POPIA’s definitions in section 1 do a lot of work. Four of them dispose of half the myths on their own — and the fifth (“consent”) explains why consent is usually the wrong ground to volunteer for. Each definition below is quoted verbatim, with what it means in practice.
“Personal information”
Personal information is information relating to an identifiable, living, natural person — and to companies:
“‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person...”
The definition then lists examples: contact details, ID numbers, location data, biometric information, opinions about a person, private correspondence, employment and financial history, and “the name of the person if it appears with other personal information relating to the person”. Two practical consequences. First, B2B data is not exempt: a company is a data subject and its information is protected (see companies and B2B). Second, information that does not identify anyone is not personal information at all — which is why the High Court held in the matric-results litigation that results published by examination number, without names, could be published.
“Processing”
Processing covers virtually anything you do with information — including sharing it:
“‘processing’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”
Note paragraph (b): “dissemination by means of transmission, distribution or making available in any other form”. Sharing personal information is processing — nothing more, nothing less. There is no separate, stricter rule for sharing. If a lawful ground under section 11 covers the disclosure and the other conditions are met, the disclosure is lawful — the full test is on the sharing page.
“Responsible party”
The responsible party is the body that decides why and how information is processed — what the GDPR calls a controller:
“‘responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;”
“Operator”
An operator is a service provider that processes for you, on your instructions:
“‘operator’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;”
Your payroll bureau, your bulk-SMS provider, your cloud host, your debt-collection agency acting on mandate — operators. The law puts the compliance duty on you, the responsible party, and requires a written contract with the operator — the Dis-Chem enforcement turned on exactly that omission. See operators and operator agreements.
“Consent”
Consent has a strict meaning:
“‘consent’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;”
“Voluntary, specific and informed expression of will.” A pre-ticked box is not consent. Silence is not consent. A blanket “we may do anything with your data” clause is not consent. This strictness is precisely why consent is usually the wrong ground to rely on when a better one exists — the full argument is on the consent page.