POPIA vs GDPR: the differences that actually matter

Juristic persons, six lawful grounds, no adequacy lists, R10m vs 4% — a working comparison for companies subject to both.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
POPIA and the GDPR share an architecture — lawful grounds, conditions, special categories, breach duties — but differ where it counts: POPIA also protects juristic persons (companies are data subjects); every South African organisation has an information officer by law, registered with the Regulator; transfers work through five gateways with no adequacy list; breach notification has no materiality threshold; and fines cap at R10 million rather than 4% of turnover, with a strict-liability civil claim alongside.

The comparison, dimension by dimension

POPIA vs GDPR comparison by dimension

| Dimension | POPIA (South Africa) | GDPR (EU) |
|---|---|---|
| Who is protected | Natural persons AND identifiable, existing juristic persons — companies, CCs, trusts are data subjects | Natural persons only |
| Lawful grounds | Six grounds in s 11(1): consent, contract, legal obligation, data subject’s interest, public duty, legitimate interests | Six bases in art 6(1) — closely parallel; vital interests and public task framed differently |
| Special categories | Ss 26–33: includes criminal behaviour and trade union membership; sector authorisations (health s 32, race for EE/B-BBEE s 29) | Art 9 special categories + art 10 criminal data; derogations member-state specific |
| Responsible officer | Information officer exists in EVERY organisation by operation of law; registration with the Regulator compulsory (s 55(2)) | DPO required only for certain processors/activities (art 37) |
| Cross-border transfers | Five gateways in s 72; no adequacy list; binding agreement (e.g. provider DPA) suffices | Chapter V: adequacy decisions, SCCs, BCRs — a formal adequacy architecture |
| Breach notification | “As soon as reasonably possible” (s 22); eServices portal mandatory since 1 April 2025; NO materiality threshold | 72 hours to the authority unless unlikely to result in risk (art 33); data subjects only on high risk |
| Maximum fines | R10 million administrative fine cap (s 109(2)(c)); criminal offences listed separately | Up to €20m or 4% of global annual turnover, whichever is higher |
| Civil claims | Strict liability damages claim — no intent or negligence needed (s 99) | Art 82 compensation — fault-based with reversed burden |
| Direct marketing | S 69 opt-in for electronic; once-off consent ask; Regulator reads phone calls as electronic; opt-out for post/in person | GDPR + ePrivacy regime; soft opt-in similar; member-state variation |
| Prior authorisation | Four narrow triggers need once-off Regulator authorisation (s 57) | Prior consultation only for high-risk DPIAs (art 36) |

The scope difference is the one to memorise, and it is in the definition itself:

Source — the actual words

“‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person...”

Protection of Personal Information Act 4 of 2013, s 1, definition of “personal information” (Department of Justice PDF)

Where imported GDPR programmes miss POPIA

Multinationals typically localise the EU playbook and call it done. The recurring gaps: juristic persons — supplier and B2B data flows nobody risk-assessed (see companies and B2B); the information officer — a registration duty with no GDPR equivalent, checked in enforcement (see information officers); breach reporting — the GDPR’s risk threshold does not exist here: all compromises, via the portal (see data breaches); marketing — the once-off consent ask, Form 4 mechanics, recorded calls and the phone-call question are POPIA-specific (see direct marketing); and civil exposure — section 99’s strict liability changes the breach-litigation calculus in South Africa.

Frequently asked questions

If we are GDPR-compliant, are we POPIA-compliant?

Mostly — but not automatically. The systematic gaps: juristic-person data subjects your GDPR programme ignores, the compulsory information-officer registration, breach reporting with no materiality threshold via the eServices portal, and POPIA-specific marketing rules including the Regulator’s view on phone calls.

Which law is stricter?

Neither, uniformly. GDPR fines are vastly larger and its transfer formalities heavier; POPIA is stricter on scope (juristic persons), on breach reporting (no threshold), and on having a registered information officer in every organisation.

Is POPIA based on the GDPR?

No — POPIA (2013) predates the GDPR (2016). Both descend from the same lineage: the OECD guidelines and the EU’s 1995 Directive. POPIA’s s 2 expressly aims at harmony with international standards.

Does using an EU processor satisfy section 72?

Generally yes via the binding-agreement gateway: a GDPR-grade data-processing agreement imposes protection substantially similar to POPIA’s conditions, including onward-transfer limits.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
