🇿🇦 South Africa
Information
Extracts :
Extract :
No mention of the subject right related to Citizens outside their jurisdiction
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
There is no definition of the data subject that makes reference to citizens outside the jurisdiction being considered as personal data
2021
Reference :
Data breach | DataGuidance
Information on data breach regulation - ZAF
Extracts :
Extract :
No mention of the subject right related to Persons within their jurisdiction
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
Section 1 of POPIA defines personal information broadly to include information relating to an identifiable, living, natural person, and where relevant, an identifiable, existing juristic person, including:
2021
Reference :
Data breach | DataGuidance
Information on data breach regulation - ZAF
Extracts :
Extract :
No mention of the subject right related to Legal entities
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
Section 1 of POPIA defines personal information broadly to include information relating to an identifiable, living, natural person, and where relevant, an identifiable, existing juristic person, including:
2021
Reference :
Data breach | DataGuidance
Information on data breach regulation - ZAF
Extracts :
Extract :
"POPIA will apply not only to responsible parties domiciled in South Africa but also responsible parties
outside of South Africa that use means to process in South Africa (unless such means are only used to
forward the information through South Africa)."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Data controller: A 'responsible party' is a public or private body that determines the purpose and means for processing personal information of a data subject.
Data processor: An 'operator' is a party that processes personal information on behalf of a responsible party, without coming under the direct authority of the responsible party."
2022
Reference :
South Africa Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
POPIA was promulgated into law on 26 November 2013, and is in full force and effect as at 1 July 2021.
POPIA is wide in its scope and application and impacts all persons, both natural and juristic, subject to
certain exclusions detailed therein, all persons who process personal information.
2021
Reference :
Data breach | DataGuidance
Information on data breach regulation - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
South Africa Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Section 109: If a responsible party is alleged to have committed an offence in terms of this Act, the Regulator may cause to be delivered by hand to that person (hereinafter referred to as the infringer) an infringement notice which must contain the particulars contemplated in subsection (2)."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"See Section 109(2)(c), above, which sets a fine maximum of ZAR 10 million (approx. €490,000)."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"POPIA does not provide equivalent provisions."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 107: Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of – (a) Section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment;"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Section 99(1): A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in Section 73, whether or not there is intent or negligence on the part of the responsible party."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 107: Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of – (a) Section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment;"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"POPIA does not contain equivalent provisions regarding a DPIA.
However, Section 109 (3) notes that any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information will be considered as part of determining the appropriate fine.
Furthermore, Regulation 4(1)(b) of the Regulations Relating to POPIA states that, as part of the responsibilities of information officers, a PIIA must be done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"POPIA does not refer to 'pseudonymisation.'"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 22: (1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify – [...] (b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 22(1): Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify – (a) the Regulator."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 21(2): The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"There is no right to data portability."
2022
Reference :
Data Protection in different countries | Linklaters
Database for comparing other databases for the same information on data protection
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
POPIA also prohibits automated processing of personal information where the data subject will be subjected
to a decision which has legal consequences for the data subject or which affects the data subject
to a substantial degree. There are certain exceptions to this prohibition."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"POPIA contemplates the collection of personal information directly from the data subject, except in
some instances, for example, where the information is already contained in, or derived from, a public
record, or has deliberately been made public by the data subject, or where collection of the information
from another source would not prejudice a legitimate interest of the data subject.
See Condition 6 on Openness, specifically Section 18 of POPIA, regarding notification to data subject
when collecting personal information."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"8.2. Right to access
A data subject, having provided adequate proof of identity, has the right to request the responsible
party to confirm, free of charge, whether or not the responsible party holds personal information about
that particular data subject. The data subject may then request a description of the personal information,
including information about third parties who have had access to the information, within a reasonable
time and at a prescribed fee (if any). In addition, the information must be provided to the data subject
in a reasonable manner and in a form that is generally understandable."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.2. Right to access
A data subject, having provided adequate proof of identity, has the right to request the responsible
party to confirm, free of charge, whether or not the responsible party holds personal information about
that particular data subject. The data subject may then request a description of the personal information,
including information about third parties who have had access to the information, within a reasonable
time and at a prescribed fee (if any). In addition, the information must be provided to the data subject
in a reasonable manner and in a form that is generally understandable.
Such a request by a data subject may be refused by the responsible party on the grounds for refusal or
access to records as set out in PAIA. In this regard, it is important to note that PAIA differentiates between
records held by public bodies and private bodies and the instances in which access to records
may be refused by these respective bodies. Public bodies and private bodies may refuse access to
records where, inter alia, (i) the disclosure would involve the unreasonable disclosure of personal information
about a third party; (ii) the record contains trade secrets of a third party; (iii) the record contains
confidential information of a third party; or (iv) the record contains legally privileged documents.
The data subject may also request the responsible party to correct, delete, or destroy personal information
about the data subject in its possession or under its control."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
POPIA allows a data subject the right to request that a responsible party correct or delete personal information
that is inaccurate, irrelevant and excessive, or which the responsible party is no longer authorised to retain."
2021
Reference :
South Africa Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Section 72 of POPIA prohibits the international transfer of personal information unless the recipient is subject to a law, binding corporate rules, or binding agreement which provide an adequate level of protection."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Section 72 also provides the following grounds for data transfers:
• the data subject consents to the transfer;
• the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
• the transfer is for the benefit of the data subject, and – (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 72 establishes that binding corporate rules may be used for international data transfers. POPIA does not, though, refer to standard contractual clauses or codes of conduct in relation to cross-border data flows."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"The storage of employees tax information outside of South Africa requires the prior written approval of the South African Revenue Service ("SARS")."
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
No information found, assumed to take a value of "No".
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"Chapter 6 is dedicated to the processing activities subject to prior authorisation. Section 57: the responsible party must obtain prior authorisation from the Regulator, in terms of Section 58, prior to any processing if that responsible party plans to (a) process any unique identifiers of data subjects; (b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties; (c) process information for the purposes of credit reporting; or (d) transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"POPIA provides for a similar position as the GDPR's data protection officer ('DPO') in the form of an information officer."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"POPIA does not contain provisions on this matter, see PAIA for further information."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"Section 55: (1) An information officer's responsibilities include –
(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
(b) dealing with requests made to the body pursuant to POPIA;
(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
(d) otherwise ensuring compliance by the body with the provisions of POPIA; and
(e) as may be prescribed.
(2) Officers must take up their duties in terms of POPIA only after the responsible party has registered them with the Regulator."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
"POPIA does not contain provisions on this matter, see PAIA for further information."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
There is no information in the legal text.
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
There is no information on this in the legal text.
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Extracts :
Extract :
"POPIA does not contain provisions on this matter, see PAIA for further information."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Competition Commission | CC | Regulator | Independent agency | 1998 |
| Independent Communications Authority of South Africa | ICASA | Regulator | Independent agency | 2000 |
| Financial Sector Conduct Authority | FSCA | Regulator | Under the government authority | 2018 |
| Companies and Intellectual Property Commission | CIPC | Regulator | Under the government authority | 2008 |
| National Consumer Commission | NCC | Regulator | Under the government authority | 2008 |
| Ministry of Communications and Digital Technologies | | Regulator | Ministry | |
| Information Regulator | POPIA | Regulator | Independent agency | 2013 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| Protection of Personal Information Act (POPIA) | General privacy/data protection law | 2013 | Active | 2022 |