Protection of Personal Information Act sections come into effect


After years of delays, President Cyril Ramaphosa has announced that additional sections of the Protection of Personal Information Act (PoPI) — which protects the personal data of South Africans — will come into effect in July.

Businesses will have one year grace period to ensure that they comply with the requirements of act.

The PoPI Act of 2013 includes laws around the use and storage of the personal information of South African residents. However, while initially introduced in 2013, sections have only come into effect incrementally since 2014.

According to the presidency, sections 2 to 38, sections 55 to 109, section 111, and section 114 (1), (2) and (3), will come into effect on 1 July 2020.

Businesses will have one year grace period to ensure that they comply with the requirements of the Protection of Personal Information Act

So what do the upcoming sections involve?

They include the conditions for lawful processing of personal information, rights of data subjects, exemptions from these conditions, duties and responsibilities of the Information Officer, as well as penalties for non-compliance and the time-frame for compliance.

What this means for consumers and personal data

However, the most relevant section for consumers coming into effect on 1 July is section 5. This section outlines the rights of data subjects — i.e. people whose information is gathered and processed.

These personal data rights include the right for the data subject to:

  • Be notified that personal information about them is being collected
  • Be notified if this information is accessed by an unauthorised person
  • Inquire whether a party has their personal information
  • Request a copy of their information from the responsible party
  • Request the correction or deletion of their personal information
  • Object to the processing of their personal information in certain circumstances
  • Not have their personal data processed for direct marketing purposes
  • Not be subject to a decision based solely on automated processing of their information in certain circumstances (such as automated profiling based on their personal information)
  • Submit a complaint to regulators regarding non-compliance
  • Institute civil proceedings against those who interfere with the protection of their information

The commencement of these regulations marks a turning point in consumer power over their personal data in South Africa.

It also provides important protections for consumers against issues such as algorithmic bias that could exclude them from certain services based on personal data harvested by companies.

Other PoPI provisions

Other provisions commencing (such as section 73 to 109) outline the penalties and processes for non-compliance with the act. This includes the ability for consumers to lodge complaints, as well as provisions for administrative penalties and fines on offenders.

Section 111 focuses on fees payable by data subjects.

Meanwhile, section 114 includes details around “transitional arrangements”:

  • The requirement for all processing of information to conform to the specific sections of the act within one year of the commencement
  • The ability for parties to request an extension on this requirement

You can read the full act and its various sections on the government’s PoPI Act website.

Feature image: Cytonn Photography on Unsplash

Megan Ellis


Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Ventureburn

Sign up to our newsletter to get the latest in digital insights.