Lawful grounds

The six lawful grounds: the heart of POPIA

Section 11(1) quoted in full — consent is one of six alternatives, and the Act creates no hierarchy between them.

Published Last reviewed 9 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Section 11(1) of POPIA lists six lawful grounds for processing personal information, separated by “or”: consent, contract, legal obligation, protecting the data subject’s interest, public duty, and legitimate interests. Any one of them makes the processing lawful. The Act creates no hierarchy and expresses no preference for consent — in day-to-day business, contract, legal obligation and legitimate interests carry most processing.

On this page

What does section 11 actually say?

This is the provision that kills the master myth — the belief that POPIA requires consent for everything. Here is section 11(1) in full. Six grounds, separated by “or”. Any one of them makes the processing lawful:

Source — the actual words

“(1) Personal information may only be processed if— (a) the data subject or a competent person where the data subject is a child consents to the processing; (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; (c) processing complies with an obligation imposed by law on the responsible party; (d) processing protects a legitimate interest of the data subject; (e) processing is necessary for the proper performance of a public law duty by a public body; or (f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

Protection of Personal Information Act 4 of 2013, s 11(1)(a)–(f)Read it on Dept of JusticePDF

The Act creates no hierarchy and expresses no preference for consent. If your processing is necessary for a contract, you do not also need consent. If a law obliges you to process, you do not also need consent. Collecting consent you don’t need is not harmless belt-and-braces either — it makes your processing revocable at will (see why consent is often the worst choice).

The six grounds in plain terms

  • Contract

    s 11(1)(b)

    You need the information to conclude or perform a contract with the person. The contract is the ground — no consent form needed.

    Examples: The gym’s debit-order details; the attorney’s FICA file; the online shop’s delivery address.

  • The data subject’s own interest

    s 11(1)(d)

    Processing that protects the person themselves.

    Examples: Passing a collapsed visitor’s details to paramedics; fraud alerts to a customer.

  • Public law duty

    s 11(1)(e)

    Public bodies performing their statutory functions.

    Examples: A municipality billing for services; a regulator processing licence applications.

  • Legitimate interests

    s 11(1)(f)

    The workhorse: processing necessary to pursue your legitimate interests or those of the third party receiving the information — balanced against the data subject’s.

    Examples: Fraud prevention, security and CCTV, debt recovery, internal administration, IT security, employee references.

Grounds (d), (e) and (f) are balanced by the data subject’s right to object — and legitimate interests must be earned through a balancing exercise, not assumed (see legitimate interests).

The Regulator itself confirms it

This is not a clever lawyer’s reading — the Information Regulator has said it in terms. Its Guidance Note on COVID-19 (3 April 2020) put the structure of section 11 like this:

Source — the actual words

“It is not necessary for a responsible party to obtain consent from a data subject to process his or her personal information in the context of COVID -19, when: processing complies with the obligation imposed by law on the responsible party; processing protects a legitimate interest of the data subject; processing is necessary for the proper performance of a public law duty by a public body; or processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

Guidance Note on Processing of Personal Information in the Management and Containment of COVID-19 (3 April 2020), para on lawful processing without consentRead it on Information RegulatorPDF

One business, five grounds — and consent plays the smallest part

Map an ordinary plumbing company’s processing to the grounds. Customer names and addresses for quotes and jobs — contract (s 11(1)(b)). Invoices retained for five years — tax law (s 11(1)(c)). Employee records and payslips — contract and legal obligation (ss 11(1)(b) and (c)). CCTV at the workshop — legitimate interests (s 11(1)(f)). A marketing SMS to past customers about a geyser special — the existing-customer exception (s 69(3)). And a once-off consent request to a referred prospect — section 69(2), consent (s 11(1)(a)). One business, five different grounds — and consent plays the smallest part.

Frequently asked questions

Which lawful ground covers employee records?

Mostly contract (s 11(1)(b)) and legal obligation (s 11(1)(c)) — the employment contract needs payroll and leave processing, and laws like the BCEA and tax legislation require employment records. Employee consent is rarely the right ground.

Which lawful ground covers customer records?

Contract (s 11(1)(b)) for everything needed to deliver what the customer bought, legal obligation (s 11(1)(c)) for invoices and tax retention, and legitimate interests (s 11(1)(f)) for ordinary administration and fraud prevention.

Which lawful ground covers CCTV?

Typically legitimate interests (s 11(1)(f)) — security and crime prevention — or protecting the data subject’s own interest (s 11(1)(d)). The compliance work is signage, minimality and safeguards, not consent.

Which lawful ground covers marketing?

It depends on the channel. Post and in-person marketing can run on legitimate interests with an unconditional right to object. Electronic marketing (email, SMS, calls in the Regulator’s view) falls under section 69: consent or the existing-customer exception.

Is there a hierarchy between the six grounds?

No. The grounds are alternatives separated by "or", and the Act expresses no preference for consent. Choosing the ground that genuinely fits the processing — rather than defaulting to consent — is the core of practical POPIA compliance.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Lawful grounds

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub