Landlords' compliance with the Protection of Personal Information Act (POPIA)
Introduction to POPIA
The Protection of Personal Information Act (POPIA) is a South African law enacted to regulate the collection, processing, storage, and sharing of personal information by both public and private entities.
The Act ensures that personal data is handled responsibly to protect individuals from data breaches, identity theft, and other privacy violations.
POPIA aligns South Africa’s data protection framework with global standards such as the General Data Protection Regulation (GDPR) of the European Union.
The Act was signed into law in 2013 (Act 4 of 2013). Most of its provisions commenced on 1 July 2020, with a one-year grace period for compliance; full enforcement began on 1 July 2021.
Objectives of POPIA
POPIA is designed to achieve the following objectives:
- Protect the Right to Privacy – Ensure that personal information is processed lawfully and responsibly.
- Promote Transparency and Accountability – Establish clear guidelines for businesses and organizations handling personal data.
- Regulate Cross-Border Data Transfers – Set restrictions on international data sharing to protect South African citizens’ privacy.
- Enhance Cybersecurity and Data Protection – Mandate organizations to implement security measures against data breaches.
- Provide Individuals with Control Over Their Data – Grant South Africans rights to access, correct, and request deletion of their personal information.
Key Definitions in POPIA
Understanding the terminology used in POPIA is crucial for compliance:
- Personal Information: Any information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (such as a company), including names, contact details, ID numbers, biometric data, and online identifiers (e.g., IP addresses). Note that POPIA, unlike the GDPR, also protects the information of juristic persons.
- Data Subject: The individual whose personal information is being processed.
- Responsible Party: The organization or individual that collects and processes personal data.
- Operator (Data Processor): A third party that processes personal data on behalf of the responsible party.
- Processing: Any activity involving personal data, including collection, storage, modification, and sharing.
- Information Regulator: The regulatory authority responsible for enforcing POPIA compliance.
The Eight Conditions for Lawful Processing of Personal Information
POPIA establishes eight conditions to ensure that personal data is processed lawfully and fairly:
- Accountability
- Organizations must take responsibility for ensuring compliance with POPIA.
- Processing Limitation
- Data collection must be lawful, minimal, and not excessive.
- Purpose Specification
- Personal information should only be collected for a specific, explicitly defined purpose.
- Further Processing Limitation
- Data cannot be used for a purpose beyond the one initially specified unless certain conditions are met.
- Information Quality
- Organizations must ensure that personal data remains accurate, up-to-date, and complete.
- Openness
- Data subjects must be informed about data collection and the purpose of its use.
- Security Safeguards
- Appropriate, reasonable technical and organisational measures (e.g., encryption, access control, network controls) must be in place to protect personal data against loss, damage, unauthorised destruction, and unlawful access or processing.
- Data Subject Participation
- Individuals have the right to access, correct, or delete their personal information.
Rights of Data Subjects Under POPIA
POPIA grants individuals several key rights over their personal information:
- Right to Access – Individuals can request access to their personal data.
- Right to Correction and Deletion – Individuals can ask for corrections or removal of inaccurate or outdated data.
- Right to Object – Individuals can object to certain types of data processing, such as direct marketing.
- Right to Data Portability – POPIA has no explicit data portability right. What it does grant (section 23) is access to the record, or a description, of the personal information held, which a responsible party will in practice supply in a readable form.
- Right to Be Notified – Individuals must be informed if their data is being collected or if a data breach occurs.
Obligations for Businesses and Organizations
To comply with POPIA, businesses must implement the following measures:
- Appoint an Information Officer
- This person is responsible for ensuring compliance with POPIA within the organization.
- Develop a Data Protection Policy
- A policy outlining how personal information is handled and protected.
- Establish a Lawful Basis for Processing
- Consent is only one of the six grounds for lawful processing listed in section 11 of the Act. Processing is also justified where it is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect a legitimate interest of the data subject, to perform a public-law duty, or to pursue the legitimate interests of the responsible party or a third party. Where consent is the basis relied on, it must be voluntary, specific, and informed.
- Secure Cross-Border Data Transfers
- Under section 72, personal information may only be transferred to a recipient outside South Africa if the recipient is subject to a law, binding corporate rules, or a binding agreement that provides a level of protection substantially similar to POPIA, or if the data subject consents, or if the transfer is necessary for a contract with or in the interest of the data subject.
- Implement Security Measures
- Organizations must safeguard data against loss, unauthorized access, or cyber threats.
- Notify Authorities of Data Breaches
- Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person (a "security compromise" under section 22), the Information Regulator and the affected data subjects must be notified as soon as reasonably possible after discovery of the compromise.
Exemptions Under POPIA
While POPIA applies broadly, some exemptions exist:
- Personal or Household Use – Individuals processing data for personal reasons (e.g., storing contacts) are exempt.
- Journalistic and Artistic Purposes – Media entities may have exemptions under certain conditions.
- National Security and Law Enforcement – Government entities handling sensitive data related to national security or criminal investigations may have limited exemptions.
- Public Interest – Certain information may be processed for the public good, such as research or statistical analysis.
Enforcement and Penalties for Non-Compliance
The Information Regulator is responsible for enforcing POPIA. Businesses and individuals who fail to comply with the Act face serious consequences, including:
- Administrative Fines – Up to R10 million per violation.
- Criminal Prosecution – In severe cases, responsible individuals may face imprisonment of up to 10 years.
- Civil Claims – Data subjects can seek compensation for damages caused by data breaches or non-compliance.
- Reputational Damage – Non-compliance can lead to a loss of customer trust and brand damage.
Impact of POPIA on Businesses and Individuals
POPIA has a significant impact on how businesses handle data:
For Businesses
- Increased responsibility for securing customer data.
- The need for privacy-by-design in IT systems.
- Stricter consent and transparency requirements.
- Legal risks and compliance costs.
For Individuals
- Greater control over personal data.
- Improved data security.
- Protection from spam and unsolicited marketing.
- Legal recourse for data misuse.
Comparison Between POPIA and GDPR
| Feature | POPIA (South Africa) | GDPR (European Union) |
|---|---|---|
| Scope | Public & private sectors; protects natural and juristic persons | Public & private sectors; protects natural persons only |
| Data Subject Rights | Access, correction, deletion, objection; no explicit portability right | Broad rights, including erasure and data portability |
| Data Breach Notification | Mandatory, as soon as reasonably possible after discovery | Mandatory, to the supervisory authority within 72 hours |
| Fines & Penalties | Administrative fines up to R10 million; imprisonment up to 10 years for certain offences | Up to €20 million or 4% of global annual turnover, whichever is higher |
| Cross-Border Transfers | Restricted unless substantially similar protection, consent, or contractual necessity exists | Restricted unless an adequacy decision or appropriate safeguards exist |
Final Thoughts
The Protection of Personal Information Act (POPIA) represents a significant step forward in data privacy and security in South Africa.
Organizations must prioritize compliance to avoid legal repercussions, while individuals benefit from stronger control over their personal information.
As the regulatory landscape evolves, businesses must remain vigilant in updating their data protection strategies to align with POPIA’s requirements.
Frequently Asked Questions – Protection of Personal Information Act (POPIA)
General Questions
What is POPIA?
The Protection of Personal Information Act (POPIA) is South Africa’s data protection law that regulates how personal information is collected, processed, stored, and shared.
It ensures individuals’ privacy rights are protected and requires businesses to handle personal data responsibly.
When did POPIA come into effect?
POPIA was signed into law in 2013. Most of its provisions commenced on 1 July 2020, and full enforcement began on 1 July 2021 after a one-year grace period for compliance.
Why was POPIA introduced?
POPIA was enacted to:
- Protect individuals’ personal information from misuse.
- Regulate businesses and government bodies in handling data.
- Align South Africa’s data protection laws with international standards like the GDPR.
Scope and Applicability
Who does POPIA apply to?
POPIA applies to any responsible party (businesses, government bodies, non-profits, and individuals acting outside a purely personal capacity) that processes personal information and is either domiciled in South Africa or, if not domiciled here, uses automated or non-automated means located in South Africa to process it (section 3). The test is where the processing takes place, not the nationality of the data subject.
Does POPIA apply to small businesses?
Yes. Whether you are a large corporation or a small business, if you collect or process personal data (e.g., names, contact details, emails), you must comply with POPIA.
Are there any exemptions under POPIA?
Yes. POPIA does not apply in the following cases:
- Personal or household use (e.g., keeping contacts in a private phone).
- Journalistic, artistic, or literary purposes (subject to specific conditions).
- National security, law enforcement, and judicial activities under specific laws.
- De-identified or anonymized data (where individuals cannot be identified).
Does POPIA apply to international companies?
It can. A company that is not domiciled in South Africa falls under POPIA when it processes personal information using means located in South Africa, unless those means are used only to forward the information through the country. A foreign company with no such footprint is not automatically covered merely because a data subject is South African.
Personal Information and Consent
What is considered ‘personal information’ under POPIA?
Personal information includes any data that identifies a person, such as:
- Name, surname, and identity number.
- Contact details (phone number, email address, home address).
- Banking and financial details.
- Biometric data (fingerprints, facial recognition).
- Online identifiers (IP address, cookies, geolocation data).
What is ‘special personal information’ under POPIA?
Special personal information (section 26) includes:
- Religious or philosophical beliefs, race or ethnic origin.
- Trade union membership and political persuasion.
- Health or sex life.
- Biometric information.
- Criminal behaviour.
Personal information of children is also subject to similar restrictions (section 34). Processing such data is prohibited unless one of the exceptions in section 27 applies, such as the data subject's consent, a legal obligation, or processing required for the establishment, exercise, or defence of a right.
Do businesses need consent to collect personal data?
Not always. Consent is one of six lawful grounds in section 11, and processing is lawful without consent where it is:
- Necessary to conclude or perform a contract with the data subject (e.g., a lease agreement).
- Required by law.
- Necessary to protect a legitimate interest of the data subject.
- Necessary for a public-law duty of a public body.
- Necessary to pursue the legitimate interests of the responsible party or a third party.
Where none of these grounds applies, consent is required, and a data subject may object at any time to processing based on legitimate interests.
How must businesses obtain consent?
POPIA defines consent as a voluntary, specific, and informed expression of will. In practice it must be:
- Specific – A clear, affirmative action for a defined purpose (e.g., ticking an unchecked box, signing a form).
- Voluntary – Individuals must not be pressured into giving consent.
- Informed – The purpose of data collection must be clearly explained beforehand.
- Revocable – People must be able to withdraw consent at any time, and the responsible party bears the burden of proving that consent was given.
Data Processing and Security
What are the eight conditions for lawful data processing?
To comply with POPIA, businesses must follow these eight processing conditions:
- Accountability – The business is responsible for compliance.
- Processing Limitation – Data must be collected legally and for a specific purpose.
- Purpose Specification – The purpose of collecting data must be clear and legitimate.
- Further Processing Limitation – Data cannot be reused for unrelated purposes.
- Information Quality – Personal data must be accurate and up to date.
- Openness – Individuals must be informed about how their data is used.
- Security Safeguards – Data must be protected from breaches and unauthorized access.
- Data Subject Participation – People have the right to access, update, or delete their data.
How should businesses secure personal information?
Section 19 requires a responsible party to identify reasonably foreseeable risks to the personal information it holds, establish safeguards against them, verify that the safeguards are implemented effectively, and keep them updated. Typical measures include:
- Encryption and access control to protect stored data, with access limited to staff who need it.
- Firewalls, endpoint protection, and patching for cybersecurity.
- Secure password and authentication policies for employees handling sensitive data.
- Regular security audits to detect vulnerabilities.
- Written contracts with operators (section 21) obliging them to apply the same safeguards and to notify the responsible party of any security compromise.
What happens in case of a data breach?
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person:
- Notify the Information Regulator as soon as reasonably possible after discovering the compromise.
- Inform affected data subjects, with enough detail for them to protect themselves.
- Take immediate steps to contain the compromise and mitigate further risks.
Failure to notify is an interference with the protection of personal information and can lead to enforcement action by the Information Regulator, including administrative fines, as well as civil claims.
Rights of Individuals Under POPIA
What rights do individuals have under POPIA?
Data subjects have the right to:
- Access their personal data held by companies.
- Correct or update inaccurate information.
- Request deletion (‘right to be forgotten’) if data is no longer needed.
- Object to direct marketing and automated decision-making.
- Be informed of data collection and processing practices.
Can individuals request to have their data deleted?
Yes. Under POPIA, people can request businesses to delete their personal data if:
- It is no longer necessary for the original purpose.
- They withdraw consent.
- The data was processed unlawfully.
However, some legal or contractual obligations may prevent deletion (e.g., financial records must be kept for auditing purposes).
Compliance and Penalties
Who is responsible for enforcing POPIA?
The Information Regulator of South Africa is the official body overseeing compliance and handling complaints.
What are the penalties for non-compliance with POPIA?
Businesses and individuals that fail to comply with POPIA may face:
- Fines of up to R10 million per violation.
- Prison sentences of up to 10 years (for severe offenses).
- Civil claims from affected individuals for damages.
Can a business be fined for sending unsolicited marketing messages?
Yes. Under section 69, direct marketing by electronic communication (email, SMS, automated calls) is prohibited unless the data subject has given consent or is an existing customer. Existing customers may only be marketed with similar products or services, using contact details obtained in the course of a sale, and must be offered a way to opt out in every message.
Can individuals sue businesses for data breaches?
Yes. If a company fails to protect personal information, affected individuals can file a lawsuit for damages.
Practical Steps for Businesses to Comply with POPIA
How can my business ensure POPIA compliance?
To comply with POPIA, businesses should:
- Appoint an Information Officer to oversee data protection.
- Develop a Privacy Policy outlining data handling practices.
- Obtain explicit consent before collecting personal data.
- Implement strong cybersecurity measures to protect data.
- Train employees on data protection regulations.
- Review contracts with third-party service providers handling personal data.
- Prepare a data breach response plan to mitigate risks.
Final Thoughts
POPIA is essential for protecting personal information in South Africa. Compliance is not optional, and businesses must take active steps to safeguard customer data.
Disclaimer:
This post is for general use only and is not intended to offer legal, tax, or investment advice; it may be out of date, incorrect, or may be a guest post. You are required to seek legal advice from a solicitor before acting on anything written hereinabove.