The eight conditions

Minimality and collecting directly: sections 9–12

Collect only what the purpose requires, directly from the person — unless one of the section 12(2) exceptions applies.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
POPIA’s processing-limitation condition has three working parts: process lawfully and reasonably (s 9), collect only information that is adequate, relevant and not excessive for the purpose (s 10), and collect directly from the data subject (s 12) — unless an exception applies, such as public-record information, no prejudice to the person, court proceedings, or your or a recipient’s legitimate interests. Tracing a debtor or vetting a counterparty fits those exceptions.

On this page

Lawful and reasonable processing

Section 9 sets the tone for the whole condition: process lawfully and “in a reasonable manner that does not infringe the privacy of the data subject”. Reasonableness is the lens for every choice that follows — what you collect, from where, and how you use it.

Minimality: adequate, relevant and not excessive

Source — the actual words

“Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”

Protection of Personal Information Act 4 of 2013, s 10Read it on Dept of JusticePDF

Minimality is purpose-relative: the same field can be essential in one context and excessive in another. An attorney’s FICA file needs an ID number; a newsletter signup does not. This is also the condition that disciplines CCTV (point cameras at the risk, not at everything) and references (share what the prospective employer needs, not the whole HR file).

Direct collection — and the section 12(2) exceptions

Section 12(1) requires collection directly from the data subject. But the exceptions in section 12(2) accommodate the real world — collection from another source is permitted, among others, where:

Source — the actual words

“the information is contained in or derived from a public record or has deliberately been made public by the data subject” ... where collection from another source “would not prejudice a legitimate interest of the data subject” ... where it is necessary for “the conduct of proceedings in any court or tribunal” ... or “to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied”.

Protection of Personal Information Act 4 of 2013, s 12(2) (extracts)Read it on Dept of JusticePDF

Tracing, vetting and bought lists

The exceptions are why ordinary risk management survives POPIA. Tracing a debtor through a tracing agent, or vetting a counterparty against public registers, fits squarely within section 12(2) — the debtor’s address was never going to come from the debtor. The same analysis turns hostile for bought marketing lists: there is rarely an exception that fits, the recipient’s section 69 duties kick in, and the seller’s privacy notice probably never disclosed the sale.

Frequently asked questions

Can I buy lead lists under POPIA?

Collection from a source other than the data subject needs a section 12(2) exception, and electronic marketing to the list needs section 69 consent or an existing-customer relationship — which a bought list, by definition, does not give you. Buying lists is where multiple POPIA rules converge against you.

May I collect information from public registers like CIPC or the deeds office?

Yes. Section 12(2) excepts information contained in or derived from a public record, or deliberately made public by the data subject. The other conditions — minimality, openness, security — still apply to what you do with it.

How much information is "not excessive"?

Judge it against the purpose: if the purpose is fulfilled without the field, don’t collect the field. A quote request doesn’t need an ID number; CCTV for security doesn’t need to cover the staff kitchen.

Can I collect information about someone from a third party for a dispute?

Yes. Section 12(2)(d)(iii) excepts collection where it is necessary for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · The eight conditions

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub