POPI and the Employment Life Cycle: The CDH POPI Guide

The Protection of Personal Information Act 4 of 2013 (POPI) came into force on 1 July 2020, save for a few provisions related to the amendment of laws and the functions of the Human Rights Commission. POPI places several obligations on employers in the management of personal and special personal information collected from employees, in an endeavour to balance the right of employers to conduct business with the rights of employees to privacy.

21 Sep 2020 2 min read Employment Alert Article

Responsible parties have been granted a grace period ending on 30 June 2021, to comply with the provisions of POPI. Non-compliance with POPI is a criminal offence attracting imprisonment not exceeding 10 years with or without a fine and/or an administrative fine not exceeding R10 million which may be imposed by the Information Regulator.

POPI applies to the ‘processing’ or ‘further processing’ of personal and special personal information of employees by an employer. The ‘processing’ of information relates to a comprehensive range of activities. It includes the initial obtaining or collection of personal information, the retention and use thereof, access and disclosure and finally the disposal of the data.

Although, POPI prohibits the processing of special personal information. An employer can process this information if, amongst others; it obtains express consent of the employee; it has a legal duty to do so; the information is available in the public domain or the information is being processed for historical; statistical or research purposes.

While POPI is not limited to employers and employees, there is no doubt that the employment relationship falls within its ambit. Our POPI guide contains a non-exhaustive list of the ways in which POPI applies to the employment life cycle as well as guidance notes on the various stages.

With the deadline for compliance with POPI fast approaching, employers need to, among others, appointment an information officer; conduct an assessment of their internal processes, provide their employees with POPI related training; adopt adequate controls to ensure the safety of personal information; and establish adequate policies and procedures to comply with the eight conditions for lawful processing of information, in order to be compliant on or before 30 June 2021. Our POPI guideline (available at the link below) will assist you in navigating this new terrain. The guideline answers general queries in relation to POPI in the employment environment. For more bespoke advice, please contact one of our practitioners.


The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.