The Protection of Personal Information Act 4 of 2013 (“the Act” and “POPI”) aims to regulate the processing of personal information in order to protect the constitutional right to privacy. It does this by, among other things, setting out conditions for the “lawful processing” of personal information. Compliance with its provisions is compulsory for most companies in South Africa; penalties, fines and even criminal liability are imposed by the Act in order to ensure such compliance.


Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) became applicable as of 1 July 2020. This means that companies need to be compliant with the main portion of the Act by 1 July 2021. With this date being just over two months away and with the consequences for non-compliance being so serious, businesses may be scrambling for any last-minute guidance to ensure that the procedures they have in place will fit the standards of the Act. Logically, some businesses may turn to the Act’s Regulations (“the Regulations”) to provide such guidance.


Being only 8 pages long with an extra 35 pages of standardised forms, the Regulations unfortunately do not provide any sought-after practical guidance and insight into how to comply with the Act as a whole. With their content prescribed by section 112 of the Act, the scope of the Regulations is quite limited.


It is expected that most professional bodies will release their own industry-specific POPI regulations and guidelines with greater detail on how their members may comply. Until these guidelines are released, companies and professionals will need to comply as best they can with the gazetted Regulations, limited though they may be.


Principally, the Regulations provide for the procedures to be followed and the relevant forms to be submitted in relation to specific provisions of the Act, including the procedures to be followed when:


  1. Objecting to the processing of personal information in terms of section 11(3)(a);
  2. Requesting the correction or deletion of personal information or destruction or deletion of a record of personal information in terms of section 24(1);
  3. Applying for the issuing of a code of conduct in terms of section 61(1)(b);
  4. Requesting a data subject’s consent to process personal information in terms of section 69(2);
  5. Submitting a complaint in terms of section 74(1);
  6. A Regulator decides to act as a conciliator during an investigation;
  7. A Regulator intends to investigate a matter provided for in Chapter 10 of the Act;
  8. Settling complaints; and
  9. Requesting an assessment in terms of section 89(1).


The Regulations also set out the responsibilities of information officers, in addition to those provided by section 55(1) of the Act.

Accordingly, a company’s main point of reference in ensuring compliance with the provisions of the Act is still the Act itself; the Regulations only come into play when a party needs to take procedural steps in the specific instances set out in section 112 of the Act. If a company wants further practical insight into how to comply with the Act/POPI, it may need to consult online resources and undergo training from the relevant competent bodies.


There are eight principles to POPI compliance, downloadable here, the most important of which is probably the second: processing limitation. This principle deals with lawfulness of processing information – that such information should be collected lawfully, as minimally as possible, with the subject’s direct consent and with adequate justification. A good rule of thumb until more specific guidelines are published (but which by no means replaces these guidelines) is to always obtain a person’s informed consent before collecting their information, to collect only what you need, and to use it only for the purpose explained to the person.


Save for Regulation 4 (providing for the responsibilities of information officers), which will commence on 1 May 2021, and Regulation 5 (providing for the application for the issuing of a code of conduct), which commenced on 1 March 2021, the Regulations will commence on 1 July 2021. If in doubt regarding compliance for your business, it is advisable to contact a reputable lawyer for assistance.

About the author

Mikayla joined Dunsters as a candidate attorney in 2020 and is currently in her second year of articles. She is an alumna of Stellenbosch University where she obtained her BA(Law), LLB and LLM degrees. While completing her LLM she obtained practical experience in the legal field and gained valuable insight into the plight of disadvantaged communities by working as a paralegal at the Stellenbosch University Law Clinic.

Mikayla enjoys general civil litigation and has a keen interest in Company and Tax Law. She particularly enjoys drafting civil pleadings as well as tailoring commercial contracts to suit each client’s unique goals.

In her time off, Mikayla enjoys taking long drives and frequenting outdoor markets.
