Free · Email-gated · South Africa

Free Privacy Policy (POPIA) Template

A POPIA-aligned Privacy Policy framework for SA websites — section 18 notification, eight processing conditions, data-subject rights, cross-border disclosures.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer

A POPIA-aligned Privacy Policy is mandatory for every SA website that collects personal information — including contact forms, newsletter signups, account creation, and even cookies that identify visitors. Section 18 of POPIA requires you to notify data subjects of specified information when you collect their personal information; the most efficient way to satisfy section 18 is a published Privacy Policy. This template covers the section 18 framework plus the eight processing conditions, data-subject rights under sections 23–25, cross-border disclosure under s 72, and Information Officer contact details. Pair with our Website Terms of Use template for a complete website legal stack.

What’s in the template

  • POPIA eight processing conditions (accountability, processing limitation, purpose specification, etc.)
  • Section 18 data-subject notification content
  • Lawful processing grounds and how they apply
  • Data-subject rights (access, correction, objection, deletion)
  • Cookie disclosure framework (section 69 direct-marketing alignment)
  • Cross-border transfer disclosure under section 72
  • Information Officer contact details framework
  • Retention and destruction policy summary

What it’s not

  • A separate Cookie Policy with technical-implementation guidance.
  • GDPR-compliant variants for EU-resident data subjects.
  • Industry-specific privacy notices (healthcare PHI, financial services special PII).

Frequently asked

Does every SA website with a contact form need a Privacy Policy?

Yes. Section 18 of POPIA requires the responsible party to notify the data subject of certain information when personal information is collected — name and address of the responsible party, purpose, intended recipients, source, voluntary/mandatory nature, consequences of failure to provide. The most efficient way to satisfy section 18 for website visitors is a published Privacy Policy.

How is this different from the Website Terms of Use?

T&Cs govern your commercial relationship with the user — what they can do, what they cannot do. The Privacy Policy is the POPIA-mandated transparency notice about how you process personal information. Most websites need both; they reference each other but remain separate documents.

Will this comply with GDPR for EU visitors?

The template is POPIA-anchored. For substantive GDPR compliance (EU resident data subjects, EU-based processing) you need an additional GDPR-specific privacy notice or a dual-compliance framework. We draft those as bespoke add-ons from R6,000.

Do I also need to register an Information Officer?

Yes — every SA responsible party must designate and register an Information Officer with the Information Regulator. The Privacy Policy framework includes the Information Officer contact slot. Registration is a separate Information Regulator process.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.