
Purpose and retention: how long may you keep records?

Records must not be kept longer than necessary — but four statutory exceptions cover tax, contracts and prescription periods.


Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
Section 13 requires collection for a specific, explicitly defined and lawful purpose. Section 14(1) then says records must not be retained longer than necessary for that purpose — but immediately adds four exceptions: retention required or authorised by law, reasonably required for lawful purposes related to your functions, required by a contract, or consented to. Companies Act and tax retention periods, and keeping evidence for the prescription period of potential claims, all fit comfortably.

Purpose specification: say why you collect

Source — the actual words

“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.”

Protection of Personal Information Act 4 of 2013, s 13(1)

The purpose does double duty across the Act: it measures minimality (adequate, relevant, not excessive for the purpose), it anchors the compatibility test for further processing, and it starts the retention clock. A purpose you never defined is a purpose you cannot measure anything against — which is why mapping purposes is step one of the compliance shortlist.

The retention rule — and its four exceptions

Source — the actual words

“records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed”

Note — The four exceptions that follow immediately in s 14(1)(a)–(d): retention required or authorised by law; reasonably required “for lawful purposes related to its functions or activities”; required by a contract between the parties; or the data subject (or competent person, for a child) has consented.

Protection of Personal Information Act 4 of 2013, s 14(1)

The exceptions carry ordinary commercial reality. Companies Act and Tax Administration Act retention periods are retention “required or authorised by law”. Keeping evidence for the prescription period of potential claims is retention “reasonably required for lawful purposes related to your functions”. The rule POPIA actually adds is the discipline: retention must be a decision per record type, not an accident of never cleaning up.

Building a retention schedule

A workable schedule has three columns: the record type, the period with its justification (the statute requiring it, the contract, or the prescription analysis), and what happens at expiry (delete or de-identify). Common anchors in South African practice include company records under the Companies Act, tax records under the Tax Administration Act, employment records under the BCEA, FICA records for accountable institutions, and the prescription period for contractual and delictual claims. The specific periods for your records are a legal judgment on your facts — the schedule structure is the compliance work POPIA expects to see.

At the end: delete or de-identify — actually

When a retention period expires, section 14 expects the record to be destroyed, deleted or de-identified. De-identification must be real: stripped of anything that identifies, can identify or can be linked to a person by any reasonably foreseeable method — at which point POPIA no longer applies to it and analytics can keep the history. The operational failure mode is keeping everything forever “just in case”: it inflates breach exposure (every stale record is one more record to notify about), and it turns every access request into an archaeology project.

Frequently asked questions

Must I delete a client’s records when they ask?

Only where the information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully — or where you are no longer authorised to retain it. Records you must keep under tax or company law, or reasonably need for potential claims, may lawfully be retained despite a deletion request.

How long should I keep ex-employee records?

Long enough to satisfy the laws that require employment records (e.g. BCEA and tax legislation) and to cover the prescription period for potential disputes — then delete or de-identify. Set the periods per record type in a retention schedule. Specific periods are a judgment call on your facts; take advice.

How long may CCTV footage be kept?

POPIA sets no fixed period — section 14(1) requires footage to be kept no longer than the security purpose needs, unless an incident makes specific footage evidence for contemplated proceedings. A short rolling window with incident-based holds is the common pattern.

Do backups violate the retention rule?

Not inherently — backups serve a lawful purpose related to your functions. But retention rules must reach backups eventually: a deletion policy that never touches backup archives is a policy on paper only.


Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
