What POPIA actually is — and what it is not

POPIA regulates personal information; it does not prohibit using it. What the Act’s own purpose section says.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
POPIA — the Protection of Personal Information Act 4 of 2013 — does not prohibit the processing of personal information. It regulates it, by setting minimum threshold requirements for lawful processing. If you meet the Act’s conditions, you may collect, use, store and share personal information. No permission slip from the data subject or the Information Regulator is needed unless the Act says so for your specific situation.

Does POPIA prohibit using personal information?

No — and this single misunderstanding is the source of most POPIA myths. Somewhere between 2020 and today, South Africa talked itself into the belief that POPIA makes it illegal to collect, use or share anyone’s personal information without their permission. Businesses refuse routine requests “because of POPI”. Employers think they can’t give references. Doctors worry about sending referral letters. Marketers believe marketing itself is banned. None of that is what the Act says. POPIA is a rulebook for processing, not a prohibition on processing — and consent is one of six alternative lawful grounds, not a universal requirement.

The myth

POPIA makes it illegal to use anyone’s personal information without their permission.

What the law actually allows

The Act’s own purpose section says it exists to regulate the manner in which personal information may be processed, by establishing minimum threshold requirements — while explicitly protecting the free flow of information. Meet the conditions, and you may process.

What the Act actually says

“(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at— (i) balancing the right to privacy against other rights, particularly the right of access to information; and (ii) protecting important interests, including the free flow of information within the Republic and across international borders; (b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information...”

Protection of Personal Information Act 4 of 2013, s 2(a)–(b)

What the Act’s purpose section actually says

Parliament was explicit that privacy is not absolute. POPIA gives effect to the constitutional right to privacy (section 14 of the Constitution), but the Act’s preamble records that Parliament enacted it with the opposite concern equally in mind: removing unnecessary impediments to the free flow of information. Read the preamble’s own words — this is the balance the whole Act is built on, and it is why “when in doubt, refuse” is the wrong instinct under POPIA.

Source — the actual words

“consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information”

Protection of Personal Information Act 4 of 2013, Preamble

Read that again: the Act exists to regulate the manner in which personal information may be processed, by setting minimum threshold requirements. It is a rulebook for processing, not a prohibition on processing. If you meet the conditions, you may process — including collect, use, store and share — personal information.

What this means in practice

Consider an ordinary day at a panel beater. The workshop photographs a damaged vehicle, records the owner’s name and number, sends the quote to the insurer, and invoices the owner. That is processing personal information from start to finish — and every step is lawful under POPIA without a single consent form, because each step is necessary to perform the repair contract (section 11(1)(b)) and to pursue legitimate business interests (section 11(1)(f)).

What POPIA does demand is that you know why you process what you process, that you can point to a lawful ground for each purpose, and that you meet the eight conditions — collect only what you need, tell people what you are doing, keep it accurate and safe, and respect their rights to access, correct and object. That is the actual compliance work, and none of it requires asking every data subject for permission to run your business.

Where POPIA comes from

POPIA — the Protection of Personal Information Act 4 of 2013 — was assented to on 19 November 2013. Its main provisions commenced on 1 July 2020, and the compliance grace period ended on 30 June 2021. It gives effect to section 14 of the Constitution, which guarantees everyone the right to privacy, and it is enforced by the Information Regulator — an independent body that investigates complaints, issues enforcement notices and, where those are ignored, administrative fines of up to R10 million. How that enforcement has actually played out — who has been fined, for what, and how much — is tracked on the POPIA enforcement tracker.

Frequently asked questions

Is it illegal to share personal information under POPIA?

No. Sharing is simply one form of "processing", and processing is lawful whenever one of the six lawful grounds in section 11 applies and the eight conditions are met. POPIA regulates sharing; it does not ban it.

Do I need permission from the Information Regulator to process personal information?

No. POPIA has no general registration or licensing requirement for processing. Only a narrow list of high-risk operations in section 57 needs once-off prior authorisation — for everyone else, no permission or notification is required.

When did POPIA start applying?

POPIA was assented to on 19 November 2013. Its main provisions commenced on 1 July 2020, and the one-year compliance grace period ended on 30 June 2021. The Act has been fully enforceable since then.

Does POPIA apply to small businesses?

Yes. There is no small-business exemption, no turnover threshold and no industry carve-out. A one-person consultancy and a listed bank are equally bound, and so is the State.

Is POPIA the same as the GDPR?

No. POPIA is South Africa’s own statute. It shares the GDPR’s architecture but differs in important ways — most notably, POPIA also protects juristic persons (companies, CCs and trusts), and its fines are capped at R10 million rather than a percentage of turnover.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.