Search legal guides

Search MJ Kotze Inc legal guides and articles

Trading & compliance

POPIA and Data Protection When Doing Business in South Africa [2026]

Does POPIA reach your company? Information officers, lawful processing, section 72 cross-border transfer rules and fines up to R10 million, explained for foreign groups.

Published Last reviewed 13 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer

Does POPIA apply to your company?

South Africa’s data-protection statute is the Protection of Personal Information Act 4 of 2013 POPIA. Its substantive provisions commenced on 1 July 2020 with a one-year grace period, so the Act has been fully enforceable since 1 July 2021. It is policed by the Information Regulator, South Africa’s data-protection authority. Figures and enforcement status last reviewed 16 July 2026.

The territorial test has two limbs. POPIA applies to a responsible party — the person who decides why and how personal information is processed — that is domiciled in South Africa; and to a responsible party not domiciled here that makes use of automated or non-automated means in the Republic. A South African subsidiary or registered branch is squarely covered from day one. A foreign company with no local entity can still be caught through the “means” limb — South African servers, agents, distributors, field staff or a local marketing operation that collects or processes personal information will typically cross the line, so borderline structures deserve advice on the facts.

One feature surprises almost every overseas legal team: POPIA protects juristic persons as well as natural persons — wider than the European Union’s General Data Protection Regulation (GDPR), which covers natural persons only. Your database of South African corporate customers and suppliers is personal information under POPIA, and the processing conditions and transfer rules apply to it.

If you are still choosing your market-entry vehicle, start with subsidiary vs branch and external company registration — whichever you pick, the POPIA duties on this page attach as soon as the entity processes personal information.

The GDPR map: what your existing programme covers — and what it does not

POPIA and the GDPR share the same architecture, so an EU-compliant group starts far ahead. The vocabulary maps almost one-to-one:

POPIA termNearest GDPR equivalent
Responsible partyController
OperatorProcessor
Data subject (natural and juristic persons)Data subject (natural persons only)
Information officer (registered with the Regulator)Data protection officer
Section 72 transfer gatewaysChapter V international transfers
Prior authorisation (ss 57–58)No direct equivalent

Lawful processing rests on eight conditions (sections 8 to 25 of the Act): accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation. If your group already maintains GDPR-grade records of processing, privacy notices, security measures and data-subject request handling, most of that work carries across directly.

What an EU privacy pack does not discharge: the South African information officer registration and PAIA manual (next section), the treatment of juristic-person data, the prior-authorisation triggers in section 57, and section 72’s own transfer gates — which apply independently of whatever GDPR mechanism the group uses. And the traffic runs both ways: the EU has no adequacy decision for South Africa, so EU-to-SA transfers separately need GDPR Article 46 safeguards. The firm’s standing POPIA guide and South African compliance hub cover the domestic framework in more depth; this page keeps to the inbound-investor angle.

The information officer: who it is, where they must sit, and registration first

Every responsible party has an information officer by operation of law — the statute designates the head of the organisation by default:

Source — the actual words

"information officer" of, or in relation to, a— (a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or (b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

Protection of Personal Information Act 4 of 2013, s 1 (definition of "information officer")Read it on LawLibrary

The Promotion of Access to Information Act 2 of 2000 (PAIA) defines the “head” of a juristic person as its chief executive officer or equivalent — or a person duly authorised by that officer. That delegation route matters, because for a foreign-run group the Information Regulator’s Guidance Note is explicit that the role cannot sit offshore:

Source — the actual words

5.2 To ensure accessibility of a private body, the Information Officer of a multinational entity based outside the Republic must authorise any person within the Republic of South Africa as an Information Officer. 5.3 Each subsidiary of a group of companies must register its Information Officer and Deputy Information Officer(s) with the Regulator.

Note — Paragraph 7.6 of the same Guidance Note applies the rule to deputies: the information officer of a multinational based outside South Africa must designate a person within South Africa as a deputy information officer.

Information Regulator — Guidance Note on Information Officers (1 April 2021), paras 5.2–5.3Read it on Information Regulator

Registration is not optional paperwork to catch up on later — the Act makes it a precondition to the officer acting at all:

Source — the actual words

(2) Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.

Protection of Personal Information Act 4 of 2013, s 55(2)Read it on LawLibrary

Registration is done through the Information Regulator’s eServices portal. Once registered, the officer’s statutory duties (section 55(1), fleshed out by regulation 4 of the POPIA Regulations) include encouraging and ensuring compliance, developing a compliance framework, handling data-subject requests, working with the Regulator on investigations and running internal awareness. Two companion duties round out the local layer: every private body — even a one-person company — has needed a PAIA manual since 1 January 2022, when the small-company exemption lapsed; and the officer belongs on the same post-incorporation checklist as your tax numbers — see tax and employer registrations after incorporation.

Operators: put the contract in writing

An operator is POPIA’s processor — anyone who processes personal information for you under a mandate, from a payroll bureau to a cloud host. The Act requires the relationship to be contractual and the security obligations to be express:

Source — the actual words

(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.

Protection of Personal Information Act 4 of 2013, s 21(1)Read it on LawLibrary

Section 21(2) adds that the operator must notify the responsible party immediately where there are reasonable grounds to believe personal information has been compromised. In practice a GDPR-style data-processing agreement usually needs only light adaptation — reference POPIA’s section 19 security standard, cover juristic-person data and align the notification trigger. Review every South African vendor contract against this before go-live; our guide to contracts and dispute resolution covers the wider contracting framework, and if you sell software or cloud services into South Africa, see POPIA for tech companies on the firm’s software and technology law hub for the vendor-side view.

Direct marketing: electronic channels are opt-in

If your market-entry plan includes email or SMS campaigns to South African prospects, section 69 is the rule to read first — it inverts the default many marketers assume:

Source — the actual words

(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject— (a) has given his, her or its consent to the processing; or (b) is, subject to subsection (3), a customer of the responsible party.

Protection of Personal Information Act 4 of 2013, s 69(1)Read it on LawLibrary

The existing-customer soft opt-in (section 69(3)) is narrow: the contact details must have been obtained in the context of a sale, you may market only your own similar products or services, and the customer must have been offered an opt-out at collection and in every message. A prospect who is not a customer may be asked for consent once only (section 69(2), on the prescribed Form 4), and every marketing message must identify the sender and give an address to opt out (section 69(4)). One open point to watch: the Regulator’s view that ordinary voice telemarketing also counts as “electronic communication” was being tested in court in 2025–26 and remained unresolved as at July 2026 — plan conservatively.

Cross-border transfers: section 72 and the intra-group example

For a foreign group the single most important provision is section 72. The default position is a prohibition on sending personal information to anyone in a foreign country — your own head office included — unless one of five gateways applies:

Source — the actual words

(1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless— (a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that— (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country; (b) the data subject consents to the transfer; (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request; (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or (e) the transfer is for the benefit of the data subject, and— (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

Protection of Personal Information Act 4 of 2013, s 72(1)Read it on LawLibrary

The worked example every group needs: your South African subsidiary reporting customer and employee data to the foreign head office. The standard solution is the section 72(1)(a) route — a binding intra-group data-transfer agreement (or binding corporate rules) obliging the recipient to protect the data to a standard substantially similar to POPIA’s processing conditions, including restrictions on onward transfers out of the recipient’s hands. An agreement modelled on the EU standard contractual clauses usually satisfies the test if that onward-transfer language is included. South Africa publishes no official adequacy white-list, so the adequacy assessment is a self-assessment — document it. Consent (b) and contract necessity (c)–(d) are workable alternatives for specific flows, but a signed group agreement scales better than chasing consents.

Two footnotes for EU-headquartered groups. First, remember that POPIA protects juristic-person data, so B2B records need a gateway too. Second, the compliance runs in both directions: because the EU has no adequacy decision for South Africa, personal data flowing from the EU into your South African operation needs GDPR Article 46 safeguards as well. Employee data is usually the biggest intra-group flow — see employment law essentials for foreign employers for the HR side. And if the data leaving South Africa is special personal information or children’s data headed for a non-adequate country, section 72 is not the end of it — prior authorisation applies, which is the next section.

Prior authorisation: the trap GDPR programmes miss

POPIA keeps a short list of processing activities that need the Information Regulator’s advance sign-off — a mechanism with no direct GDPR equivalent, which is exactly why foreign groups routinely miss it:

Source — the actual words

(1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to— (a) process any unique identifiers of data subjects— (i) for a purpose other than the one for which the identifier was specifically intended at collection; and (ii) with the aim of linking the information together with information processed by other responsible parties; (b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties; (c) process information for the purposes of credit reporting; or (d) transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

Protection of Personal Information Act 4 of 2013, s 57(1)Read it on LawLibrary

The mechanics have teeth. You notify the Regulator — and then stop: section 58(2), in force since 1 February 2022, forbids carrying out the processing until the Regulator responds. The Regulator has four weeks to decide or to announce a more detailed investigation (section 58(3)); a further investigation must conclude within a period of up to 13 weeks (section 58(4)). Build that pause into the launch plan: credit-scoring and affordability products, background-screening services processing criminal-conduct data for clients, identifier-matching across databases, and exports of health or children’s data to non-adequate countries are the classic triggers for market entrants.

Security compromises: notify under section 22

Alongside the section 19 duty to secure personal information with appropriate, reasonable technical and organisational measures, POPIA has a breach-notification rule: where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, section 22 requires the responsible party to notify the Information Regulator and the affected data subjects. Your operators feed into the same duty — section 21(2) obliges them to alert you immediately on suspicion of a compromise, which is why the written operator contract matters in an incident.

Practical preparation beats improvisation: keep an incident-response plan that names the information officer as owner, and confirm the Regulator’s current notification channel at the time of reporting, as its processes continue to develop. A security compromise is also the fact pattern behind one of the Regulator’s best-known enforcement notices — which brings us to the track record.

Enforcement: R10 million fines and a real track record

POPIA’s ceiling is an administrative fine of up to R10 million per infringement (section 109(2)(c)); certain offences also carry up to 10 years’ imprisonment. The Information Regulator publishes its enforcement notices, and the record since 2023 shows a regulator willing to use its powers against government departments, listed retailers and global platforms alike:

  • Department of Justice and Constitutional Development — the first-ever administrative fine, R5 million, by infringement notice dated 3 July 2023; the department is challenging the fine in court, with the case still pending per the Regulator’s November 2025 statement.
  • Dis-Chem Pharmacies — enforcement notice issued 31 August 2023 over the April–May 2022 security compromise.
  • FT Rams Consulting — the first direct-marketing enforcement notice, 27 February 2024, followed by a R100 000 infringement penalty for ignoring it; the penalty went unpaid and the Regulator has sued to recover it.
  • WhatsApp LLC — an enforcement notice issued in September 2024 (published April 2025) citing breaches of sections 8, 9, 11, 13, 15, 17 and 19, with GDPR-parity concerns — settled on 13 November 2025 with transparency and consent undertakings. The detailed settlement terms are not public; this reflects the parties’ public statements.

The pattern for a market entrant is clear: the cheap, controllable items — a registered South Africa-based information officer, a PAIA manual, written operator contracts, an intra-group transfer agreement and an opt-in marketing list — are precisely the items the Regulator tests first. Doing them at setup costs a fraction of doing them under an enforcement notice.

Frequently asked questions

More market-entry questions are answered in the Doing Business in South Africa FAQ.

  • It can. POPIA applies to a responsible party domiciled in South Africa, and to one not domiciled here that makes use of automated or non-automated means in the Republic — servers, agents, personnel or a local operation processing personal information. A foreign parent with no South African footprint is usually reached indirectly: its South African subsidiary may only send personal information to it through a section 72 gateway, and the Information Regulator’s Guidance Note requires a multinational operating from outside South Africa to authorise an information officer within South Africa.

  • Yes — through a section 72 gateway. Sending personal information to a recipient in a foreign country, including a group hosting platform, is prohibited unless a gateway applies. Most groups rely on section 72(1)(a): a binding agreement or binding corporate rules giving the data substantially similar protection to POPIA, including restrictions on onward transfers. Consent and contract necessity are alternatives. South Africa publishes no official adequacy white-list, so the assessment is yours to make and document. Special personal information or children’s data going to a country without adequate protection additionally needs prior authorisation under section 57(1)(d).

  • No — it is an excellent starting point, not a substitute. The two laws share the same architecture, so records of processing, security measures and data-subject request handling carry across. But POPIA also protects juristic persons (companies), requires an information officer registered before taking up duties plus a PAIA manual, imposes prior-authorisation triggers with no direct GDPR equivalent, and applies its own section 72 transfer gates. And because the EU has no adequacy decision for South Africa, EU-to-SA flows separately need GDPR Article 46 safeguards. An EU privacy pack does not discharge the South African-specific duties.

  • Yes. Every responsible party must register its information officer before that officer takes up duties (section 55(2)) — done through the Regulator’s eServices portal. A multinational operating from outside South Africa must authorise a person within South Africa, with South Africa-based deputies, per the Regulator’s Guidance Note; each group subsidiary registers its own officers. You must also adopt a PAIA manual — compulsory for every private body since 1 January 2022 — and notify the Regulator for prior authorisation before starting any processing listed in section 57.

  • Administrative fines run to a maximum of R10 million (section 109), and certain offences carry up to 10 years’ imprisonment. Enforcement is real: the Department of Justice received the first administrative fine of R5 million in 2023 (now under court challenge); FT Rams Consulting received the first direct-marketing enforcement notice on 27 February 2024 plus a R100 000 infringement penalty for ignoring it; Dis-Chem received an enforcement notice on 31 August 2023 over a security compromise; and WhatsApp settled the Regulator’s enforcement notice on 13 November 2025 with transparency and consent undertakings.

  • Not without consent. Section 69 makes direct marketing by electronic communication — automatic calling machines, fax, SMS or email — opt-in. There is a narrow soft opt-in for your existing customers: details obtained in the context of a sale, marketing only your own similar products or services, with an opt-out offered at collection and in every message. You may ask a prospect for consent once, on the prescribed form, and every message must identify the sender and give an opt-out address. Whether ordinary voice calls also count as electronic communication was still being tested in court as at July 2026.

This guide states the position as at 16 July 2026. It is general information, not legal advice — POPIA outcomes turn on your data flows, structures and documents, so take advice on your facts before processing begins.

For the businesses we act for

The Keystone Workspace

The attorney-designed platform the businesses we act for use to run their contracts, e-signatures and company secretarial work in one place.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration 17444.

This guide is general information, not legal advice for your specific matter.

Work with an attorney

Set up in South Africa with counsel on the ground

Martin Kotze advises overseas companies and their local teams on South African market entry — entity setup, directors and governance, contracts, employment and regulatory compliance. General guidance on this page is not a substitute for advice on your facts.