POPIA Compliance for Technology Companies

The Responsible Party (Section 1)

A responsible party is the entity that determines the purpose and means of processing personal information. In technology terms, this is the entity that decides why data is collected and how it will be used. The responsible party bears the primary obligations under POPIA, including:

• Ensuring that processing is lawful and complies with the eight conditions for lawful processing set out in Chapter 3 of POPIA
• Notifying data subjects of the collection and use of their personal information (section 18)
• Appointing an Information Officer and registering with the Information Regulator
• Notifying the Information Regulator and affected data subjects of security compromises (section 22)

The Operator (Section 1)

An operator is a person or entity that processes personal information on behalf of, and under the authority or instruction of, the responsible party. In technology terms, this is a service provider that handles data according to its client's instructions. Cloud hosting providers, SaaS platforms processing client data, payment processors, and email delivery services typically act as operators. The operator's obligations are more limited but critically important:

• Processing personal information only with the knowledge or authorisation of the responsible party
• Treating all personal information as confidential and not disclosing it without proper authorisation
• Establishing and maintaining appropriate security measures as required by section 19

Required Elements of an Operator Agreement

• Scope of processing: The agreement must clearly define what personal information will be processed, the purpose of the processing, and the specific processing activities the operator is authorised to perform.
• Security measures: The operator must commit to establishing and maintaining security measures that meet or exceed the standards required by section 19 of POPIA, including technical measures (encryption, access controls, intrusion detection) and organisational measures (staff training, access policies, incident response plans).
• Notification obligations: The operator must notify the responsible party immediately if there are reasonable grounds to believe that a security compromise has occurred. This is critical because the obligation to notify the Information Regulator and data subjects falls on the responsible party, not the operator.
• Data return and deletion: Upon termination of the processing agreement, the operator must return all personal information to the responsible party or destroy it, subject to any legal retention requirements.
• Sub-processing restrictions: The agreement should specify whether the operator is permitted to engage sub-operators, and if so, require prior written consent and impose equivalent obligations on any sub-operator through a back-to-back agreement.
• Audit rights: The responsible party should retain the right to audit the operator's compliance with the agreement and with POPIA, either directly or through an independent third-party auditor.

Notification Requirements

• Timing: Notification must be made "as soon as reasonably possible" after the discovery of the breach. The Information Regulator has indicated that this should occur within 72 hours of becoming aware of the breach, aligning with international best practice and the GDPR standard. Unjustified delays in notification may themselves constitute a contravention of POPIA.
• Content of notification: The notification must include a description of the possible consequences of the breach, a description of the measures taken or proposed to be taken to address the breach, a recommendation regarding measures the data subject can take to mitigate the possible adverse effects, and (if known) the identity of the unauthorised person who may have accessed the information.
• How to report: Breach notifications must be submitted to the Information Regulator through its official eServices portal. The portal allows responsible parties to submit security compromise notifications electronically, track the status of their submissions, and respond to any queries from the Regulator. Technology companies should familiarise themselves with this portal and test the submission process before a breach occurs.
• Delay by law enforcement: The Information Regulator may direct a responsible party to delay notifying data subjects if doing so would impede a criminal investigation. However, the notification to the Regulator itself cannot be delayed.

When Cross-Border Transfer is Permitted

POPIA permits the transfer of personal information to a foreign country only in the following circumstances:

• Adequate protection: The recipient country provides an "adequate level of protection" for personal information. The Information Regulator has not yet published a definitive list of countries deemed adequate, but countries with GDPR-equivalent legislation (such as EU and EEA member states) are generally considered to meet this threshold.
• Binding agreement: The recipient is subject to a binding agreement that provides an adequate level of protection that effectively upholds principles for the reasonable processing of personal information substantially similar to POPIA's conditions for lawful processing.
• Consent: The data subject consents to the transfer after being informed of the potential risks.
• Contractual necessity: The transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request.
• Benefit of the data subject: The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain their consent.

Enforcement Mechanisms

• Administrative fines: The Information Regulator may impose administrative fines of up to R10 million for non-compliance. In determining the quantum, the Regulator will consider the nature, gravity, and duration of the infringement, the number of data subjects affected, the degree of damage suffered, and the measures taken by the responsible party to mitigate the damage.
• Criminal sanctions: Certain contraventions of POPIA are criminal offences, punishable by a fine or imprisonment for a period not exceeding 10 years, or both. These include knowingly or recklessly obtaining or disclosing an account number of a data subject, and hindering, obstructing, or unlawfully influencing the Information Regulator.
• Civil claims: Section 99 of POPIA grants data subjects the right to institute civil proceedings for damages suffered as a result of a contravention of POPIA. This includes both patrimonial loss and non-patrimonial loss (such as injury to dignity or emotional distress). Class action suits are also possible where multiple data subjects are affected by the same breach.
• Enforcement notices: The Information Regulator may issue enforcement notices directing a responsible party to take specific steps to comply with POPIA within a specified period. Failure to comply with an enforcement notice is itself an offence.