The myth
“Personal information may not leave South Africa.”
Cross-border transfers are allowed through any one of five gateways. There is no data-localisation rule, no adequacy list, and no Regulator approval step for ordinary transfers.
“(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that— (i) effectively upholds principles for reasonable processing... substantially similar to the conditions for the lawful processing of personal information... and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information...; (b) the data subject consents to the transfer; (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party...; (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or (e) the transfer is for the benefit of the data subject, and— (i) it is not reasonably practicable to obtain the consent... and (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.”
Working the five gateways
Gateway (a), the protection gateway, carries the recurring flows: a foreign law of substantially similar effect, the group’s binding corporate rules, or (most commonly) a binding agreement with the recipient. Gateway (b) is consent: once again only one of the options, and the weakest for systematic flows. Gateways (c) and (d) carry transaction-driven transfers: the client’s own contract needs it, or a contract in the client’s interest does (the overseas hotel, the foreign correspondent attorney). Gateway (e) covers the benefit-of-the-data-subject edge cases where asking first is impracticable but the answer would obviously be yes.
Cloud providers and SaaS: the binding agreement in your terms
Using Microsoft 365, Google Workspace, AWS or any reputable offshore processor is typically covered by gateway (a): the data-processing agreement these providers sign is a “binding agreement” imposing protection substantially similar to POPIA’s conditions, including onward-transfer limits for sub-processors. Two pieces of homework make the reliance real: locate and file the DPA (it doubles as your section 21 operator contract), and disclose the transfer in your privacy notice — section 18(1) expects cross-border intentions to be named. “Data residency” product tiers are a commercial choice, not a POPIA requirement.
The genuine trap: special and children’s information
One transfer category does need the Regulator: transferring special personal information or children’s information to a country that does not provide adequate protection requires prior authorisation under section 57(1)(d). Health data to an offshore practice-management platform, HR-medical records to a global HRIS, a school’s learner records to foreign ed-tech — check the destination’s protections before migrating, and apply once-off where the trigger is met.