Draft Residential Communities Industry Code of Conduct out for comment
At a glance
- The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa’s primary data protection law and empowers the Information Regulator to oversee compliance with general data protection laws.
- The Information Regulator has recently published the draft Residential Communities Industry POPIA Code of Conduct. The Code is intended to promote compliance with POPIA and ensure that POPIA compliance frameworks are developed, implemented, monitored, and maintained by and for the relevant bodies and their members.
- The Information Regulator has invited affected persons to submit written comments within 14 days of 23 May 2025.
In line with this, the Regulator has recently published the draft Residential Communities Industry POPIA Code of Conduct (Code), prepared by the Residential Communities Council (RCC) and the National Association of Managing Agents (NAMA). The Code is intended to promote compliance with POPIA and ensure that POPIA compliance frameworks are developed, implemented, monitored and maintained by and for the RCC, NAMA and their members. Furthermore, it aims to provide transparency on how personal information is processed in this sector. The Regulator has invited affected persons to submit written comments within 14 days of 23 May 2025.
The Regulator has emphasised, in many news briefings and statements, that the processing of personal information by bodies corporate and residential schemes has been a major concern for many members of the public.
Although the Code is a welcome step toward structured compliance in the residential communities sector, it must fully meet the requirements set out in sections 60 and 61 of POPIA, as well as the Regulator’s Guidelines to Develop Codes of Conduct (Guidelines), to be considered legally sound and effective.
This article considers the contents of the Code in light of POPIA and the Guidelines.
Who is affected?
The Code applies to RCC and NAMA members, which include homeowners’ associations, managing agents, and service providers such as security firms, IT vendors, and legal professionals. It governs the processing of personal information of homeowners, residents, visitors, employees and contractors within residential communities. These entities and individuals are categorised as either responsible parties, data subjects or third-party operators, with different provisions applicable to each.
Key highlights
The Guidelines explicitly state that codes do not replace the relevant provisions of POPIA but operate in support of its requirements. With this in mind, there are several areas of concern and gaps in the Code.
Overreliance on consent as a lawful basis for processing
POPIA contains a number of lawful bases for processing. The Code treats consent as a default mechanism, including in questionable contexts such as visitor and resident management. This may create confusion about when other lawful bases (contractual necessity, legal obligation or legitimate interests) should apply. Ideally, the context of the relationship with a particular category of data subject should determine the most appropriate lawful basis.
Status of contractors and other parties
The Code assumes that a responsible party and operator relationship applies with contractors (i.e. security companies or property platforms). In practice, however, there may be a joint controller relationship, or the parties may have independent responsibilities. This is not appropriately addressed.
The use of unique identifiers
The Code’s assertion that sections 57 and 58 of POPIA will no longer apply once the Code is approved, on the basis that RCC and NAMA will ensure unique identifiers are not used, raises legal and practical concerns. POPIA requires each responsible party to obtain prior authorisation from the Regulator when processing unique identifiers for purposes beyond their original intent.
The Code assumes that unique identifiers will not be used, which is impractical in residential communities where identity numbers and biometric data are common. This may result in responsible parties in the residential communities industry (RCI) assuming that they are exempt from seeking prior authorisation, despite POPIA placing that responsibility on each individual responsible party, not on industry bodies. The Code should include clauses which caution against the re-purposing of unique identifiers or function creep to ensure that it is compliant.
Retention periods for personal information
POPIA requires that personal information may not be retained for longer than is necessary. The Code provides recommended retention periods for various categories of personal information. For example, the Code recommends that visitor records be retained for as long as the information is used and a period of 30 days thereafter. The Code acknowledges that there is no law which currently defines the retention period for visitor records. However, not all of the recommended retention periods in the Code are based on legal requirements; some are based on industry practice or on the absence of law. This is likely to result in inconsistent application, as members may treat these retention periods as prescriptive rather than as guidance that remains subject to the necessity of the retention.
Monitoring and governance
Another gap relates to the monitoring and governance of the Code. It makes provision for the boards of the RCC and NAMA, but does not provide for how compliance with the Code will be maintained, e.g. which body is responsible for monitoring compliance among members, how often audits are conducted, and how non-compliant members will be disciplined. There is no mention of annual reporting to the Regulator as per Clause 25 of the Guidelines. The Guidelines require that a clear governance structure or an oversight committee be put in place.
The Code provides adequate guidance on the following aspects:
- In relation to the retention of personal information, the Code seeks to propose appropriate retention periods for certain records, including legislated timeframes.
- The Code imposes security safeguards which are aligned with industry standards i.e. ISO 27001, NIST Cybersecurity Framework and the UK ICO Cybersecurity Scheme.
- The Code correctly interprets many of the eight conditions for lawful processing.
- The Code recognises the need for operator agreements and conducting risk assessments.
Public comments on the Code
There remains an opportunity to refine the Code and clarify its ambiguities. Any amendments should be guided by the spirit and purpose of POPIA, ensuring that the Code supports, not substitutes, the law. As of 23 May 2025, the draft Code is open for public comment for a period of 14 days. Stakeholders are encouraged to review it and submit feedback to help shape a more effective and compliant framework.
Comments can be directed to:
POPIACompliance@inforegulator.org.za.
Link to draft Code:
RCC and NAMA POPIA Code of Conduct.
Link to notice from Information Regulator:
Protection of Personal Information Act: Residential Community Industry (RCI)
Copyright © 2025 Cliffe Dekker Hofmeyr. All rights reserved.