Start here

POPIA protects companies too: juristic persons and B2B data

Unlike the GDPR, POPIA protects identifiable, existing juristic persons — companies, CCs and trusts are data subjects.

Published Last reviewed 6 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
POPIA protects companies, close corporations and trusts, not only individuals. The definition of personal information expressly extends to “an identifiable, existing juristic person” — so B2B databases, supplier records and company contact lists are regulated personal information, and a company can complain to the Information Regulator just as a person can. This is a major difference from the GDPR, which protects natural persons only.

On this page

Does POPIA protect company information?

Yes — by express definition. Many businesses assume privacy law is about individuals, so company data is “fair game”. Under POPIA that assumption is wrong from the first line of the Act:

The myth

POPIA only protects individuals — company information is fair game.

What the law actually allows

POPIA protects identifiable, existing juristic persons too. Companies, close corporations and trusts are data subjects; their information is personal information; and they hold the same rights of access, correction, objection and complaint.

What the Act actually says

“’personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person...”

Protection of Personal Information Act 4 of 2013, s 1, definitions of “personal information” and “person”Read it on Dept of JusticePDF

What this means for B2B data in practice

Your supplier database, your B2B prospect list, your tenant company records — all regulated personal information. In practice this changes less than the myth-makers fear and more than the cavalier assume. It changes little because the same six lawful grounds carry ordinary B2B dealing: performing contracts with corporate counterparties, complying with FICA and tax law, and pursuing legitimate business interests. It changes a lot for the cavalier because a juristic person can object, demand access and correction, and complain to the Information Regulator — and because section 69’s electronic-marketing regime protects data subjects generally, which includes companies. Scraping a directory of company emails and blasting it is not made lawful by the targets being businesses.

The GDPR contrast

The GDPR protects natural persons only — its recitals say so expressly. POPIA went further, deliberately. For multinationals this is a recurring compliance gap: a GDPR-built privacy programme imported into South Africa will systematically miss juristic-person data subjects. The other differences that matter — grounds naming, transfer mechanics, breach clocks and fine structures — are compared on POPIA vs GDPR.

Source — the actual words

“’data subject’ means the person to whom personal information relates;”

Note — “Person” in turn means a natural or a juristic person — so wherever the Act says “data subject”, a company can stand in that position.

Protection of Personal Information Act 4 of 2013, s 1, definition of “data subject”Read it on Dept of JusticePDF

Frequently asked questions

Can I email a company at its info@ address without worrying about POPIA?

The company’s information is itself protected — a company is a data subject. For B2B direct marketing by email, section 69 applies to data subjects generally, including juristic persons, so the same opt-in / existing-customer rules are the prudent baseline.

Are a director’s details at work “company information”?

No — information about an identifiable natural person remains that person’s personal information even in a business context. A named director’s direct email identifies a person; treat it as personal information.

Is information from CIPC or other public registers free to use?

Public-record information still falls under POPIA, but the Act accommodates it: collection from a public record is an exception to direct collection (s 12(2)), and further processing of public-record information is deemed compatible (s 15(3)). The conditions — minimality, openness, security — still apply.

Does the GDPR protect companies like POPIA does?

No. The GDPR protects natural persons only. POPIA’s extension to identifiable, existing juristic persons is one of the most important differences between the two regimes.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Start here

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub