Protection of Personal Information Act
POPIA Compliance v2013 (2013)
About
South African data protection legislation.
The Protection of Personal Information Act (POPIA), South Africa's Act 4 of 2013, establishes a comprehensive legal framework governing the processing of personal information by public and private entities. Parliament assented to the Act on 19 November 2013, with the substantive provisions commencing on 1 July 2020 following a one-year compliance grace period. The legislation creates binding obligations on responsible parties to ensure lawful, transparent, and secure handling of personal data through eight foundational conditions covering accountability, purpose specification, information quality, security safeguards, and data subject participation rights.
The Act establishes the Information Regulator as an independent body with authority to supervise compliance, investigate complaints, issue enforcement notices, and impose administrative fines and penalties. Archives, heritage institutions, and cultural organizations holding personal information must designate an Information Officer, conduct data protection impact assessments for high-risk processing, maintain security measures appropriate to information sensitivity, and facilitate data subject access requests. The framework applies to transborder transfers and includes specific protections for sensitive categories including health information, biometric data, and children's personal information.
Extensions
Multi-Jurisdiction Privacy Compliance Implementation note
Implements POPIA (SA), GDPR (EU), CCPA (US), PIPEDA (Canada), NDPA (Nigeria), DPA (Kenya), UK GDPR — with PII scanning and consent management.
ahgPrivacyPlugin
Details
- Issuing body: Information Regulator (SA)
- Current version: 2013
- Publication year: 2013
- Sector applicability: Archive, Library, Museum, Gallery, Dam