• Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
  • Notice No. 912 of 2013
  • Act
  • Preamble
  • Chapter 1 : Definitions and Purpose
    • 1. Definitions
    • 2. Purpose of Act
  • Chapter 2 : Application Provisions
    • 3. Application and interpretation of Act
    • 4. Lawful processing of personal information
    • 5. Rights of data subjects
    • 6. Exclusions
    • 7. Exclusion for journalistic, literary or artistic purposes
  • Chapter 3 : Conditions for Lawful Processing of Personal Information
    • Part A : Processing of personal information  in general
      • Condition 1 : Accountability
        • 8. Responsible party to ensure conditions for lawful processing
      • Condition 2 : Processing limitation
        • 9. Lawfulness of processing
        • 10. Minimality
        • 11. Consent, justification and objection
        • 12. Collection directly from data subject
      • Condition 3 : Purpose specification
        • 13. Collection for specific purpose
        • 14. Retention and restriction of records
      • Condition 4 : Further processing limitation
        • 15. Further processing to be compatible with purpose of collection
      • Condition 5 : Information quality
        • 16. Quality of information
      • Condition 6 : Openness
        • 17. Documentation
        • 18. Notification to data subject when collecting personal information
      • Condition 7 : Security safeguards
        • 19. Security measures on integrity and confidentiality of personal information
        • 20. Information processed by operator or person acting under authority
        • 21. Security measures regarding information processed by operator
        • 22. Notification of security compromises
      • Condition 8 : Data subject participation
        • 23. Access to personal information
        • 24. Correction of personal information
        • 25. Manner of access
    • Part B : Processing of special personal information
      • 26. Prohibition on processing of special personal information
      • 27. General authorisation concerning special personal information
      • 28. Authorisation concerning data subject's religious or philosophical beliefs
      • 29. Authorisation concerning data subject's race or ethnic origin
      • 30. Authorisation concerning data subject's trade union membership
      • 31. Authorisation concerning data subject's political persuasion
      • 32. Authorisation concerning data subjects's health or sex life
      • 33. Authorisation concerning data subject's criminal behaviour or biometric information
    • Part C : Processing of personal information of children
      • 34. Prohibition on processing personal information of children
      • 35. General authorisation concerning personal information of children
  • Chapter 4 : Exemption from Conditions for Processing of Personal Information
    • 36. General
    • 37. Regulator may exempt processing of personal information
    • 38. Exemption in respect of certain functions
  • Chapter 5 : Supervision
    • Part A : Information Regulator
      • 39. Establishment of Information Regulator
      • 40. Powers, duties and functions of Regulator
      • 41. Appointment, term of office and removal of members of Regulator
      • 42. Vacancies
      • 43. Powers, duties and functions of Chairperson and other members
      • 44. Regulator to have regard to certain matters
      • 45. Conflict of interest
      • 46. Remuneration, allowances, benefits and privileges of members
      • 47. Staff
      • 48. Powers, duties and functions of chief executive officer
      • 49. Committees of Regulator
      • 50. Establishment of Enforcement Committees
      • 51. Meetings of Regulator
      • 52. Funds
      • 53. Protection of Regulator
      • 54. Duty of confidentiality
    • Part B : Information Officer
      • 55. Duties and responsibilities of Information Officer
      • 56. Designation and delegation of deputy information officers
  • Chapter 6 : Prior Authorisation
    • 57. Processing subject to prior authorisation
    • 58. Responsible party to notify Regulator if processing is subject to prior authorisation
    • 59. Failure to notify processing subject to prior authorisation
  • Chapter 7 : Codes of Conduct
    • 60. Issuing of codes of conduct
    • 61. Process for issuing codes of conduct
    • 62. Notification, availability and commencement of code of conduct
    • 63. Procedure for dealing with complaints
    • 64. Amendment and revocation of codes of conduct
    • 65. Guidelines about codes of conduct
    • 66. Register of approved codes of conduct
    • 67. Review of operation of approved code of conduct
    • 68. Effect of failure to comply with code of conduct
  • Chapter 8 : Rights of Data Subjects regarding Direct Marketing by means of Unsolicited Electronic Communications, Directories and Automated Decision Making
    • 69. Direct marketing by means of unsolicited electronic communications
    • 70. Directories
    • 71. Automated decision making
  • Chapter 9 : Transborder Information Flows
    • 72. Transfers of personal information outside Republic
  • Chapter 10 : Enforcement
    • 73. Interference with protection of personal information of data subject
    • 74. Complaints
    • 75. Mode of complaints to Regulator
    • 76. Action on receipt of complaint
    • 77. Regulator may decide to take no action on complaint
    • 78. Referral of complaint to regulatory body
    • 79. Pre-investigation proceedings of Regulator
    • 80. Settlement of complaints
    • 81. Investigation proceedings of Regulator
    • 82. Issue of warrants
    • 83. Requirements for issuing of warrant
    • 84. Execution of warrants
    • 85. Matters exempt from search and seizure
    • 86. Communication between legal adviser and client exempt
    • 87. Objection to search and seizure
    • 88. Return of warrants
    • 89. Assessment
    • 90. Information notice
    • 91. Parties to be informed of result of assessment
    • 92. Matters referred to Enforcement Committee
    • 93. Functions of Enforcement Committee
    • 94. Parties to be informed of developments during and result of investigation
    • 95. Enforcement notice
    • 96. Cancellation of enforcement notice
    • 97. Right of appeal
    • 98. Consideration of appeal
    • 99. Civil remedies
  • Chapter 11 : Offences, Penalties and Administrative Fines
    • 100. Obstruction of Regulator
    • 101. Breach of confidentiality
    • 102. Obstruction of execution of warrant
    • 103. Failure to comply with enforcement or information notices
    • 104. Offences by witnesses
    • 105. Unlawful acts by responsible party in connection with account number
    • 106. Unlawful acts by third parties in connection with account number
    • 107. Penalties
    • 108. Magistrate's Court jurisdiction to impose penalties
    • 109. Administrative fines
  • Chapter 12 : General Provisions
    • 110. Amendment of laws
    • 111. Fees
    • 112. Regulations
    • 113. Procedure for making regulations
    • 114. Transitional arrangements
    • 115. Short title and commencement
  • Schedule
    • Laws Amended by Section 10
• Regulations
  • Regulations relating to the Protection of Personal Information, 2018
    • Notice No. R. 1383 of 2018
    • 1. Definitions
    • 2. Objection to the processing of personal information
    • 3. Request for correction or deletion of personal information or destruction or deletion of record of personal information
    • 4. Responsibilities of Information Officers
    • 5. Application for issuing code of conduct
    • 6. Request for data subject's consent to process personal information
    • 7. Submission of complaint
    • 8. Regulator acting as conciliator during investigation
    • 9. Pre-investigation proceedings of Regulator
    • 10. Settlement of complaints
    • 11. Assessments
    • 12. Informing the parties of developments regarding investigation
    • 13. Short title
    • Forms
      • Form 1 : Objection to the processing of personal information
      • Form 2 : Request for correction or deletion of personal information or destroying or deletion of record of personal information
      • Form 3 : Application for the issue of a code of conduct
      • Form 4 : Application for the consent of a data subject for the processing of personal information for the purpose of direct marketing
      • Form 5 : Complaint regarding interference with the protection of personal information/complaint regarding determination of an adjudicator
      • Form 6 : Notice to parties-Conciliation meeting
      • Form 7 : Notice to parties-Conciliation regarding interference
      • Form 8 : Notice to parties of intention of regulator to investigate a complaint
      • Form 9 : Notice to parties-settlement meeting regarding interference
      • Form 10 : Notice to parties-settlement regarding interference
      • Form 11 : Request for an assessment
      • Form 12 : Notification
      • Form 13 : Notice to parties not to issue an enforcement notice
      • Form 14 : Referral to enforcement committee
      • Form 15 : Enforcement notice
      • Form 16 : Cancellation or variation of enforcement notice
      • Form 17 : Notice of appeal
      • Form 18 : Substitution or setting aside of enforcement notice
      • Form 19 : Notice of dismissal of appeal
• Notices
  • Commencement of Section 1, Part A of Chapter 5 and Sections 112 and 113
    • Notice No. R.25 of 2014
  • Commencement of Regulations relating to the Protection of Personal Information published under GN R1383 in GG42110 of 14 December 2018
    • Notice No. 75 of 2021
  • Information Regulator
    • Notice No. 297 of 2021
    • Notice No. 560 of 2021
• Proclamations
  • Commencement of certain Sections of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
    • Proclamation No. R. 21 of 2020
• Codes of Conduct
  • Guidelines to Develop Codes of Conduct
    • Notice No. 75 of 2021
    • Part 1 - Introduction: The Legislative Framework
      • 1. Purpose of POPIA and the need for a code of conduct
      • 2. Objectives of the guidelines
      • 3. Definitions
      • 4. Who should use these guidelines
      • 5. Purpose of these guidelines
      • 6. Reasons for developing a code of conduct
      • 7. Criteria for developing a code of conduct
      • 8. Understanding of POPIA
      • 9. Administrative mechanisms
      • 10. Resource requirements
      • 11. Notice of intention to develop a code of conduct
      • 12. Code of conduct requirements under POPIA
    • Part 2 - Issuing of a Code of Conduct by the Information Regulator (regulator)
      • 13. General principles applicable to issuing of a code of conduct
      • 14. Other matters that may be included in a code of conduct
      • 15. Drafting style
      • 16. Processing for issuing of code of conduct
      • 17. Openness and transparency
      • 18. Notice of consideration for a code of conduct
      • 19. Notification
      • 20. Register for approved codes of conduct
    • Part 3 - Code Governance
      • 21. Governance arrangements
      • 22. Bodies bound by a code of conduct
      • 23. Identifying relevant bodies bound by a code of conduct
      • 24. Monitoring compliance with a code of conduct
      • 25. Reporting on compliance with a code of conduct
    • Part 4 - Complaints Handling
      • 26. Purpose of a complaints handling procedure
      • 27. Who may submit a complaint
      • 28. The complaints process
      • 29. Responsibilities of the Independent Adjudicator
    • Part 5 - Reviewing, Varying and Revocation of an approved code of conduct
      • 30. Review of the operation of an approved code of conduct
      • 31. Variations to an approved code of conduct
      • 32. The form and manner of the application to vary an approved code of conduct
      • 33. Revocation of an approved code of conduct
      • 34. The form and manner of the application to revoke an approved code of conduct
      • 35. Review
  • Notice in terms of section 62(1) of the Act Code of Conduct: The Banking Association South Africa (BASA)
    • Notice No. 2601 of 2022
  • Notice in terms of section 62(1) of the Act Code of Conduct: Credit Bureau Association (CBA)
    • Notice No. 2602 of 2022