Ina Opperman

By Ina Opperman

Business Journalist

Your personal information will become protected in 41 days

It is high time, as the Popi Act was promulgated in 2013.

If you go anywhere these days you are required to fill in your personal details so that you can be contacted if someone who was in the same place and the same time as you tests positive for Covid-19.

Before the pandemic you had to enter your personal information whenever you entered a building or secured estate or business park.

The good news is that your personal information will become protected in 41 days when some provisions of the Protection of Personal Information (Popi) Act come into effect for everybody who has access to your personal information.

With impersonation fraud, where fraudsters take your personal information to spend money in your name, increasing an astounding 377% last year and marketing communication bombarding us on all possible platforms, consumers are rightly concerned about how their personal information is used and stored.

ALSO READ: Identity theft up by 337% in 2020, fraud summit hears

Sections 2 to 38, 55 to 109, 111 and 114 of the Popi Act came into operation on 1 July 2020, with section 114 giving entities 12 months to get ready to comply with the act from 1 July 2021. It is high time, as the act was promulgated in 2013.

Purpose of the Popi Act

The purpose of the Popi Act is to:

  • Protect your constitutional right to privacy by safeguarding your personal information when it is processed by a responsible party, subject to justifiable limitations to balance your right to privacy against other rights and particularly the right of access to information and protecting important interests, including the free flow of information
  • Regulate the way personal information is processed by establishing conditions in line with international standards that prescribe the minimum requirements for lawful processing of your personal information
  • Provide rights and remedies to protect your personal information from processing that is not in line the Act and
  • Establish voluntary and compulsory measures, including the establishment of an Information Regulator to ensure to promote, enforce and fulfil your rights.

These are your rights

According to section 5, your rights are to:

  • have your personal information processed according to the conditions for the lawful processing of personal information
  • establish whether a responsible party holds your personal information and request access to it
  • request, where necessary, the correction, destruction or deletion of your personal information
  • object on reasonable grounds to processing of your personal information
  • object to the processing of your personal information at any time if it is used for direct marketing
  • refuse that your personal information is processed for direct marketing using unsolicited electronic communications
  • refuse to be subject to a decision based solely on automated processing of your personal information to provide a profile of you
  • complain to the Regulator about the alleged interference with the protection of your personal information
  • institute civil proceedings if somebody interferes with the protection of your personal information.


According to section 6 of the act, it does not apply to the processing of personal information in the course of a purely personal or household activity or when it is done by or on behalf of a public body that involves national security, including the identification of financing terrorist and related activities, defence or public safety or to prevent or detect unlawful activities and prosecute offenders.

ALSO READ: One day before WhatsApp privacy policy update kicks in – how safe are you?

Conditions for legitimate use

The protection of your personal information form part of eight different conditions that will ensure your rights are protected, namely accountability, limited use, purpose specification, limited further use, information quality, openness, security safeguards and data subject participation.


The Regulator can grant an exemption for processing personal information even if it is in breach of a condition if it is in the public interest or it has a clear benefit for you and others that outweighs the chance of interference.

Public interest includes national security, the prevention, detection and prosecution of offences, important economic and financial interests, compliance with legal provisions, historical, statistical or research activity or freedom of expression.


The personal information of children may not be used without consent. It can only be used if it is necessary to establish, exercise or defend a legal right or obligation, comply with international public law, for historical, statistical or research purposes, has been made public already with consent.

ALSO READ: ‘WhatsApp needs our permission,’ says SA’s Information Regulator

Direct marketing

Section 69 of the act provides that processing of personal information for direct marketing is prohibited unless you gave permission or are a client of the entity. Entities can also only ask you once for permission.

If you are a client your information can only be used if it was obtained when you gave it while buying a product or service or for direct marketing. You must also get the opportunity to object free of charge to the use of your information gathered during direct marketing.

Communication for direct marketing must identify the entity and give an address where you can ask for the communication to be stopped.

Where to complain:

Visit the Regulator’s website on or send email to


Read more on these topics

business news