South Africa Fact Sheet | Data Protection Africa

SOUTH AFRICA

DATA PROTECTION FACTSHEET

Flag design by Frederick Brownell, image by Wikimedia Commons users, Public domain, via Wikimedia Commons

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

DOWNLOAD THE ACT

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, privacy is enshrined as a fundamental human right in section 14 of the Constitution of the Republic of South Africa. It is further protected under the common law.

DPA legislation: The Protection of Personal Information Act (POPIA) gives effect to the right to privacy, and seeks to balance it against other important rights such as access to information. The Act was signed in 2013 and has come into operation incrementally. The final sections of POPIA came into force on 1 July 2020, giving Responsible Parties one year within which to comply. Therefore, all responsible parties are required to comply as of 1 July 2021.

Under POPIA, the right to privacy includes a right to protection against the unlawful collection, retention, dissemination, and use of personal information. This includes the right to be notified of the collection of one’s information and to be informed of unauthorised access to personal information by an unauthorised party.

Other rights held by data subjects include rights to:

establish whether personal information is held by a responsible party, and request access to such information;

request that, if necessary, their personal information be deleted, corrected or destroyed;

object to the processing of their personal information, provided that such objection is reasonable, unless the data subject was allowed to object free of charge, and failed to do so upon the initial collection of the data;

object to the processing of personal information for direct marketing purposes at any time, unless the data subject gave their consent and is a customer of the responsible party;

not have their personal information processed by means of unsolicited electronic communications;

submit a complaint to the Information Regulator regarding alleged interference with their personal information; and

institute civil proceedings in relation to the alleged interference with the protection of their personal information.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: Yes

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data
Personal information includes information relating to an identiﬁable, living, natural person, and to juristic persons. Personal information includes, but is not limited to:

information relating to gender, sex, pregnancy, marital status, and nationality;

information relating to the education or the medical, ﬁnancial, criminal or employment history of the person;

any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identiﬁer, or other particular assignment to the person;

personal opinions, views, or preferences of the person;

correspondence sent by the person that is implicitly or explicitly private and would reveal the contents of the original correspondence;

views or opinions of another individual about the person; and

the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

The following types of information constitute special personal information and certain additional conditions must be met for its processing to be lawful:

religious or philosophical beliefs;

race or ethnic origin;

political persuasion or trade union membership;

health or sex life;

biometric information; and

criminal behaviour.
Collection and Processing

There are eight conditions required for the lawful processing of personal information by or on behalf of a responsible party:

1. Accountability

The responsible party must ensure that the conditions for lawful processing are satisfied.

2. Processing limitation

Processing must be conducted lawfully, for necessary and not excessive purposes, in a manner that protects the legitimate interests of the data subject and does not infringe on their rights.

Personal information may only be processed with the consent of the data subject (or competent person where the subject is a minor). Such consent is revocable at any time, and at such point, the responsible party must cease processing the information. Personal information may also be processed for a lawfully recognised purpose as specified in POPIA, such as the protection of a legitimate interest of the data subject.

Generally, personal information must be obtained directly from the data subject unless an exception applies.

3. Purpose speciﬁcation

Personal information must be collected for a specific, explicitly defined, lawful purpose related to a particular function or activity of the responsible party. In most circumstances, the responsible party must act to ensure the data subject is aware of this purpose.

Personal information may not be retained for any longer than is necessary to achieve the purpose for which it was collected, barring certain exceptions.

4. Further processing limitation

Further processing of personal information must be compatible with the original purpose for which it was collected, as determined by factors such as the nature of the information concerned, possible consequences of further processing on the data subject, the manner in which the information was collected, and contractual rights and obligations existing between parties.

5. Information quality

The responsible party must take reasonably practicable measures to ensure that the personal information provided is accurate, complete and not misleading. The purpose for which the personal information is collected or further processed determines what is reasonably practical under the circumstances.

6. Openness

The responsible party must keep documentation of all processing operations and notify the data subject when collecting personal information, barring certain exceptions.

7. Security safeguards

The responsible party is required to safeguard the integrity and confidentiality of personal information in its possession and / or under its control by taking the appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised destruction. Necessary measures are also to be taken to prevent unlawful access to or processing of personal information.

8. Data subject participation

The responsible party must allow data subjects to exercise their rights under POPIA regarding their personal data.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear
Accountability

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 5

Maximum term length for members of the DPA (years): Repeatedly renewable
Participation

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes
Cross-border Transfer
Transferring the personal information of a data subject outside of South Africa to a third party located in a foreign country is prohibited unless the following can be shown:

the third party who is receiving the information is subject to a set of legal rules or regulations that provide an adequate level of protection;

the data subject consents to the transfer;

the transfer of such information is necessary for the performance of a contract between the responsible party and data subject, or for other pre-contractual measures taken in response to a request made by the data subject;

the transfer is required for the conclusion or performance of a contract concluded in the interest of the data subject, between the responsible party and third party; or

the transfer is to the benefit of the data subject and it is not reasonably possible to obtain the consent of the data subject, and it is highly likely that consent would be given if it were possible to obtain.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022