POPIA -

Protection of Personal Information

Public and Private bodies are required to register with the Information Regulator their Information Officers as outlined in section 55 of POPIA.

Who should be registered as an Information Officer?

Information Officers are, by virtue of their positions, appointed automatically in terms of PAIA and POPIA. Information Officers of public and private bodies must designate and/or delegate any power or duty to Deputy Information Officers, as necessary to make the body as accessible as reasonably possible.

Registering Information Officers

The Information Officers are required, in terms of Section 55(2) of POPIA, to take up their duties only after being registered with the Regulator. The registration of Information Officers can be done on the Regulator’s E-Services Portal

Your duties as the Information officer

Section 55(1) of POPIA sets out the duties and responsibilities of an Information Officer which include the following:-

the encouragement of compliance by the Body with the conditions for the lawful processing of personal information.

an Information Officer may develop a policy on how employees should implement the eight (8) conditions for the lawful processing of personal information or consider issuing a circular in the case of provincial and national departments;

dealing with requests made to the Body pursuant to POPIA.
working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body
ensuring compliance by a body with the provisions of POPIA

The additional duties and responsibilities of the Information Officers, in terms of regulation 4 of POPIA, are to ensure that

a compliance framework is developed, implemented, monitored and maintained;
a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of PAIA, as amended;
internal measures are developed together with adequate systems to process requests for information or access thereto;
internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Regulator; and
upon request by any person, copies of the manual are provided to that person upon the payment of a fee to be determined by the Regulator from time to time..

Related Resources

Guidance Note on Information Officers and Deputy Information Officers

Notices
Approved Codes of Conduct
Guidelines
Forms
Prior Authorisation
Exemptions

Guidance note on direct marketing in terms of the Protection Of Personal Information Act of 2013 (POPIA)

The purpose of this Guidance Note is to guide the responsible parties on how to comply with POPIA when processing personal information of data subjects for direct marketing by means of unsolicited non-electronic communications in terms of sections 11 and unsolicited electronic communications in
terms of section 69 of POPIA.

Guidance Note: Guidance note on direct marketing in terms of the Protection Of Personal Information Act of 2013 (POPIA), 03 December 2024

Processing of personal information of voters, and the countering of misinformation and disinformation during elections.

The purpose of the guidance note is to guide political parties and independent candidates in respect of the scope and applicability of the Protection of Personal Information Act, 4 of 2013 (POPIA) and measures that can be taken to comply with the provisions of POPIA, whilst ensuring the free flow of accurate and reliable information to achieve free and fair elections.

Guidance Note: the processing of personal information of voters, and the countering of misinformation and disinformation during elections in terms of the Protection of Personal Information Act, 4 of 2013, 14 May 2024

Processing of Special information

The purpose of this Guidance Note is to guide responsible parties who are required to obtain authorization from the Regulator to process special personal information, as provided for in section 27(2) of POPIA.

Guidance note: the processing of Special Personal Information, 28 June 2021
FORM: Application form for authorisation to process Special Personal Information

Processing of Personal Information of Children

The purpose of this Guidance Note is to guide responsible parties who are required to obtain authorisation from the Regulator to process personal information of children, as provided for in section 35(2) of POPIA.

Guidance Note: the processing of personal information of children
FORM: Application form for authorisation to process Personal Information of Children Information, 28 Jun 2021

Processing Personal Information in The Management and Containment of COVID-19 Pandemic

Guidance Note: the processing of personal information in the management and containment of Covid-19 Pandemic in terms of the Protection of Personal Information Act 4 Of 2013 (POPIA), 03 Apr 2020

Processing of Personal Information of a Voter by a Political Party

The purpose of the document is to guide political parties with regards to the scope and applicability of the Protection of Personal Information Act, 4 of 2013 (POPIA) in relation to political parties.

Guidance Note: Processing of Personal Information of a Voter by a Political Party in terms of the Protection of Personal Information Act, 4 of 2013, 28 Jan 2019

In terms of the provisions of section 61 (2) of the Protection of Personal Information Act (POPIA) No 4 of 2013, the Information Regulator gives notice that is in receipt of a codes of conduct from:

Notice in terms of Section 61(2) of the Protection of Personal Information Act No 4 of 2013 (POPIA): Credit Bureau Association (CBA), Code of Conduct: Lawful Processing of Personal Information in credit Sector, 14 Apr 2021
Proposed Code of Conduct by the Residential Communities Council (RCC) – 08 September 2023
Proposed code of conduct from the Direct Marketing Association of Southern Africa (DMASA) that deals with how personal information will be processed in the Direct Marketing Industry – 30 June 2023
Proposed code of conduct for processing personal information in the research sector – 12 May 2023
Code of conduct from the Credit Bureau Association (CBA) – Approved, 12 October 2022
Code of conduct from the Banking Association South Africa (BASA) – Approved, 12 October 2022
Code of conduct – Lawful Processing of Personal Information by credit bureaus in South Africa, 24 June 2022
Code of conduct for the processing of personal information by the banking industry, 24 June 2022
Code of conduct from the Credit Bureau Association (CBA), 14 Jan 2022
Code of conduct from the Banking Association South Africa (BASA)
Code of conduct from Credit Bureau Association (CBA) , 20 December 2021
SILK ROUTE GOLD (PTY) LTD, 02 August 2021
MAKTABA STATIONERY TA PNA, 02 August 2021
WILLCOM (Pty) Ltd, 02 August 2021
ROCKJUMPER BIRDING TOURS CC, 02 August 2021
National Radiology Services Inc, 02 August 2021
REGIO INDEPENDENT SCHOOL, 02 August 2021

Notice in terms of Section 61(2) of the Protection of Personal Information Act No 4 of 2013 (POPIA): Banking Association South Africa (BASA), Lawful processing of personal information by member Banks, 08 June 2021 Code of conduct from the Banking Association South Africa(BASA)

Guidelines

Email applications for codes of conduct: POPIACompliance@inforegulator.org.za

A standard for making and dealing with complaints under approved codes of conduct, issued, 01 Mar 2021
Checklist that accompanies the Guideline to Develop Codes of Conduct has also been issued, 03 Mar 2021 Guidelines to develop Code of Conduct, 15 Feb 2021, issued under the Protection of Personal Information Act 4 of 2013 (POPIA). Xhosa Version

Protection of Personal Information (POPIA) Forms

Application Form for Prior Authorisation Responsible parties may submit their applications for prior authorisation by completing the form.
FORM SCN1 – Security Compromises Notification – Fillable Form
Guidelines on completing a Security Compromise Notification into Section 22 POPIA
Form 1: Objection to the Processing of Personal Information
Form 2: Request for Correction or Deletion of Personal Information or Destroying or Deletion of Record of Personal Information
Form 3: Application for the Issue of a Code of Conduct
Form 4: Application for the Consent of a Data Subject for the Processing of Personal Information for the Purpose of Direct Marketing
Form 5: Complaint Regarding Interference with the Protection of Personal Information/Complaint Regarding Determination of an Adjudicator
Form 20: Request for an Internal Review s in the rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator
Application form for authorisation to process Special Personal Information
Application form for authorisation to process Personal Information of Children
Exemption Application Form submitted in terms of section 37(1)

This Guidance Note is issued to guide responsible parties who are currently processing or intend to process personal information which is subject to prior authorization to ensure compliance with the relevant provisions of the Protection of Personal Information Act 4 of 2013 (POPIA).

Guidance Note on applications for Prior Authorisation (Revised)

POPIA prescribes the eight (8) conditions for the lawful processing of personal information by or for a responsible party. These conditions are not applicable to the processing of personal information to the extent that such processing is exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.

Guidance note on exemptions 2021
Application Form for Exemptions: Follow this link for the Exemption Application Form
Email Address: POPIACompliance@inforegulator.org.za

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.