Jump to content

Protection of Personal Information Act, 2013

Edit links
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Wiae (talk | contribs) at 22:43, 4 May 2022 (rephrase to avoid close copying of https://www.itweb.co.za/content/j5alrvQaVaNvpYQk). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

This article is about South African privacy legislation. For the food, see Popiah. For the 1976 TV series, see Popi (TV series). For the Greek singer, see Popi Malliotaki.

The Protection of Personal Information Act (RSA) (PoPIA or the PoPI Act) is a piece of legislation which governs the law of data protection and privacy in South Africa.[1] The act is empowered by the Constitution of South Africa. The Parliament of South Africa assented to the Act on 19 November 2013. As part of the regulation a new government agency was created, the Information Regulator[2], an independent body which is empowered to monitor and enforce compliance of the PoPI Act within the public and private sector. The act came into force 1 July 2020, which commenced a one year grace period during which all South African entities were expected to become compliant. The grace period ended 1 July 2021.[3]

Core Obligations

The PoPI Act sets out several core obligations.[4] Some of the key requirements include:

  1. Personal information can only be processed:
    • with the consent of the data subject; or
    • if it is necessary for the conclusion or performance of a contract that a data subject is a party to; or
    • it is required by law; or
    • it protects a legitimate interest of a data subject; or
    • if processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
  2. Private and public entities must report data leaks to the affected people and the Information Regulator.
  3. Organizations must appoint a responsible person who must ensure compliance to the PoPI Act.
  4. Cross-border transfers of personal data are restricted.
  5. Organizations that process personal information must ensure they satisfy minimum security obligations.
  6. Direct marketing, the sale and use of electronic directories and automated decision making are also severely curtailed.
  7. The act elevates the obligations placed on entities that process information regarding children, religious beliefs, race, ethnic origin, trade union membership, health, sex life, criminal behavior and biometric information.

Jurisdiction

The PoPI Act applies to all persons and organizations within the borders of South Africa, and extends to visitors and illegal immigrants.[5]

Penalties

Penalties under the Act include fines of up to R10 million and a jail sentence of up to 10 years.[6] No fines or jail sentences have been issued by the regulator yet.

Cybercrimes Act

South Africa does not yet have a formal cohesive piece of legislation in force which governs cybercrimes in South Africa. The Cybercrimes Act has been signed by the President of South Africa, and will come into force on a date to be proclaimed in the Government Gazette. The period between assent and commencement will be spent develop standing operating procedures and other documented processes for the implementation of provisions of the Act.[7]


Citations

  1. ^ "Protection of Personal Information Act 4 of 2013". South African Government website. Retrieved 4 May 2022.
  2. ^ "Welcome to Information Regulator South Africa". Information Regulator. Retrieved 4 May 2022.
  3. ^ Moyo, Admire (22 June 2021). "POPIA prior authorisation commencement date set for 2022". ITweb. Retrieved 4 May 2022.
  4. ^ Information Regulator https://inforegulator.org.za/acts/. Retrieved 4 May 2022. {{cite web}}: Missing or empty |title= (help)
  5. ^ "POPI and the transfer of personal information outside of South Africa". Tonkin Clacey Inc. Retrieved 4 May 2022.
  6. ^ Ramalepe, Phumi. "SA's new privacy laws are in effect – companies that fail to comply can be fined up to R10m". Business Insider. Retrieved 4 May 2022.
  7. ^ Williams, Grant (26 July 2021). "The newly enacted Cybercrimes Act and what it means for South Africans". Golegal. Retrieved 4 May 2022.
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Protection_of_Personal_Information_Act,_2013&oldid=1086228104"