FAQ - Frequently Asked Questions around PoPI Act


‘Personal Information’ means any information relating to an identifiable, living, natural or juristic person, including:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • Information relating to the education or the medical, financial, criminal or employment history of the person;
  • Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • Biometric information of the person;
  • The personal opinions, views or preferences of the person;
  • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • The views or opinions of another individual about the person; and
  • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Source: Protection of Personal Information Act 2013 (1)

Some examples of Personal Information are:

  • Names
  • ID Numbers
  • Email Address
  • Telephone Numbers
  • Address/Location
  • Gender
  • Education
  • Marital Status


High Risk / Special Personal Information:

  • Race/Ethnic origin
  • Political affiliation
  • Medical/Health/Sexual Records
  • Biometric Data
  • Trade Union Membership
  • Financial Records
  • Employment History
  • Criminal History
  • Religious/Philosophical Beliefs
  • Information of Children

These have special requirements if you handle or process such information.

The Protection of Personal Information Act 2013 is the Act that specifies what actions/procedures need to be in place in order to prevent Personal Information from being misused.

Effective from 1 July 2021.


Data Processing refers to any activity performed on or involving Personal Information


  • Saving a client's details in a database
  • Receiving a client's details to complete an order
  • Transferring employee information to a payroll service provider
  • Deleting existing Personal Information stored in a database
  • Saving a spreadsheet of users' information to an external device
  • Emailing a client details about their order
  • Sending a statement in an email

All Private and Public Entities that handle or process any Personal Information

  • Sole Proprietors
  • Partnerships
  • Companies
  • Close Corporations
  • Trusts
  • Body Corporates
  • Non-Profit Companies

The PoPI Act is effective from 1 July 2021

Information Officers need to be registered with the regulator as soon as possible.

If applicable, PAIA manuals need to be submitted to the Regulator. (PAIA regulations are often changing)

Being PoPI compliant is an ongoing process.

  • Procedures can always be improved
  • Technology changes
  • Laws change
  • Unforeseen events can occur


The onlinePoPI tool helps you to ensure ongoing PoPI Act compliance

First you need to register your Information Officer with the Regulator

onlinePoPI can then guide you through the PoPI Act, ensuring that you are compliant with the sections relevant to your entity

onlinePoPI will produce the required declarations, documentation, policies and forms your entity requires

For serious offences a maximum of a R10 million fine or imprisonment for a period not exceeding 10 years or both.

For less serious offences a maximum of a R1 million fine or imprisonment for a period not exceeding 12 months or both.

onlinePoPI will help you to be compliant with the PoPI Act and be well prepared to mitigate these risks.

You need to have assigned an Information Officer to the applicable Entity

The Information Officer needs to be registered with the Regulator

The Information Officer needs to develop and maintain a compliance framework to ensure the entity protects all the Personal Information it processes

The Information Officer needs to provide training to other employees/members/providers of the entity

Policies and Procedures need to be put in place to ensure

  • Data Subjects know how their Personal Information is being used,
  • Data Subjects know how they can access the Personal Information the entity has of them,
  • Data Subjects are informed if there are any breaches


onlinePoPI will help you with this process

The quick and simple answer:

  • If the Data subject has given their consent
  • It is required to fulfil a contract to which the data subject is a party
  • It is required by a law
  • The Regulator has approved the required data processing


The onlinePoPI tool will guide you through all the other applicable scenarios for your entity


The 8 Protection Principles of Lawful Processing:

  • Accountability - see PoPI section 4
    The Responsible Party needs to ensure that the conditions imposed by the Government have been properly complied with.
  • Processing Limitation - see PoPI sections 4, 5, 6
    Personal Information must be processed for the purpose for which it was obtained.
  • Purpose Specification - see PoPI section 7
    Information is only collected, used and stored for carefully defined purposes and time.
  • Further Processing Limitation - see PoPI section 9
    Personal Information can only be reused if this usage aligns with the original purpose of collection.
  • Information Quality - see PoPI section 10
    Personal Information usage must be guided by ‘quality over quantity’ and therefore a Responsible Party needs to ensure that the Information it manages is complete, accurate, not misleading in nature and updated wherever necessary.
  • Openness - see PoPI section 11
    The Responsible Party should be fully compliant with PAIA - Promotion of Access to Information Act (2002), and ensure that no Information is collected unless the data subject fully understands and appreciates the implications of sharing their Information.
  • Security Safeguards - see PoPI sections 13, 14, 15, 16
    The Responsible Party needs to ensure all Personal Information is securely and safely stored and processed.
  • Data Subject Participation - see PoPI sections 17, 18, 19, 20
    The Responsible Party should have measures in place to answer any questions about or update any data subject's Personal Information.

Entities that do not process any Personal Information

Every entity PoPI applies to is required to have an Information Officer.

The Information Officer is assigned by the entity to be the contact point for Personal Information issues.

The role of the Information Officer is to ensure that the entity is doing as much as it can to be compliant with the PoPI Act. This involves developing a framework for the entity, constantly improving compliance and providing training to other team members. The onlinePoPI Tool provides the Information Officer and entity with this framework, documentation and support.

The Information Officer needs to be registered with the Regulator

PAIA is the legislation governing the right of access to information.

A PAIA Manual is a document that describes how a Requester can access Records of the Entity, if the Record is required for the exercise or protection of any Rights.

The Information Officer needs to email the PAIA manual to the Information Regulator at: inforeg@justice.gov.za

Your Entity needs to assign its Information Officer.

Then you need to register your Information Officer with the Regulator at: https://www.justice.gov.za/inforeg/portal.html