The Protection of Personal Information Act (POPI Act or POPIA) is South Africa’s data protection law. The first question you need to ask is: do you have to comply with it? Who must comply with POPIA? Who does the POPI Act apply to? What is the territorial scope of the POPI Act? You need to know whether you have to comply or not. If not, you can afford to procrastinate. If you must comply, you have no time to lose and you need to take action fast.

For many, the answer is a simple yes. For a few, the answer is more complicated.

You need to comply if:

  • your organisation is domiciled in South Africa, or
  • your organisation is not domiciled in South Africa, but processes personal information in South Africa.

Whether or not you process in South Africa can be difficult to answer. This is important to understand, because POPIA can apply even if your organisation is domiciled outside South Africa.

Your organisation does not need to comply if it is domiciled and processes outside of South Africa. In this respect, POPIA is not like the GDPR and Kenyan Data Protection Act, which require you to comply if your organisation processes the personal information of data subjects in the territory. POPIA focusses on the location of processing rather than the location of the data subject.

-If you don’t want to comply with POPIA, move outside South Africa and process from there-

Remember that even though you are in South Africa, you might not have to comply because your processing is exempt – the processing of some personal information is excluded. For example, if you are processing purely for a personal reason or as a household activity then POPIA won’t apply to you.

-POPIA is about where you process and not who your data subjects are-

If you do need to comply, you can find out how we can help you. The risks are significant and there is no time to lose – POPIA already commenced on the 1st of July 2021.

The responsible party must comply?

POPIA requires someone called the responsible party to do all sorts of things. The responsible party is called the controller in most parts of the world. Who is this responsible party? Are you a responsible party? The responsible party is the person “which, alone or in conjunction with others, determines the purpose of and means for processing personal information.” There are often many organisations that have relationships regarding data processing, and often the question is – Who is responsible for data protection in your relationships? Note – it is the responsible party and not the operator.

The responsible party could be a:

  • public body, including government departments, municipalities, and any institution performing a public power
  • private body, including a partnership
  • natural person who carries or has carried on any trade, business or profession, but only in such capacity
  • juristic person – either former or existing

Which responsible parties does the POPI Act apply to?

If you answer yes to either of the following questions, you have to comply with POPIA.

Are we domiciled in South Africa?

Domiciled is a Latin word that simply means reside or be based in South Africa. So, if you are a legal entity (like a company or trust) that is registered in South Africa, you’re domiciled in South Africa. If you’re a natural person living in South Africa, you’re domiciled in South Africa.

This question is like the question for the application of the GDPR – Are we established in the European Union? Very similar considerations apply.

Do we process personal information in South Africa?

In other words, do you use equipment (like a server or computer) located in South Africa to process personal information? If so, POPIA applies. However, there is an exception. If you use equipment only to forward information through South Africa, POPIA does not apply to you.

Remember that process means processing by the responsible party (controller) or by an operator on its behalf (processor). So, if your operator is using equipment in South Africa to process personal information for you, you will have to comply.

It does not matter who your data subjects are

If you are a company registered in South Africa but only process the personal information of Europeans, you have to comply with POPIA (and the GDPR) to protect the personal data of Europeans. And if you are an organisation domiciled in Europe and process in Europe the personal information of South African data subjects (for example, to offer them goods or services), you don’t need to comply with POPIA. You would, however, need to comply with the GDPR regarding South African data subjects.

-POPIA is not extraterritorial like the GDPR.-

But if you are domiciled outside of South Africa but you process personal information in South Africa, you must comply with POPIA.

If you are domiciled outside of South Africa and are considering outsourcing some processing to a South African company, remember that this will trigger you having to comply with POPIA.

-If you outsource processing to South Africa, you’ll have to comply with POPIA-

Who is exempt from POPIA?

But hang on, some processing is excluded. POPIA provides a few exemptions. If you answer yes to any of the following questions, you do not have to comply with POPIA.

  1. Do we process personal information that is not entered into a record?
  2. Do we process personal information in the course of purely household activities?
  3. Is the information we process de-identified so that it no longer amounts to personal information?
  4. Are we a public body that protects national security?
  5. Are we a public body that prosecutes offenders?
  6. Are we a cabinet (and its committees) or the executive council of a province?
  7. Are we a court referred to in s166 of the Constitution and process for judicial functions?
  8. Do we process for purely journalistic, artistic or literary purposes?

Your responsible party might make you agree to comply

If you answered no to the questions, you might still need to comply with the POPI Act in the responsible party-operator (controller-processor) relationship. Are you domiciled outside South Africa, and do you process lots of personal information outside South Africa for South African organisations? If you are an operator for a responsible party who must comply, you are not obliged by law to comply with the POPI Act. However, your responsible party will probably contractually oblige you to comply. It might be worthwhile to prepare your company for those obligations beforehand.


Source: Michalsons | By John Giles