Each myth below is something South African businesses genuinely believe — and repeat to each other, to customers, and to AI assistants. Each one is answered the same way: first what the law actually allows, then the exact words of the Act, the Regulations or the Information Regulator’s guidance, with a link to the official source so you can check every claim yourself.
Myth 1: “You need consent to process anyone’s personal information”
Consent is one of six alternative lawful grounds, separated by “or”. Processing is equally lawful if it is necessary for a contract, required by law, protects the data subject’s interests, performs a public duty, or pursues a legitimate interest. Full analysis: the six lawful grounds.
“(1) Personal information may only be processed if— (a) the data subject or a competent person where the data subject is a child consents to the processing; (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; (c) processing complies with an obligation imposed by law on the responsible party; (d) processing protects a legitimate interest of the data subject; (e) processing is necessary for the proper performance of a public law duty by a public body; or (f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”
Myth 2: “You may not share personal information with anybody”
Sharing is just one form of “processing” — the definition expressly includes dissemination. There is no separate, stricter rule for sharing: it is lawful whenever a section 11 ground applies and the other conditions are met. See sharing personal information lawfully.
“‘processing’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”
Myth 3: “POPIA killed direct marketing”
Electronic marketing needs consent or an existing-customer relationship — and you may approach a non-customer once to ask for consent. Post and in-person marketing run on legitimate interest with a right to opt out. See direct marketing under POPIA.
“The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject— (a) has given his, her or its consent to the processing; or (b) is, subject to subsection (3), a customer of the responsible party.”
Note — The structure is “prohibited unless”, with two doors. Section 69(2) adds a third path: a once-off approach to a non-customer to ask for consent.
Myth 4: “Personal information may not leave South Africa”
Cross-border transfers are allowed through any one of five gateways — including a binding agreement with the foreign recipient. There is no data-localisation rule and no “adequacy list”. See cross-border transfers.
“(a) the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that— (i) effectively upholds principles for reasonable processing... substantially similar to the conditions for the lawful processing of personal information... and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information...”
Note — This is the first of five alternative gateways in s 72(1)(a)–(e); the others are consent, contractual necessity, a contract in the data subject’s interest, and transfers for the data subject’s benefit where consent is impracticable but likely.
Myth 5: “WhatsApp group admins need every member’s consent”
POPIA does not apply at all to purely personal or household activity. Family, friend and neighbourhood groups fall outside the Act — the 2021 “group admins must get consent” panic had no statutory basis. See WhatsApp groups and POPIA.
“(1) This Act does not apply to the processing of personal information— (a) in the course of a purely personal or household activity;”
Note — A business running a customer WhatsApp channel is a different matter: that is commercial processing, and if it involves marketing, section 69 applies.
Myth 6: “You can’t give a reference for an ex-employee”
A truthful, relevant reference is processing in the legitimate interest of the prospective employer — the subsection expressly contemplates a third party receiving the information. The real constraints are accuracy and defamation law, not a POPIA ban. See employee references.
“(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”
Myth 7: “Doctors can’t share patient information with specialists or medical schemes”
The Act expressly authorises medical professionals and healthcare institutions to process health information where necessary for treatment, care or practice administration — and insurers and medical schemes where necessary for risk assessment or performing the scheme agreement. See health information under POPIA.
“(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned; (b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for— (i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing; (ii) the performance of an insurance or medical scheme agreement; or (iii) the enforcement of any contractual rights and obligations;”
Myth 8: “POPIA only protects individuals — company information is fair game”
Unlike the GDPR, POPIA protects identifiable, existing juristic persons too. Companies, close corporations and trusts are data subjects, and B2B data is not exempt. See POPIA and company information.
“‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person...”
Myth 9: “CCTV is illegal under POPIA”
No provision bans cameras. Footage of identifiable people must simply satisfy the conditions: a lawful ground (typically security as a legitimate interest), signage, minimality and safeguards. See CCTV and POPIA.
“Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
Note — This minimality condition — together with the openness duty in s 18 (in practice: visible signage) and security safeguards in s 19 — is the actual CCTV compliance work. The lawful ground is typically s 11(1)(d) or (f).
Myth 10: “Any slip means a R10 million fine and prison”
Fines and imprisonment attach to specific offences — mostly ignoring the Regulator’s notices. Enforcement has in practice started with an enforcement notice ordering you to fix things, and every fine to date (R100 000 to R5 million) followed non-compliance with such a notice. See fines and penalties and the enforcement tracker.
“to take specified steps... or to refrain from taking such steps”
Note — That is what an enforcement notice does — it orders corrective steps. Ignoring it is the offence (s 103(1)); administrative fines are capped at R10 million (s 109(2)(c)); and the 10-year imprisonment provisions are confined to listed offences like obstructing the Regulator and breaching the account-number provisions — not everyday slips.
Where do these myths come from? Mostly from reading “protection” as “prohibition”, from GDPR articles imported unexamined, and from compliance marketing that profits from fear. The antidote is the same in every case: read the provision. Every guide in this hub pairs the plain-language answer with the actual words of the Act — start with the six lawful grounds, the provision that kills the master myth.