The eight conditions

Access, correction and deletion: data subject rights

Anyone may ask what you hold (free), request the record, and demand correction or deletion — Form 2, 30 days, multiple channels.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Under sections 23 to 25 of POPIA, anyone may ask whether you hold information on them (free of charge), request the record itself, and request correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. Under the amended Regulations, requests can arrive by hand, post, email, SMS or WhatsApp on (or substantially similar to) Form 2 — and you must notify the person in writing of the action taken within 30 days of the outcome.

On this page

The right of access: who has what on me?

Section 23(1) gives every data subject — natural or juristic — two entitlements against any responsible party: confirmation, free of charge, of whether you hold personal information about them; and the record or a description of it, including the identity of all third parties who have had access to it, within a reasonable time, at a prescribed fee if any, and in a reasonable format. The request comes in on (or substantially similar to) Form 2 under the Regulations — and since April 2025, by hand, post, email, SMS or WhatsApp.

Correction and deletion: section 24

The grounds are specific — and they are quality grounds, not a veto:

Source — the actual words

“inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully”

Protection of Personal Information Act 4 of 2013, s 24(1)(a)Read it on Dept of JusticePDF

A data subject may demand correction or deletion of information matching that list, or destruction of a record you are no longer authorised to retain. What the section does not create is a general “right to be forgotten” that overrides your lawful retention — tax records, contractual records and litigation holds survive a deletion demand. Where you and the data subject disagree about accuracy and neither yields, the Act lets the person require you to attach their correction request to the record, so every future reader sees the dispute.

The quality duty behind the rights

Source — the actual words

“A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.”

Protection of Personal Information Act 4 of 2013, s 16(1)Read it on Dept of JusticePDF

Section 16 is the standing duty that section 24 lets data subjects enforce. It is also — not a ban — what disciplines employee references: the reference may be given; it must be accurate, relevant and not misleading.

Handling requests in practice

Build one pipeline and route everything through it: receive on every channel the Regulations now recognise (your staff must recognise a WhatsApp message as a Form 2 request); verify identity; locate the records (your retention schedule determines how painful this is); decide — supply, correct, delete, or decline with reasons on the statutory grounds; and respond in writing within 30 days of the outcome, telling the person what was done. The information officer owns the pipeline — dealing with requests is one of the statutory duties of the role.

Frequently asked questions

Can we charge for an access request?

Confirming whether you hold information on someone must be free. For supplying the record itself, a fee may be charged within the prescribed limits — but the confirmation step costs nothing.

Must we verify the requester’s identity?

Yes — adequate proof of identity protects the very information the request concerns. Handing one person’s record to another because the request "looked legitimate" is itself a breach.

What is the deadline for responding?

Under the amended Regulations, the responsible party must notify the requester in writing of the action taken on a correction or deletion request within 30 days of the outcome. Access requests must be handled within a reasonable time and in the prescribed manner.

Must we delete information whenever someone demands it?

No. The correction/deletion right targets information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully — or that you are no longer authorised to retain. Records you are required or entitled to keep (tax, contract, prescription periods) may be retained.

How do POPIA requests relate to PAIA requests?

POPIA section 23 access runs alongside the Promotion of Access to Information Act — section 23(4) channels record requests through PAIA’s procedures. Practically: one front door, two statutes behind it.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · The eight conditions

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub