonably possible" after discovering the compromise. While the Act does not prescribe a specific statutory deadline, the Information Regulator's Guidance Note on Security Compromises sets an expectation of notification within 72 hours.
Mandatory eServices Portal (From April 1, 2025)
As of April 1, 2025, all public and private entities must submit data breach notifications through the Information Regulator's eServices Portal. Email submissions are no longer accepted. The portal was introduced to standardize reporting quality and improve the Regulator's ability to monitor and respond to security incidents.
In the 2024-2025 financial year, 2,374 security compromise incidents were reported to the Regulator, averaging 198 per month. From the start of the 2025-2026 financial year through early 2026, 1,947 compromises were reported at an average of 284 per month, a 40 percent increase over the same period in the prior year.
Required Content of Notification
The notification to data subjects must include a description of the possible consequences of the security compromise, a description of the measures the responsible party intends to take or has taken to address the compromise, and a recommendation regarding measures the data subject can take to mitigate potential adverse effects.
Permitted Delays
Notification to the data subject may be delayed only if a law enforcement agency or the Information Regulator determines that notification would impede an ongoing criminal investigation.
The Information Regulator: Structure and Powers
The Information Regulator is an independent body established under Section 39 of POPIA. It is subject only to the Constitution and applicable law and is accountable to the National Assembly. The Regulator is responsible for enforcing both POPIA and PAIA.
Composition
The Information Regulator consists of a Chairperson and four full-time members appointed by the President on the recommendation of the National Assembly. Members serve five-year terms and may be reappointed once.
Powers of the Regulator
The Information Regulator has broad enforcement powers, including the authority to conduct assessments and investigations, issue enforcement notices requiring compliance within specified timeframes, issue infringement notices imposing administrative fines, initiate or intervene in legal proceedings, and refer matters for criminal prosecution.
The Regulator may also issue codes of conduct for specific sectors, conduct own-initiative investigations, and enter into agreements with foreign data protection authorities for information sharing and mutual assistance.
Registration of Information Officers
Every organization must designate an Information Officer and register them with the Information Regulator through the eServices Portal before commencing duties, as required by Section 55(2). Organizations may also appoint one or more Deputy Information Officers to assist in compliance duties.
While no formal qualifications are prescribed by law, the Regulator expects appointees to have a reasonable understanding of POPIA and the organization's business operations. Where no separate Information Officer appointment is made, the head of the organization automatically holds the role.
Under the 2025 amended Regulations, the prior requirement for information officers to prepare a PAIA Manual was eliminated, reducing compliance paperwork while leaving substantive PAIA obligations intact.
Cross-Border Data Transfers (Section 72)
Section 72 restricts the transfer of personal information outside the Republic of South Africa.
Adequacy Requirement
The primary mechanism for cross-border transfers is the adequacy standard. The recipient in a foreign country must be subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to POPIA's conditions for lawful processing.
A significant practical challenge is that POPIA does not specify which countries provide adequate protection, nor does it establish a formal adequacy recognition mechanism comparable to the EU's adequacy decisions. The burden falls on each responsible party to assess the adequacy of the foreign country's data protection framework and document that assessment.
Alternative Transfer Mechanisms
Section 72 recognizes four lawful bases for cross-border transfers.
Adequacy. The recipient country has laws, binding corporate rules, or contractual protections that provide substantially similar protection to POPIA.
Consent. The data subject has provided explicit consent to the proposed transfer after being informed of the potential risks.
Contractual necessity. The transfer is necessary for the performance or conclusion of a contract between the data subject and the responsible party, or a contract between the responsible party and a third party in the interest of the data subject.
Data subject's interest. The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent.
The Juristic Person Complication
A distinct challenge in cross-border transfers from South Africa is POPIA's coverage of juristic persons. Standard contractual clauses developed for GDPR compliance are typically drafted to protect only natural persons. European organizations have sometimes declined to amend these templates to extend protection to juristic persons, creating a gap in cross-border transfer mechanisms for organizations whose data subjects include companies or trusts.
Special and Children's Information
Organizations intending to transfer special personal information or children's data to countries without adequate protection must obtain prior authorization from the Information Regulator before the transfer proceeds.
Penalties and Criminal Offences
POPIA imposes both administrative and criminal penalties for non-compliance.
Administrative Fines
The Information Regulator may impose administrative fines of up to ZAR 10 million (approximately USD 550,000 as of 2025) through infringement notices. These fines may be issued when an organization fails to comply with an enforcement notice within the specified deadline.
Under the 2025 amended Regulations, organizations may now apply to pay administrative fines in installments based on financial circumstances and compelling reasons, rather than as a lump sum.
Criminal Penalties (Sections 100-107)
POPIA creates several criminal offences, a feature that distinguishes it from many other data protection laws including the GDPR.
Serious offences (Section 107(1)(a)) carry penalties of a fine or imprisonment for up to 10 years, or both. These include obstructing the Information Regulator (Section 100), failing to comply with an enforcement notice (Section 103(1)), unlawful acts by responsible parties in connection with account numbers (Section 105), and unauthorized access to or alteration of personal information records (Section 106).
Less serious offences (Section 107(1)(b)) carry penalties of a fine or imprisonment for up to 12 months, or both. These include failure to comply with procedural requirements and obstructing witnesses.
Notable Enforcement Actions
The Information Regulator has increasingly exercised its enforcement powers since POPIA became fully enforceable in 2021.
Department of Justice and Constitutional Development (2023)
In May 2023, the Information Regulator issued an enforcement notice against the Department of Justice and Constitutional Development following a ransomware attack in September 2021 that compromised personal information held by the department. The investigation found that the department had failed to renew licenses for its antivirus software, security information and event management system, and intrusion detection solutions, with some licenses expiring in 2020.
When the department failed to comply with the enforcement notice within the 31-day deadline, the Regulator issued a ZAR 5 million infringement notice on July 3, 2023. This was the first substantial administrative penalty issued under POPIA. The department challenged both notices in court, where the matter remained pending as of this guide's date.
Department of Basic Education (2024)
The Information Regulator instructed the Department of Basic Education not to publish matric examination results in newspapers, on the grounds that this constituted unlawful processing of students' personal information. When the department failed to comply, the Regulator issued an enforcement notice followed by a ZAR 5 million administrative fine. The matter is before the courts.
Blouberg Local Municipality (2025)
The Information Regulator issued a ZAR 500,000 administrative fine against Blouberg Local Municipality for exposing the personal information of a former employee online and failing to remediate the exposure after being directed to do so. The municipality subsequently failed to pay the fine, prompting the Regulator to initiate court proceedings for enforcement.
Lancet Laboratories (2025)
Lancet Laboratories was fined ZAR 100,000 after the Regulator issued a formal warning regarding multiple data breaches and the laboratory failed to notify affected data subjects within a reasonable time as required by Section 22.
FT Rams Consulting (2024-2025)
FT Rams Consulting was fined ZAR 100,000 for sending unsolicited direct marketing communications and failing to comply with an enforcement notice. The Regulator subsequently initiated court proceedings after the fine remained unpaid.
WhatsApp LLC (Meta) (2024-2025)
Following a multi-year investigation, the Information Regulator issued an enforcement notice against WhatsApp in September 2024, publicly announced in April 2025. The investigation found that WhatsApp applied different privacy policies and terms of service to South African users compared to European users, with European users receiving stronger protections.
The Regulator identified breaches of multiple POPIA sections including accountability (Section 8), processing limitation (Section 9), consent (Section 11), purpose specification (Section 13), and further processing limitation (Section 15). The matter was resolved through a settlement agreement in which WhatsApp agreed to enhance the transparency of information provided to South African users. The settlement will be made an order of court.
Independent Electoral Commission (2024)
The Regulator issued an enforcement notice against the Independent Electoral Commission after candidate nomination lists for the ANC and MK parties were leaked before the May 2024 national and provincial elections. The investigation found inadequate access control measures and a failure to notify affected data subjects as required by Section 22.
South African Police Service (2023)
The Regulator took action against the South African Police Service after officers shared personal information of gang rape victims, including names, ages, home addresses, and identity numbers, in a consumer WhatsApp group.
Dis-Chem Pharmacies (2024)
In early 2024, the Regulator issued an enforcement notice against Dis-Chem Pharmacies following a security compromise that exposed customer personal information, requiring specific remedial measures.
2025 POPIA Regulations Amendments (GN 6126)
On April 17, 2025, the Information Regulator published significant amendments to the POPIA Regulations under Government Notice GN 6126 of 2025. These amendments came into effect immediately upon publication.
What Changed
Regulation 1 (Definitions). New definitions were added for "complainant," "complaint," "day," "office hours," and "writing" (aligned with the Electronic Communications and Transactions Act), bringing greater clarity to the Regulations.
Regulation 2 (Objection to Processing). The 2025 amendments eliminated the requirement to use a specific prescribed form for submitting objections. Data subjects may now lodge objections by hand delivery, fax, post, email, SMS, WhatsApp, or any other expedient manner. Telephonic objections are valid if the responsible party records the call and makes the recording available to the data subject free of charge upon request. Responsible parties are now required to inform data subjects of their right to object at the time of data collection.
Regulation 3 (Correction and Deletion). Requests for correction, destruction, or deletion must be accepted free of charge through the same expanded channels as objections. Responsible parties must notify the data subject in writing within 30 days of the outcome of the request.
Regulation 4 (Information Officer Duties). The requirement for information officers to prepare a PAIA Manual was removed. Information officers must continue to develop and maintain internal compliance frameworks and registers.
Regulation 6 (Direct Marketing Consent). Consent for direct marketing must be explicit and recorded, obtainable by fax, telephone, email, SMS, WhatsApp, or automated systems. The amendments clarified that an opt-out mechanism alone does not constitute valid consent for unsolicited electronic communications under Section 69(2).
Regulation 7 (Complaint Procedures). Standing to lodge complaints was expanded to include third parties acting in the public interest. The Information Regulator must acknowledge complaints and provide a reference number within 14 days. Assistance must be available in languages other than English. The identity of a complainant may be protected where disclosure would trigger obligations under the Protected Disclosures Act.
Regulation 13 (Administrative Fines). A new provision allows responsible parties to apply to pay administrative fines in installments based on financial circumstances and compelling reasons presented to the Regulator.
Direct Marketing Rules Under POPIA
Section 69 imposes strict rules on electronic direct marketing that affect every business communicating with South African consumers.
Direct marketing by means of unsolicited electronic communications, including email, SMS, fax, automated calls, and telephone calls, is prohibited unless the data subject has given prior opt-in consent or is an existing customer of the responsible party.
For existing customers, a responsible party may market similar products or services without fresh consent, provided the customer was given a reasonable opportunity to object when their information was first collected and on each subsequent communication.
Every marketing communication must clearly identify the sender and provide an accessible opt-out mechanism. A data subject's opt-out request must be honored free of charge.
In December 2024, the Information Regulator published a Guidance Note on Direct Marketing confirming that telephone calls fall within the definition of "electronic communication" under POPIA, closing a loophole that some organizations had exploited to run telemarketing campaigns without obtaining prior opt-in consent.
POPIA vs. GDPR: Key Differences
Organizations operating across both South Africa and Europe need to understand how POPIA differs from the GDPR.
Scope of protection. POPIA covers both natural persons and juristic persons (companies and trusts). The GDPR protects only natural persons.
Data portability. The GDPR grants data subjects the right to data portability. POPIA does not include this right.
Breach notification timeline. The GDPR requires supervisor notification within 72 hours. POPIA requires notification "as soon as reasonably possible" with no fixed statutory deadline, though the Regulator applies a 72-hour guideline.
Information officer requirements. Under POPIA, all organizations must designate an Information Officer regardless of size or processing volume. The GDPR requires a Data Protection Officer only for certain organizations based on the nature and scale of processing.
Penalties. POPIA's maximum administrative fine is ZAR 10 million (approximately USD 550,000), significantly lower than the GDPR's maximum of EUR 20 million or 4 percent of global annual turnover. However, POPIA uniquely allows criminal imprisonment of up to 10 years, a penalty the GDPR does not impose.
Direct marketing. POPIA requires opt-in consent for all unsolicited electronic communications. The GDPR permits direct marketing to existing customers under the legitimate interest basis in certain circumstances.
Adequacy framework. The EU maintains a formal list of countries with adequate data protection. POPIA has no such list; each responsible party conducts its own adequacy assessment for Section 72 transfers.
Business Compliance Checklist

Organizations subject to POPIA should address the following requirements. These steps reflect obligations under the Act and the 2025 amended Regulations.
Appoint and register an Information Officer. Designate an Information Officer and any Deputy Information Officers and register them through the Information Regulator's eServices Portal before processing commences. The head of the organization automatically holds the role if no separate appointment is made.
Conduct a data inventory. Map all personal information the organization collects, processes, stores, and shares. Identify the lawful basis under Section 11 for each processing activity.
Update privacy notices. Ensure that privacy policies and collection notices comply with Section 18's openness requirements, including disclosing the identity of the responsible party, the purpose of collection, and any intended cross-border transfers.
Implement security measures. Conduct risk assessments, implement appropriate technical and organizational safeguards, and regularly test their effectiveness under Sections 19-22.
Establish breach response procedures. Develop and test an incident response plan that enables notification through the eServices Portal as soon as reasonably possible after a security compromise is discovered.
Expand data subject request channels. Following the 2025 amendments, update request intake processes to accept objections, correction requests, and deletion requests via email, SMS, and WhatsApp in addition to traditional written forms.
Review cross-border transfers. For each transfer under Section 72, document the adequacy assessment or alternative transfer mechanism, taking into account the juristic person gap in standard contractual clauses.
Manage operator relationships. Ensure all operator (processor) agreements include POPIA-compliant data processing terms requiring operators to implement security measures and notify the responsible party immediately of security compromises.
Enable data subject rights. Implement processes for responding to access, correction, deletion, and objection requests. Under the 2025 amendments, corrections and deletion outcomes must be communicated in writing within 30 days.
Review direct marketing practices. Confirm that all electronic communications are covered by valid opt-in consent or fall within the existing-customer exception. Ensure opt-out mechanisms are free, accessible, and honored.
For South Africans Whose Data Has Been Mishandled
If you believe an organization has violated your rights under POPIA, you may lodge a complaint directly with the Information Regulator through the eServices Portal or by visiting one of the Regulator's offices. Under the 2025 amended Regulations, the Regulator must acknowledge your complaint and provide a reference number within 14 days. Third parties acting in the public interest may also lodge complaints on behalf of affected individuals.
If your personal information has been involved in a security compromise, the responsible party is required to notify you as soon as reasonably possible and must include guidance on steps you can take to protect yourself.
For information about how recording and monitoring laws interact with data protection in South Africa, see our guide to South Africa recording laws.
Frequently Asked Questions
What is POPIA and when did it take full effect in South Africa?
The Protection of Personal Information Act (POPIA), Act 4 of 2013, is South Africa's comprehensive data protection law giving effect to the constitutional right to privacy in Section 14 of the Constitution. Parliament assented to the Act on November 19, 2013. Key operative sections commenced on July 1, 2020, with a 12-month compliance grace period. Full enforcement began on July 1, 2021. The Act is administered and enforced by the Information Regulator, an independent body established under Section 39 of POPIA.
What are the eight conditions for lawful processing under POPIA?
POPIA's eight conditions that every responsible party must satisfy are: (1) Accountability, requiring the organization to demonstrate compliance; (2) Processing Limitation, requiring a lawful basis for processing; (3) Purpose Specification, requiring a specific, defined, and lawful collection purpose; (4) Further Processing Limitation, prohibiting use incompatible with the original purpose; (5) Information Quality, requiring accurate and up-to-date data; (6) Openness, requiring disclosure to data subjects at the point of collection; (7) Security Safeguards, requiring technical and organizational protective measures; and (8) Data Subject Participation, requiring accessible rights to access, correction, and deletion.
What penalties can organizations face for violating POPIA?
POPIA imposes both administrative and criminal penalties. The Information Regulator can issue administrative fines of up to ZAR 10 million (approximately USD 550,000). Under the 2025 amended Regulations, fines may be paid in installments. For serious criminal offences such as obstructing the Regulator or failing to comply with enforcement notices, individuals face imprisonment of up to 10 years, a fine, or both. Less serious offences carry up to 12 months imprisonment. Unlike the GDPR, POPIA uniquely includes criminal imprisonment as a sanction.
How quickly must organizations report a data breach under POPIA?
POPIA Section 22 requires notification to the Information Regulator and affected data subjects as soon as reasonably possible after discovering a security compromise. The Act prescribes no fixed statutory deadline, but the Information Regulator expects notification within 72 hours as a guideline. Since April 1, 2025, all breach notifications must be submitted through the Information Regulator's mandatory eServices Portal at eservices.inforegulator.org.za. Email submissions are no longer accepted.
Can organizations transfer personal information outside South Africa under POPIA?
Yes, but Section 72 imposes strict conditions. The primary mechanism requires that the recipient country's laws, binding corporate rules, or contractual protections provide an adequate level of protection substantially similar to POPIA. Alternative transfer bases include explicit data subject consent, contractual necessity, and transfer in the data subject's interest. Unlike the EU GDPR, POPIA maintains no official adequacy country list, so each organization must conduct its own assessment. A further complexity is that POPIA protects juristic persons as well as natural persons, and many standard contractual clauses used internationally cover only natural persons.
What changed in the April 2025 POPIA Regulations amendments?
The amended Regulations (Government Notice GN 6126 of 2025, published April 17, 2025) introduced several important changes. Data subjects can now submit objections, correction requests, and deletion requests via SMS and WhatsApp in addition to traditional written channels. Responsible parties must notify data subjects in writing within 30 days of the outcome of correction or deletion requests. The information officer obligation to maintain a PAIA Manual was removed. Consent for direct marketing was clarified so that opt-out mechanisms alone no longer constitute valid consent. Administrative fines may now be paid in installments. Standing to lodge complaints was expanded to include public interest actors.
Does POPIA apply to small businesses and sole proprietors in South Africa?
Yes. POPIA applies to every public and private body that processes personal information in South Africa, regardless of size. There is no small business exemption. Every organization must designate and register an Information Officer with the Information Regulator, comply with all eight conditions for lawful processing, implement appropriate security measures, and respond to data subject requests. For small businesses, the head of the organization automatically serves as Information Officer if no separate appointment is made.
What is the role of the Information Regulator in South Africa?
The Information Regulator is an independent body established under Section 39 of POPIA, accountable to the National Assembly. It enforces both POPIA and the Promotion of Access to Information Act (PAIA). The Regulator investigates complaints, conducts own-initiative assessments, issues enforcement notices requiring remediation within set deadlines, issues infringement notices imposing administrative fines of up to ZAR 10 million, and refers matters for criminal prosecution where warranted. The Regulator also operates the mandatory eServices Portal through which organizations register information officers, submit breach notifications, and file complaints.
Sources and References
- Protection of Personal Information Act 4 of 2013 - Official Government Text (gov.za)
- Information Regulator of South Africa - Official Website (inforegulator.org.za)
- Information Regulator eServices Portal (eservices.inforegulator.org.za)
- National Treasury - POPIA Full Act Text (PDF) (treasury.gov.za)
- Constitution of the Republic of South Africa, 1996 - Section 14 Right to Privacy (gov.za)
- Amended POPIA Regulations GN 6126 of 2025 - Information Regulator (inforegulator.org.za)
- Section 22 - Notification of Security Compromises (popia.co.za)
- Section 72 - Transfers of Personal Information Outside Republic (popia.co.za)
- Section 107 - Penalties (popia.co.za)
- Section 69 - Direct Marketing (popia.co.za)
- Section 71 - Automated Decision Making (popia.co.za)
- Information Regulator - eServices Portal Updates (inforegulator.org.za)
- Information Regulator Fines Justice Department - SA News (sanews.gov.za)
- Education Department Issued R5M Fine for POPIA Violation - ITWeb (itweb.co.za)
- WhatsApp Agrees to Greater Transparency - TechCentral (techcentral.co.za)
- IEC and WhatsApp POPIA Enforcement Notices - TimesLive (timeslive.co.za)
- 2025 POPIA Regulation Amendments - Baker McKenzie (globalcompliancenews.com)
- 2025 POPIA Regulations Amendments Analysis - IT Law Co (itlawco.com)
- New POPIA Regulations Published April 2025 - Power Law Africa (powerlaw.africa)
- South Africa Mandatory ePortal Reporting - Inside Privacy (insideprivacy.com)
- South Africa Cross-Border Data Transfer - ITIF (itif.org)
- Guidance Note on Transborder Flows - Michalsons (michalsons.com)
- Information Regulator Direct Marketing Guidance - Global Policy Watch (globalpolicywatch.com)
- Information Regulator POPIA and PAIA Update - SEESA (seesa.co.za)
- Cross-Border Data Flows and POPIA - Section 72 - SAFLII (saflii.org)