The Protection of Personal Information Act, 2013 (POPI) commenced on 1 July 2020. The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed. The Act gives effect to the right to privacy in terms of section 14 of the Constitution of the Republic of South Africa, 1996, and provides 8 conditions a responsible party must comply with to lawfully process personal information.
Definitions and who the Act applies to
The Act applies to responsible parties who are either domiciled in the Republic of South Africa or who are domiciled elsewhere, but make use of automated or non-automated means in South Africa. A responsible party is defined as a party that determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party. The Act defines personal information as any information that identifies a person such as race, gender, sex, name, e-mail address, physical address, telephone number, information relating to health, education, financial, and employment history amongst others.
8 conditions to process personal information lawfully – POPI compliance
In order to process or collect personal information, a responsible party must comply with the 8 Conditions set out in the Act. I’ve provided an infographic summary of these 8 conditions below. Non-compliance of the Act attracts a fine or imprisonment for a period not exceeding ten years, or both a fine and imprisonment. It is important to note since the commencement of the Act, the Act provides a 12-month grace period. Be POPI compliant now rather than later.
POPI Infographic by Novia Sauls
For more information on the sections of the POPI Act that have commenced on 1 July 2020, view my previous article. (Click on the hyperlink).