On 1 July 2020 the main substance of the Protection of Personal Information Act 4 of 2013 (commonly known as “POPI”) came into operation. The Act outlines how parties who handle an individual’s personal information need to protect this information and provides for some severe-sounding sanctions if this is not done.  This article will attempt to provide you with a brief overview of POPI:   what it intends to achieve, what it requires, what sanctions there are for non-compliance and how this may impact you.

What is POPI?


POPI is an Act that has been passed to give effect to the constitutional right to privacy by protecting how an individual’s personal information is handled, used and recorded. The Act protects a wide scope of information including identifying numbers, contact details, personal opinions and views, race, gender, sexual orientation, culture and financial and criminal records.

The Act predominantly deals with regulating the interactions between a “data subject” and a “responsible party” during the “processing” of personal information

The Act has also established the office of the Information Regulator which is a body that receives and investigates complaints made in relation to non-compliance with the Act.

Section 5 of the Act lists the “Rights of data subjects” which is essentially the rights of individuals in relation to their information. This would be a useful section to read if you would like to be more informed on what your information privacy rights are.

What requirements does POPI introduce for the processing of personal information?


The first thing to note here is that the Act has a 1 year ‘grace period’. So, a responsible party needs to ensure that they are processing personal information in line with the POPI requirements (including those discussed below) before 1 July 2021.

The Act outlines “conditions” for the processing of personal data. These conditions are essentially the requirements that need to be met by a responsible party when they handle personal information and can be summarised as follows:

Practical consequences


For the individual, POPI signifies a concrete step forward in attempting to regulate how our personal information is used by private and public entities.

For businesses, the requirements outlined in the Act may mean that the business will need to restructure how they handle information in order to make sure they do not contravene the provisions of POPI. Some practical steps for a business could include:

Enforcement procedures and consequences of breaching POPI


There are a number of sanctions outlined by the Act. These are:

  1. Civil damages: A data subject or the Regulator may institute an action for civil damages (for a “just and equitable amount”) if one of the provisions outlined in section 99 is breached (includes the “conditions” described above and direct marketing provisions).
  2. Administrative fines: Administrative fines of up to R10 million are payable by a party who commits an offence in terms of the Act. The offences are listed in chapter 11 of the Act.
  3. Some offences may result in up to a 12-month imprisonment or fine. These include:
  1. Some offences may result in up to a ten-year imprisonment or fine. These include:


Written by:
Savanna Kanzler – Candidate Attorney
Should you require assistance kindly contact Stephen Koen at skoen@bissets.com or via: