Frequently Asked Questions and their answers

 Data is now so valuable that it is considered the ‘new oil’. POPIA protects yours!

What is the difference between POPIA and POPI?
The terms mean exactly the same thing and can be used interchangeably. POPIA is short for Protection of Personal Information Act and POPI Act is exactly the same thing with the only change being the word Act is written out.
What is POPIA?
The abbreviation is otherwise known as, the Protection of Personal Information Act. Some people choose to use POPI Act as an abbreviation, but it all refers to the same thing.
The main goal of the POPIA is to protect people and companies (also known as data subjects) from security breaches, theft, and discrimination.
It will include conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). The Act includes eight general conditions and three less descriptive conditions
What is GDPR?
The General Data Protection Regulations (GDPR) is the European version of POPIA.
Why should South Africans care about the GDPR?
We all transfer information to locations outside of South Africa, especially when using the “cloud”.
A company may transfer personal information to recipients in locations outside South Africa if the recipient country has data protection laws similar to POPIA. If there are not adequate protection laws, personal information may only be transferred to such countries if the data subject consents or if the recipient is subject to binding corporate rules or a binding agreement which provides an adequate level of protection effectively upholding the principles in POPIA, including the provisions relating to the further transfer of personal information.
What other legislation in South Africa regulates privacy?
YES! POPIA will however be the primary act we use. All other legislation must be amended to comply with POPIA. Other legislation with privacy content are:
• Electronic Communications and Transactions Act (ECTA);
• Promotion of Access to Information Act (PAIA);
• National Credit Act and the Consumer Protection Act.
This website assists with compliance across most privacy legislation, not just POPIA! We walk the extra mile with you.
Who will be affected by POPIA?
In short — just about everyone. All persons and companies will be affected by the Act

ALL companies need to have systems in place to deal with personal information. Plus, POPIA also has guidelines about direct marketing — so any brand sending messages or emails to consumers without them opting in, beware!

What is Personal Information?
Personal Information is data that can be used to identify a person.

Personal Information may include:
• ID number;
• Email address;
• Telephone numbers;
• Physical address;
• Physical and mental health information;
• Disability information;
• Marital status
• Pregnancy status
• Religion/Beliefs/Culture;
• Educational/Medical/Financial/Criminal or Employment History;
• Race/Sex/Nationality/Ethnics/Social Origin;
• So much more!

What are information processing conditions?
POPIA includes eight information processing principles or conditions, namely: accountability, data subject participation, further processing limitation, information quality, openness, processing limitation, purpose specification and security safeguards. These conditions ensure improved data quality and business management.
When does POPIA come into effect?
By 1 July 2021 the entire act will be fully in force.
Do I need to get permission to contact consumers already on my direct mailing list?

If you got permission, your golden. If you told me when you collected my information that you are going to use it to send me specials, then gave me the opportunity to unsubscribe every time I got the email — there is that unsubscribe at the bottom — then your fine.

If you’ve been emailing me for 10 years and I haven’t said anything, then there is this soft opt-in concept. So, to answer your question, yes and no. The marketers that behaved in an ethical way will be able to continue to market to their lists.

What happens if I ignore POPIA?
Firstly, its law. Ignoring it will be a big mistake.
Don’t underestimate POPIA and don’t just see it as a burden, instead, try to view it as an opportunity to create your own data strategy that will guard your company/practice and your clients/customers.
However, failure to comply to this act can lead to a variety of implications – these include:
• A complaint lodged with the Information Regulator and a fine;
• Receiving a civil claim for payment of any damages;
• Criminal prosecution – if convicted there could be a fine of up to R10 million or a prison sentence of up to ten years, or even both.
Who is an "Operator"?
An Operator is defined under POPIA as a “person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.

Examples of these service providers include:

  • Advertising agencies;
  • Auditors;
  • PR agencies;
  • Recruitment and employment agencies;
  • Credit Bureaux;
  • Verification agencies;
  • Attorneys;
  • Sales Agents;
  • Service Agents.
What is the difference between a Responsible Party and an Operator?
Responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an Operator is involved, the Responsible Party will still determine the purpose for processing etc, but will outsource the processing of the information to the Operator. The Responsible Party therefore still makes all decisions in relation to the information and the Operator acts in accordance with these decisions and on the instructions from the Responsible Party.

The Responsible Party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all Operators providing services to the Responsible Party. The outsourcing or sub-contracting of any processing activities to Operators does not absolve the Responsible Party from liability. If the Operator contravenes POPIA, the Responsible Party will still be held liable by the Information Regulator.

Why do you need an Operator Agreement?
In terms of section 20 of POPIA, an Operator or anyone processing personal information on behalf of a Responsible Party or an Operator, has a duty to treat any personal information which it processes on behalf of the organization as confidential and must not disclose it, unless required by law or in the course of the proper performance of his/her duties.


Furthermore, in terms of section 21 of POPIA, the Responsible Party must have a written agreement between itself and the Operator to ensure that the Operator establishes and maintains adequate safeguards and security measures in respect of the information which it is processing on behalf of the Responsible Party.


The Responsible Party will ultimately be held liable by the Information Regulator for a breach of POPIA by the Operator where the breach occurred within the scope of the mandate agreement between the Responsible Party and the Operator.


However, in the instance where the Operator have exceeded its mandate and breached POPIA, the Operator is seen to be acting as a Responsible Party in regard to the Personal Information as the Operator is determining the purposes and means of processing.


A written agreement between the Responsible Party and the Operator is therefore extremely important for the Responsible Party. By including a liability clause, the Responsible Party can hold the Operator liable for any claims which the Information Regulator and/or data subjects may have against the Responsible Party as a result of a breach of POPIA by the Operator.

Definition of "responsible party"
“responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
Definition of "operator"
“operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
Definition of "processing"
“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

dissemination by means of transmission, distribution or making available in any other form; or

merging, linking, as well as restriction, degradation, erasure or destruction of information.

What is personal information and what does it include?
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:


  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
How do I get my website POPIA compliant?
if you are a website owner visit this link on how we can help you get your website more compliant with POPIA guidelines.


4 steps to PRIVACY compliance


Book a consultation with a legal expert.

Find the right privacy templates for you

Download and complete with your details

Use on all your platforms

Book a 30 min online consultation to review your document with a legal adviser for R570