Sharing personal information

POPIA for body corporates and HOAs

Members with a legitimate interest may see contact lists and arrears — “we can’t, because POPI” is usually wrong in community schemes.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
A body corporate or HOA is a responsible party under POPIA — but the Act does not seal scheme records away from the members. A member requesting the contact list or arrears information needed to exercise membership rights is a third party with a legitimate interest (s 11(1)(f)), and PAIA may give them an enforceable right of access. “We can’t, because POPI” is, in most of these cases, simply wrong.

On this page

Members asking for scheme information

The commonest community-scheme dispute: a member asks for the owners’ roll or the arrears schedule, and the trustees refuse “because of POPI”. The refusal usually gets the Act backwards. The member is a third party with a legitimate interest — section 11(1)(f) expressly contemplates supplying information to such a third party — and membership rights (requisitioning meetings, electing trustees, scrutinising finances they fund) are about as legitimate as interests get:

Source — the actual words

“(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

Protection of Personal Information Act 4 of 2013, s 11(1)(f)Read it on Dept of JusticePDF

PAIA runs alongside: a record of a private body needed for the exercise or protection of rights is accessible on request. The correct trustee response is scope control, not refusal — supply what the membership purpose needs (minimality), and record the disclosure.

Scheme scenarios: lawful or not?

Common body corporate and HOA scenarios under POPIA
ScenarioVerdictWhy
A member requests the contact list to requisition a general meetingLawfulExercising membership rights is a legitimate interest (s 11(1)(f)); PAIA may add an enforceable access right.
Trustees review the arrears schedule to manage scheme financesLawfulCore trustee function — legitimate interests and the scheme’s governing legislation.
Publishing a named arrears list on the noticeboard or group chatNot lawfulShaming exceeds the purpose; minimality (s 10) and reasonableness (s 9) fail even though recovery itself is lawful.
CCTV at gates and common property with visible signageLawfulSecurity is a legitimate interest; signage satisfies the openness duty (s 18).
The managing agent processes owner data for the schemeLawfulThe agent is an operator — a written contract with security terms is required (s 21).
Sharing an owner’s details with a marketer “for community benefit”Not lawfulNo ground covers it; electronic marketing would additionally trigger section 69.

Scheme WhatsApp groups

Residents’ social groups — braais, lift clubs, lost cats — are purely personal or household activity, outside the Act entirely (s 6(1)(a)). An official scheme channel run by the trustees or managing agent is different: that is the body corporate processing members’ numbers for scheme communication, which a legitimate interest comfortably covers — but it is not a marketing list, and adding the trustees’ side businesses to it walks straight into section 69. The full analysis is on WhatsApp groups and POPIA.

Managing agents are operators

The managing agent processes the scheme’s personal information on its mandate — the definition of an operator. Section 21 requires the body corporate to have a written contract obliging the agent to maintain security safeguards and to report any compromise immediately. Trustees who have never seen such a clause in the management agreement have found their scheme’s first real POPIA gap — the same gap that anchored the Dis-Chem enforcement notice.

Frequently asked questions

Can a body corporate refuse to give a member the owners’ contact list?

Usually not, where the member needs it to exercise membership rights — calling meetings, canvassing votes, holding trustees to account. That is a legitimate interest under s 11(1)(f), and PAIA may give an enforceable access route. Minimality still applies: the list for the purpose, not ID numbers and financials.

May trustees discuss a specific owner’s arrears at a general meeting?

Scheme finances are members’ business and arrears affect every levy payer — discussing the levy roll is part of governance. The line is purpose: reporting and deciding on recovery is lawful; naming-and-shaming theatrics exceed it.

Does the complex WhatsApp group need POPIA consent?

A residents’ social group is typically personal/household activity outside the Act. An official channel run by the body corporate is scheme processing — lawful for scheme communications, but it is not a marketing list.

Is the managing agent responsible for POPIA compliance, or the scheme?

Both, differently. The body corporate is the responsible party; the managing agent is its operator. Section 21 requires a written contract obliging the agent to maintain security safeguards and report breaches immediately.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Sharing personal information

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub