Population: 59,308,690

Capitals: Pretoria (executive), Bloemfontein (judicial), Cape Town (legislative)

President: Cyril Ramaphosa

2021 Freedom House Score: 79/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, privacy is enshrined as a fundamental human right in section 14 of the Constitution of the Republic of South Africa. It is further protected under the common law.

DPA legislation: The Protection of Personal Information Act (POPIA) gives effect to the right to privacy, and seeks to balance it against other important rights such as access to information. The Act was signed in 2013 and has come into operation incrementally. The final sections of POPIA came into force on 1 July 2020, giving Responsible Parties one year within which to comply. Therefore, all responsible parties are required to comply as of 1 July 2021.

Under POPIA, the right to privacy includes a right to protection against the unlawful collection, retention, dissemination, and use of personal information. This includes the right to be notified of the collection of one’s information and to be informed of unauthorised access to personal information by an unauthorised party.

Other rights held by data subjects include rights to:

• establish whether personal information is held by a responsible party, and request access to such information;
• request that, if necessary, their personal information be deleted, corrected or destroyed;
• object to the processing of their personal information, provided that such objection is reasonable, unless the data subject was allowed to object free of charge, and failed to do so upon the initial collection of the data;
• object to the processing of personal information for direct marketing purposes at any time, unless the data subject gave their consent and is a customer of the responsible party;
• not have their personal information processed by means of unsolicited electronic communications;
• submit a complaint to the Information Regulator regarding alleged interference with their personal information; and
• institute civil proceedings in relation to the alleged interference with the protection of their personal information.

ICCPR: Ratified

Council of Europe Convention 108: No

Council of Europe Convention 185: Signed

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: Yes

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal information includes information relating to an identifiable, living, natural person, and to juristic persons. Personal information includes, but is not limited to:

• information relating to gender, sex, pregnancy, marital status, and nationality;
• information relating to the education or the medical, financial, criminal or employment history of the person;
• any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
• personal opinions, views, or preferences of the person;
• correspondence sent by the person that is implicitly or explicitly private and would reveal the contents of the original correspondence;
• views or opinions of another individual about the person; and
• the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

The following types of information constitute special personal information and certain additional conditions must be met for its processing to be lawful:

• religious or philosophical beliefs;
• race or ethnic origin;
• political persuasion or trade union membership;
• health or sex life;
• biometric information; and
• criminal behaviour.

There are eight conditions required for the lawful processing of personal information by or on behalf of a responsible party:

1. Accountability

The responsible party must ensure that the conditions for lawful processing are satisfied.

2. Processing limitation

Processing must be conducted lawfully, for necessary and not excessive purposes, in a manner that protects the legitimate interests of the data subject and does not infringe on their rights.

Personal information may only be processed with the consent of the data subject (or competent person where the subject is a minor). Such consent is revocable at any time, and at such point, the responsible party must cease processing the information. Personal information may also be processed for a lawfully recognised purpose as specified in POPIA, such as the protection of a legitimate interest of the data subject.

Generally, personal information must be obtained directly from the data subject unless an exception applies.

3. Purpose specification

Personal information must be collected for a specific, explicitly defined, lawful purpose related to a particular function or activity of the responsible party. In most circumstances, the responsible party must act to ensure the data subject is aware of this purpose.

Personal information may not be retained for any longer than is necessary to achieve the purpose for which it was collected, barring certain exceptions.

4. Further processing limitation

Further processing of personal information must be compatible with the original purpose for which it was collected, as determined by factors such as the nature of the information concerned, possible consequences of further processing on the data subject, the manner in which the information was collected, and contractual rights and obligations existing between parties.

5. Information quality

The responsible party must take reasonably practicable measures to ensure that the personal information provided is accurate, complete and not misleading. The purpose for which the personal information is collected or further processed determines what is reasonably practical under the circumstances.

6. Openness

The responsible party must keep documentation of all processing operations and notify the data subject when collecting personal information, barring certain exceptions.

7. Security safeguards

The responsible party is required to safeguard the integrity and confidentiality of personal information in its possession and / or under its control by taking the appropriate, reasonable technical and organisational measures to prevent loss, damage or unauthorised destruction. Necessary measures are also to be taken to prevent unlawful access to or processing of personal information.

8. Data subject participation

The responsible party must allow data subjects to exercise their rights under POPIA regarding their personal data.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: No

Register is publicly available: NA

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Unclear

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): Yes

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: Yes

Number of members in DPA: 5

Maximum term length for members of the DPA (years): Repeatedly renewable

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Transferring the personal information of a data subject outside of South Africa to a third party located in a foreign country is prohibited unless the following can be shown:

• the third party who is receiving the information is subject to a set of legal rules or regulations that provide an adequate level of protection;
• the data subject consents to the transfer;
• the transfer of such information is necessary for the performance of a contract between the responsible party and data subject, or for other pre-contractual measures taken in response to a request made by the data subject;
• the transfer is required for the conclusion or performance of a contract concluded in the interest of the data subject, between the responsible party and third party; or
• the transfer is to the benefit of the data subject and it is not reasonably possible to obtain the consent of the data subject, and it is highly likely that consent would be given if it were possible to obtain.

Provides a right not to be subject to automated decision-making: Yes