The eight conditions: POPIA’s actual compliance checklist

What “POPIA compliance” really means — eight conditions in section 4, not a stack of consent forms.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
Whatever lawful ground you rely on, processing must satisfy eight conditions listed in section 4(1) of POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. This — not collecting consent forms — is what “POPIA compliance” actually means.

What are the eight conditions?

Section 4(1) lists them. Each condition below links to its deep guide where one exists — together they are the actual work plan for POPIA compliance:

  • 01 Accountability (s 8)

    The buck stops with you, the responsible party — including for work your operators do.

  • 02 Processing limitation (ss 9–12)

    Process lawfully and reasonably; collect only what the purpose requires; have a section 11 ground; collect directly from the data subject unless an exception applies.

    Guide: Minimality & collection

  • 03 Purpose specification (ss 13–14)

    Collect for a specific, explicitly defined, lawful purpose — and don’t keep records forever.

    Guide: Purpose & retention

  • 04 Further processing limitation (s 15)

    New uses of existing information must be compatible with the purpose of collection — with a list of deemed-compatible uses.

    Guide: Sharing & further processing

  • 05 Information quality (s 16)

    Take reasonably practicable steps to keep information complete, accurate, not misleading and updated.

  • 06 Openness (ss 17–18)

    Keep the PAIA documentation and tell people what you collect, who you are, why, and their rights — in practice, a decent privacy notice.

    Guide: Privacy notices

  • 07 Security safeguards (ss 19–22)

    Appropriate, reasonable technical and organisational measures; operator contracts; breach notification. Where most real enforcement has happened.

    Guide: Security safeguards

  • 08 Data subject participation (ss 23–25)

    People may ask what you hold, request the record, and request correction or deletion.

    Guide: Data subject rights

Accountability: the buck stops with you

Condition 1 frames all the others. You, the responsible party:

Source — the actual words

“must ensure that the conditions set out in this Chapter... are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”

Protection of Personal Information Act 4 of 2013, s 8

“During the processing itself” includes the processing your operators do for you — the Dis-Chem enforcement notice turned on a provider’s breach and the missing operator contract, not on anything Dis-Chem’s own systems did.

Frequently asked questions

Is there an official POPIA compliance certificate?

No. POPIA prescribes no certification, and the Information Regulator issues none. Vendors selling "POPIA certificates" are selling their own paper — useful at most as evidence of effort, never as official status.

What does POPIA compliance actually involve?

Knowing what you process and why, assigning a section 11 ground to each purpose, meeting the eight conditions — minimality, retention rules, a privacy notice, security safeguards, operator contracts, breach readiness — and registering your information officer.

Am I responsible for my service providers’ compliance?

Yes. The accountability condition (s 8) makes the responsible party answerable for the conditions throughout the processing — including processing done by operators on your behalf. Section 21 requires a written contract obliging the operator to maintain security safeguards.

Do the eight conditions apply to every business?

Yes — all eight apply to every responsible party, big or small. What "appropriate" and "reasonably practicable" demand scales with your size, the sensitivity of the information, and the risks.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
