Protection of Personal Information Act (POPIA)

What is POPIA?
The POPI Act aims to give effect to the constitutional right to privacy by ensuring that organisations process personal information in a fair, responsible and secure manner. Organisations that fail to safeguard the personal information of customers, employees and other stakeholders could face civil liability claims, criminal and regulatory sanctions and significant reputational damage.

What is Personal Information?
Personal information includes, but is not limited to, information relating to ‘name’, ‘surname’, ‘age’, ‘gender’, ‘race’, ‘contact details’, ‘employment history’, ‘blood type’, ‘views’, etc.

Eight Conditions for Processing Personal Information

Organisations are expected to comply with the following eight (8) conditions that emerge from the Act:

  • Condition 1: Accountability: The responsible party must ensure that measures are taken that give effect to the principles below.
  • Condition 2: Processing limitation: Personal information must be processed in accordance with the law and in a proper and careful manner in order not to intrude upon the privacy of the data subject to an unreasonable extent.
  • Condition 3: Purpose specification: Personal information must be collected for a specific, explicitly defined and legitimate purpose. Personal information may not be kept for longer than is necessary for archiving purposes.
  • Condition 4: Further process limitation: Personal information must not be further processed in a way that is incompatible with a purpose for which it has been collected in the first instance.
  • Condition 5: Information quality: The data collector collecting and processing personal information must take practical steps to ensure that the personal information is complete, not misleading, and accurate.
  • Condition 6: Openness: The responsible party must notify the data subject when collecting their personal information.
  • Condition 7: Security safeguards: Appropriate technical and organisational measures must be taken to secure the integrity of personal data by safeguarding against the risk of loss of, damage to or destruction of personal information, and against unauthorised or unlawful access to, or processing of, personal information.
  • Condition 8: Data subject participation: Where personal information is collected, the data subject is entitled to obtain confirmation whether and what personal information is being kept.

Please visit the Information Regulator’s website for the detailed Act as well as other information at:

Page last updated: 2022-01-19