POPI Act 2013
Short notes on the Protection of Personal Information Act, 2013 (POPIA)
What is this Act for?
The purpose of this law, which is broadly in line with international laws of this sort, is the protection of personal information and therefore of privacy in the context of data. Privacy extends to how personal information is collected, stored, used, or manipulated. Hence, the purpose of POPI is to:
- Give effect to the constitutional right to privacy by safeguarding Personal Information.
- Balance the right to privacy against other rights, like the right of access to information.
- Regulate the manner in which Personal Information must be processed.
- Provide persons with rights and remedies if POPI is contravened.
Understanding POPI Terminology
Your Information
This is anything that can identify who you (the "data subject") are or who someone else is.
It includes a name, identity number, address, gender, race, religion, medical issues, employment history, email, photograph, social media accounts, biometrics, personal views and opinions or statements, disability, language—anything that could enable someone else to find out something about you or any other person.
Responsible Party
A person who decides how Personal Information is processed and what this Personal Information is used for. A responsible party can be a natural person, a juristic person such as a company or group of companies, or a government body. In the context of SMSPortal's services, you, our customer, are viewed as the Responsible Party.
Operator
A natural or juristic person that processes Personal Information for the responsible party. SMSPortal would act as the Operator in the process of rendering our services and products.
What is the Act saying about ‘Personal Information’?
What can be done?
Since you (and every other person) are likely to give personal information to many institutions and individuals, this Act restricts how those entities or people can deal with your (and their) information. This includes how they (or you) collect, record, store, distribute, share, sell, receive, transmit, destroy, and retrieve this information.
In short, the Act deals with any of these activities, which it refers to as ‘processing’ your (and their) data. It addresses all data in any form, which it refers to as a ‘record’—in other words, personal information can be in any form at all (e.g., written or filmed) but will still be considered a ‘record.’ It excludes ‘purely household activities.’
When does it apply?
You need to be fully compliant with all sections of the Act by 1 July 2021, when POPIA will be enforced.
SMSPortal recommends you act now to ensure that you are aligned with the requirements as soon as possible. WASPA is already seeking to implement these requirements under the WASPA Code.
The key provisions of this Act deal with the rights of people to object to the processing of their data at any time (unless they are required to provide it for a lawful purpose or voluntarily provide it in the course of obtaining a service). They also deal with the obligation to ask for permission to ‘process’ personal information.
This means:
- You ask for only the bare minimum of personal information required.
- The person understands why they are giving their personal information, how it will be used, and for what purpose.
Every organisation (company or other entity) must appoint its own Information Officer. The Officer must bring the organisation into line with the requirements of the Act and liaise, when necessary, with the Information Regulator.
Direct Marketing and Unsolicited Communications
The definition of direct marketing is quite broad, as it refers to communications directly targeted at promoting goods or services as well as 'indirect' marketing messages.
Communications required to be sent by law (such as bank statements or a television license renewal notice) along with communications that are necessary for the conclusion or performance of a contract do not have to comply with the regulations relating to direct marketing, even if those communications indirectly promote products or services of the sender.
Existing Customers
Section 69(3) of the Act states that the responsible party (you as the sender of marketing messaging) will not have to request marketing consent from an existing customer if the following requirements are met:
- The responsible party must have obtained the customer's contact details in the context of the sale of the responsible party's products or services.
- The Personal Information must have been collected to market the responsible party's own products and services.
- The customer must have been given a reasonable opportunity to object to the use of their personal information for marketing purposes, free of charge and without too much formality.
New Customers
If you are contacting someone for the very first time, but you want to be able to contact them again, you will need their voluntary, informed, specific, opt-in consent in writing with their full name and signature.
You must also record:
- The name and contact details of the marketer and the information officer or deputy information officer.
- The date and place where consent was given.
- The type of goods or services being marketed.
- The preferred method of future communication (SMS, email, or phone).
Important: No one is automatically opted in—if a person doesn’t tick the opt-in box, they must not be considered opted in. You need express consent.
Frequently Asked Questions
1) What is POPIA?
PoPIA is the Protection of Personal Information Act 4, 2013, South Africa. While PoPIA compliance is a hot topic currently, it has been around for quite some time. The Act was fully enacted on 1 July 2020 and was fully enforced after a one-year grace period on 1 July