Written by: Joané Nel
 Date: 31 December 2024

What Is The POPI Act and What Is Its Purpose?

In the current digital era, individuals frequently share their personal information with a single click, sometimes without even realising it. This makes data protection more important than ever, especially in South Africa, where the Protection of Personal Information Act 4 of 2013 plays a key role in safeguarding internet users’ rights. Whether you are acting on behalf of a business that collects and processes customer data or you are an individual concerned about how your information is used and stored, understanding the POPI Act is essential.

The Protection of Personal Information Act 4 of 2013 (hereinafter “the POPI Act”) governs how personal information is collected, processed, and stored. It is primarily concerned with data that can identify individuals, such as names and contact details, and how such data may be lawfully processed. The main aims of the POPI Act are to protect individuals’ private information, set clear rules for how third parties may use this information, and place accountability on those who collect it. The Act also ensures that all personal information is handled in a legal, reasonable, and transparent manner. Burger Huyser Attorneys specialises in data privacy matters and can assist you in navigating this important legislation.

This article discusses the purpose of the POPI Act, who it applies to, the rights of the role players, and the legal remedies available.

Who Does The Protection Of Personal Information Act Apply To?

There is often confusion about who the POPI Act applies to and what its purpose is. The Act involves three primary role players:
 ● The data subject: the person whose personal information is being collected. The Act is specifically designed to protect data subjects’ rights.
 ● The responsible party: the person or entity that determines why and how personal information will be processed. This may include companies, governments, state agencies, or individuals.
 ● The operator: the person who processes personal information on behalf of the responsible party.

The POPI Act governs the relationship between these three groups and places significant responsibility on responsible parties to ensure that the operators they appoint comply with the Act.

What Are The Key Provisions Of The POPI Act?

Section 8 of the POPI Act sets out eight conditions under which personal information may be lawfully collected and processed. Any responsible party or operator handling personal information must comply with these conditions:

  1. Accountability: The responsible party must ensure compliance with all legal requirements. 
  2. Processing limitation: Personal information must be processed fairly, lawfully, and with the data subject’s consent. 
  3. Purpose-specific reasons: Personal information may only be processed for a specific, legitimate purpose. 
  4. Further processing limitation: Information may not be processed for secondary purposes unless compatible with the original purpose. 
  5. Information quality: The responsible party must ensure that all collected personal information is complete, accurate, and up to date. 
  6. Transparency: Data subjects must be informed about the collection and intended use of their personal information. 
  7. Security safeguards: Personal information must be protected from unauthorised access, interference, modification, or disclosure. 
  8. Data subject participation: Data subjects have the right to know whether an organisation holds their personal information and may request corrections or deletion. 

What Are The Rights Of Individuals According To The POPI Act?

Data subjects have several rights regarding their personal information as outlined in Sections 11 to 15 of the Act, including:

  • Informed Consent
     Data subjects must be informed when their personal information is being collected and how it will be used. They also have the right to access their personal information and request that it be corrected or destroyed.
  • Access And Correction
     Data subjects may access their personal information and request amendments if it is incorrect. Section 13 states that once the information is no longer needed, it must be destroyed.
  • Withdrawal Of Consent
     Section 11 states that personal information may only be processed if:
  • the data subject consents, 
  • it is necessary for the performance of a contract, 
  • it is required by law, 
  • it protects the data subject’s legitimate interests, or 
  • it is necessary for the legitimate interests of a third party. 

A data subject may withdraw their consent at any time.

  • Opting Out Of Marketing
     Personal information must generally be collected directly from the data subject unless:
     ○ it is contained in a public record,
     ○ collection does not prejudice the data subject,
     ○ collection is required in the public interest, or
     ○ collecting directly from the subject would prejudice a lawful purpose.

How Can I Opt Out Of Unwanted Marketing And Communications?

The POPI Act allows data subjects to opt out of marketing communication sent via email, SMS, or phone calls. If a data subject no longer wishes to receive such communication, they may inform the sender or organisation, who must then stop all further marketing. Data subjects may also object if their personal information is used or sold for targeted advertising without their consent.

What Happens If A Person Or Organisation Does Not Comply With The POPI Act?
 Failure to comply with the POPI Act may result in fines of up to R10 million or imprisonment for up to 10 years.

The Act also provides remedies for data subjects whose rights have been violated. They may claim compensation for damages arising from unlawful processing, and a court may order the responsible party to stop processing their information.

What Is The Importance Of The POPI Act?

The POPI Act plays a crucial role in protecting both individuals and businesses. Individuals must understand how, when, and why their information is collected and what rights they have. Businesses must ensure that personal information is collected, stored, and processed legally and responsibly. The POPI Act empowers data subjects to control their personal information, while guiding responsible parties to operate lawfully and transparently.

In a world where data flows quickly and often invisibly, the POPI Act acts as a vital safeguard—promoting privacy, transparency, and accountability. Whether you are concerned about how your information is handled or you are a business responsible for processing data, understanding the POPI Act is essential.

If you suspect a breach or need guidance on compliance, legal assistance is readily available. Burger Huyser Attorneys offers expert advice on data privacy matters, from drafting compliance policies to taking action against violations. Contact us today to protect your personal information and ensure your business remains compliant in an ever-evolving digital landscape.

Contact Burger Huyser Attorneys, and book a consultation.

To speak to one of our experienced attorneys in South Africa for immediate assistance, contact us on the numbers below:

Randburg call 061 516 6878; Roodepoort call 061 516 0091; Sandton call 064 555 3358 Pretoria call 064 548 4838;

Centurion call 061 516 7117; Alberton call 061 515 4699Bedfordview call 061 536 3223