SOUTH AFRICA
DATA PROTECTION FACTSHEET
-
Population: 59,308,690
Capitals: Pretoria (executive), Bloemfontein (judicial), Cape Town (legislative)
President: Cyril Ramaphosa
2021 Freedom House Score: 79/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, privacy is enshrined as a fundamental human right in section 14 of the Constitution of the Republic of South Africa. It is further protected under the common law.
DPA legislation: The Protection of Personal Information Act (POPIA) gives effect to the right to privacy, and seeks to balance it against other important rights such as access to information. The Act was signed in 2013 and has come into operation incrementally. The final sections of POPIA came into force on 1 July 2020, giving responsible parties one year within which to comply. Therefore, all responsible parties are required to comply as of 1 July 2021.
Under POPIA, the right to privacy includes a right to protection against the unlawful collection, retention, dissemination, and use of personal information. This includes the right to be notified of the collection of one’s information and to be informed when an unauthorised party has accessed one’s personal information.
Other rights held by data subjects include rights to:
- establish whether personal information is held by a responsible party, and request access to such information;
- request that, if necessary, their personal information be deleted, corrected or destroyed;
- object to the processing of their personal information, provided that such objection is reasonable, unless the data subject was allowed to object free of charge, and failed to do so upon the initial collection of the data;
- object to the processing of personal information for direct marketing purposes at any time, unless the data subject gave their consent and is a customer of the responsible party;
- not have their personal information processed by means of unsolicited electronic communications;
- submit a complaint to the Information Regulator regarding alleged interference with their personal information; and
- institute civil proceedings in relation to the alleged interference with the protection of their personal information.
-
ICCPR: Ratified
Council of Europe Convention 108: No
Council of Europe Convention 185: Signed
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: Yes
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal information includes information relating to an identifiable, living, natural person, and to juristic persons. Personal information includes, but is not limited to:
- information relating to gender, sex, pregnancy, marital status, and nationality;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- personal opinions, views, or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly private and would reveal the contents of the original correspondence;
- views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
The following types of information constitute special personal information and certain additional conditions must be met for its processing to be lawful:
- religious or philosophical beliefs;
- race or ethnic origin;
- political persuasion or trade union membership;
- health or sex life;
- biometric information; and
- criminal behaviour.
-
There are eight conditions required for the lawful processing of personal information by or on behalf of a responsible party:
1. Accountability
The responsible party must ensure that the conditions for lawful processing are satisfied.
2. Processing limitation
Processing must be conducted lawfully, for necessary and not excessive purposes, in a manner that protects the legitimate interests of the data subject and does not infringe on their rights.
Personal information may only be processed with the consent of the data subject (or competent person where the subject is a minor). Such consent is revocable at any time, and at such point, the responsible party must cease processing the information. Personal information may also be processed for a lawfully recognised purpose as specified in POPIA, such as the protection of a legitimate interest of the data subject.
Generally, personal information must be obtained directly from the data subject unless an exception applies.
3. Purpose specification
Personal information must be collected for a specific, explicitly defined, lawful purpose related to a particular function or activity of the responsible party. In most circumstances, the responsible party must act to ensure the data subject is aware of this purpose.
Personal information may not be retained for any longer than is necessary to achieve the purpose for which it was collected, barring certain exceptions.
4. Further processing limitation
Further processing of personal information must be compatible with the original purpose for which it was collected, as determined by factors such as the nature of the information concerned, possible consequences of further processing on the data subject, the manner in which the information was collected, and contractual rights and obligations existing between parties.
5. Information quality
The responsible party must take reasonably practicable measures to ensure that the personal information provided is accurate, complete and not misleading. The purpose for which the personal information is collected or further processed determines what is reasonably practicable under the circumstances.
6. Openness
The responsible party must keep documentation of all processing operations and notify the data subject when collecting personal information, barring certain exceptions.
7. Security safeguards
The responsible party is required to safeguard the integrity and confidentiality of personal information in its possession and/or under its control by taking the appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised destruction. Necessary measures are also to be taken to prevent unlawful access to or processing of personal information.
8. Data subject participation
The responsible party must allow data subjects to exercise their rights under POPIA regarding their personal data.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): Yes
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: Yes
Number of members in DPA: 5
Maximum term length for members of the DPA (years): Repeatedly renewable
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
Transferring the personal information of a data subject outside of South Africa to a third party located in a foreign country is prohibited unless the following can be shown:
- the third party who is receiving the information is subject to a set of legal rules or regulations that provide an adequate level of protection;
- the data subject consents to the transfer;
- the transfer of such information is necessary for the performance of a contract between the responsible party and data subject, or for other pre-contractual measures taken in response to a request made by the data subject;
- the transfer is required for the conclusion or performance of a contract concluded in the interest of the data subject, between the responsible party and third party; or
- the transfer is to the benefit of the data subject and it is not reasonably possible to obtain the consent of the data subject, and it is highly likely that consent would be given if it were possible to obtain.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 23 May 2022