Contact

POPI Regulations – An Overview

Back to top

POPI Regulations – An Overview

The Protection of Personal Information Act No 4 of 2013 (POPI) has a number of lofty and noble objectives. For example, it is intended to promote the protection of personal information processed by public and private bodies (and to introduce certain conditions so as to establish minimum requirements for the processing of personal information). It also provides for the establishment of an “Information Regulator”, mandated to exercise certain powers and to perform certain duties and functions in terms of POPI and the Promotion of Access to Information Act, 2000 (PAIA).

22 Jan 2020 4 min read Corporate & Commercial Alert Article

At the time of writing, only certain provisions of POPI have come into force (such as those mandating the establishment of the Information Regulator contained in Chapter 5). However, the primary provisions dealing with personal information and direct marketing are not yet operative.

In December 2018, the Information Regulator published regulations as contemplated in section 112(2) of POPI (the Regulations). These concern:

(1)   certain prescribed forms;

(2)   the responsibilities of what are referred to as “Information Officers”, in addition to those responsibilities contained in the Act;

(3) investigation, conciliation, and settlement of complaints; and

(4)   the process to be followed should a public or private body wish to apply to the Information Regulator for the issuing of a “code of conduct”. The Regulations are not yet operative. Presumably they will be proclaimed to be effective when the remainder of POPI is brought into force and effect.

Below is a brief overview of the Regulations.

Prescribed forms relating to the Information Regulator

The regulations prescribe certain forms to be completed, among other things, in relation to the following matters:

  1. Where a “data subject” (defined in POPI as the person to whom the personal information relates) wishes to object to the processing of personal information.
  2. Where a data subject wishes to request a correction be made to their personal information, or the deletion or destruction of their personal information.
  3. The submission of a complaint by a data subject to the Information Regulator.
  4. The request by a holder of personal information for the data subject’s consent to process their personal information for direct marketing.

The prescribed forms accompany the regulations and provide a first step towards the practical enforcement of provisions of POPI when ultimately enacted.

Information Officers

The regulations also set out the responsibilities of so-called “Information Officers”. In terms of Section 56 of POPI, read with Section 17 of PAIA, public and private bodies are required to appoint Information Officers. An Information Officer is responsible for ensuring compliance with POPI and PAIA. In addition to encouraging compliance with POPI and PAIA, Information Officers are required to:

  1. develop, implement, monitor and maintain a compliance framework;
  2. undertake a personal information impact assessment to ensure that adequate measures and standards exist;
  3. develop, monitor and maintaining an access to information manual (i.e. a PAIA manual);
  4. develop internal measures and systems to process requests for information or access; and
  5. conduct internal awareness sessions.

Investigation, conciliation, and settlement of complaints

The Regulations also provide further information in respect of the Regulator’s powers and duties as regards pre-investigation, conciliation, and settlement of complaints. This is, however, primarily in respect of the prescribed forms required to be completed by the Regulator in respect of the necessary notifications to be made to the relevant parties.

The notifications include the following:

  • As regards pre-investigation proceedings, if the Regulator intends to investigate any matter, the Regulator must notify the parties prior to conducting the investigation.
  • During the course of an investigation, the Regulator must keep the complainant, the data subject (if not the complainant) and the responsible party informed of the developments of the investigation.
  • If during the investigation of a complaint, the Regulator decides to act as a conciliator and convene a conciliation meeting, the Regulator must inform the data subject and responsible party implicated on the compliant form.
  • If it appears from a compliant, any written reply to the complaint, or during a conciliation meeting that it may be possible to secure a settlement between the parties, the Regulator may confer with the parties as required, and may hold a settlement meeting.

Industry codes of conduct

Section 5 of the Regulations provides that a “private or public body which is sufficiently representative of any class of bodies, or of any industry, profession or vocation” may apply to the Information Regulator for the issuing of a “code of conduct” as contemplated in Section 61(1)(b) of POPI. In terms of Section 60 read with Section 61 of POPI, the legislature has seemingly contemplated that the Information Regulator may issue codes of conduct that are binding on a specified class of persons (or class of information), and must:

(1)   incorporate all the conditions for the lawful processing of information; and

(2)   prescribe how the conditions for the lawful processing of information are to be applied or complied with, given the sector in which the class of persons operate.

The publication of the Regulations is a first step toward empowering the Information Regulator (and Information Officers) to discharge their functions under POPI and PAIA. As noted, they are yet to come into force and effect. In the interim, public and private bodies would be well advised to consider how they could best comply, among other things, by providing for the appointment of Information Officers, and possibly even considering how best to formulate codes of conduct which may be proposed to the Information Regulator, as opposed to waiting for the Information Regulator to impose them.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

29 Jun 2023

by Puleng Mothabeng

P.O.V: Your partner ends the partnership but at least there’s no tax payable: BPR 391

At common law, a partnership is not considered to be a legal entity or persona with legal personality separate from its partners. Rather, a partnership has been defined as a legal relationship between two or more persons who carry on a lawful business or undertaking, to which each contributes either money or labour, or anything of value with the object of making a profit, and of sharing that profit between them. As such, all legal consequences flowing from a partnership accrue to the partners in their personal capacities. This is also the position under the Income Tax Act 58 of 1962 (Act). Therefore, any property of the partnership is co-owned by the partners in undivided shares. Each partner therefore has a proportionate interest in the partnership, and by acquiring an interest in the partnership, each partner acquires an undivided share in the assets of the partnership.

Tax & Exchange Control

6 min read

6 Nov 2023

by Thabang Rapuleng and Malesela Letwaba

Take note of your vows: A couple’s transfer of employment and enforceability of restraint of trade agreements

In August 2020, CDH discussed the decision in Slo Jo Innovation (Pty) Ltd v Beedle and Another (J737/22) ZALCJHB 212 ( Beedle ), regarding the transfer of restraint of trade agreements in employment contracts. The court ruled that a restraint of trade agreement included in a contract of employment was transferable under section 197 of the Labour Relations Act 66 of 1995, as amended. The decision in Beedle was upheld by the Labour Appeal Court in Beedle v Slo-Jo Innovations HubHub (Pty) Ltd JOL 60553 (LAC).

Employment Law

3 min read

21 Feb 2024

by Louis Botha

Carbon tax changes related to the renewable energy premium deduction and carbon offset allowance

2 min read

14 Sep 2023

Our Corporate & White Collar Crime Investigations Service offering

Our Corporate & White Collar Investigations team is distinguished by the vast experience of our specialist partners some of whom have more than 20 years’ experience in this field.

Corporate & White Collar Investigations

02:09 Minutes

13 Sep 2023

by Belinda Scriba and Loyiso Bavuma

Evolving power dynamics between a board and business rescue practitioners: It’s a balancing act

As a result of the decision from the Supreme Court of Appeal (SCA) in the case of Tayob and Another v Shiva Uranium (Pty) Ltd and Others ZASCA there have been, and will continue to be, burning questions surrounding which powers shift from the board to the business rescue practitioners (BRPs) once a company has been placed under business rescue supervision. In the Shiva case, the court found that certain administrative powers were retained by the board. For more on the Shiva case see our articles here and here .

Business Rescue, Restructuring & Insolvency

7 min read

21 Aug 2023

by Lutfiyya Ramiah

The National Action Plan to combat Racism, Racial Discrimination, Xenophobia and Related Intolerance

The preamble of the Constitution reminds us that: “ We, the people of South Africa, recognise the injustices of our past; honour those who suffered for justice and freedom in our land; respect those who have worked to build and develop our country; and believe that South Africa belongs to all who live in it, united in our diversity .”

Employment Law

8 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline