Commencement of the Protection of Personal Information Act 4 of 2013

The President announced and published a proclamation, on 22 June 2020, that the majority of the provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) will commence on 1 July 2020.

POPIA is the new South African data protection legislation. The proclamation means that all the substantive requirements in POPIA in relation to data protection will be applicable from 1 July. These include, amongst other things, the conditions for the lawful processing of personal information and requirements for:

  • the treatment of sensitive personal data and children’s information;
  • the prior authorisation of certain processing activities;
  • the cross-border transfer of personal data;
  • the security of personal information;
  • the duties and responsibilities of Information Officers;
  • direct marketing by means of unsolicited electronic communication; and
  • reporting and notification of data breaches.
The provisions setting out the procedures for dealing with complaints and the general enforcement of POPIA by the Information Regulator will also come into effect on 1 July. The Information Regulator was established to implement and enforce POPIA and its powers include the ability to levy administrative fines (of up to ZAR10 million).

POPIA provides for a transitional period of 1 year.  This means that both private businesses and organisations and public bodies that process personal information must, at this stage, ensure that they comply with POPIA by 1 July 2021.

The transitional period can be extended by a further 3 years for specific classes of information and certain data controllers (referred to as 'responsible parties' in POPIA), but there is no guarantee that an extension will be given.

The sections in POPIA which will amend other laws, including the Promotion of Access to Information Act 2 of 2000 (PAIA),and which provide for the effective transfer of certain functions currently performed by the South African Human Rights Commission (SAHRC) to the Information Regulator will come into effect on
30 June 2021.

For further information please contact any of the partners in our Data Protection Practice.

Disclaimer: This publication is not intended to constitute legal advice which can only be given having regard to particular facts and circumstances. Any liability that would or could arise from or of the contents hereof is hereby excluded. Always seek professional advice from a suitably qualified lawyer on any specific legal problem or matter.

Please read our privacy policy here.

  Update my details and manage my subscriptions
Unsubscribe from all Bowmans marketing communications