The Protection of Personal Information Act

Finally, as of 1 July 2020, the remaining provisions of the Protection of Personal Information Act (POPIA) have become effective. We all now have one year to reach a state where we are compliant with this legislation. This period could possibly be extended, but we cannot rely on this occurring.

When does POPIA apply?

POPIA applies (with exceptions) to the processing of personal information in a record by, or on behalf of, a responsible party.

It is important to understand the meaning of the words ‘processing’, ‘personal information’, ‘record’, and ‘responsible party’.

Personal information is widely defined and includes almost all information about a living, identifiable person (and, where applicable, juristic persons), including race, gender, pregnancy, marital status, medical history, contact details, biometric information and personal opinions, amongst other information (note that, for POPIA purposes, information about a deceased person is not personal information). It does not include de-identified information.

Processing is also widely defined and includes almost anything one does with personal information, including receiving or collecting it, storing it (electronically or physically), filing it, or destroying it.

Record means any recorded information, regardless of the form in which it is recorded. So a record includes electronic and paper information, x-rays, photos, labels, drawings, graphs, maps, etc., which is in the possession of the responsible party (whether or not they created it).

Example

A retirement fund's administrator (operator) processes personal information for and on behalf of a retirement fund (responsible party).

Responsible party means the person who determines the purpose and means for processing information. In the retirement funds context, it will mainly be retirement funds (and employers) that are responsible parties. Their service providers, such as administrators and consultants, will be operators. Operators process information for, or on behalf of, responsible parties. As an example, a retirement fund determines how its operators will process the personal information of the fund’s members (and others). Thus, the fund enters into an administration agreement with the administrator determining the purposes for which that administrator will process personal information on its behalf.

The Eight Conditions

Responsible parties are required to comply with the Eight Conditions when they process personal information for the first time and every time thereafter. Importantly, they must also ensure that their operators comply with the Eight Conditions. Thus, it becomes important for responsible parties to ensure they are contracting with operators that are POPIA compliant. Many responsible parties will seek to contractually bind their operators to ongoing POPIA compliance.

While POPIA provides us with Conditions, it also provides a number of ‘exceptions’ or ‘authorisations’. If your processing falls into one of these ‘exceptions’ or ‘authorisations’, the Condition does not apply. This makes POPIA fairly complex to implement, as one needs to understand the Conditions as well as the ‘exceptions’ or ‘authorisations’ that apply to the Conditions or to one of the Conditions.

This does not give us much information about each Condition. It is necessary to dig a little deeper to understand the Eight Conditions. The Eight Conditions consist of more than eight requirements, which are simply grouped into the Eight Conditions. In the diagram below, the number corresponds to the Condition number, and there is often more than one requirement per Condition.

So, in more detail, the Eight Conditions with which responsible parties must comply when processing personal information appear in the diagram below (diagram not reproduced here).

*PI refers to Personal Information
**RP refers to Responsible Person

There are more requirements in POPIA than just the Eight Conditions

It is not enough simply to comply with the Eight Conditions. There are many other provisions of POPIA which we need to understand and with which we need to comply, for example:

With the exception of a brief discussion concerning special personal information and Information Officers, we have not discussed these other requirements in this note.

Special personal information

Special personal information is personal information that is very confidential and requires special protection.

The classes of special personal information are:

The general rule, under POPIA, is that the responsible party must not process special personal information. However, they may process special personal information if one of the following applies to them:

  • One of the general authorisations that apply to all special personal information applies (for example, they have consent from the data subject, or the processing is necessary for the establishment, exercise or defence of a right or obligation in law); or
  • One of the specific authorisations set out in POPIA for a specific class of special personal information applies to the responsible party. For example, for the class of health information, pension funds (and their administrators) may process health information if the processing is necessary for the implementation of laws (e.g. the Pension Funds Act), pension regulations, etc. Thus, if we are a pension fund processing health information because we are required to do so by law, then we may process it.

It is probable that in the future the Information Regulator will consider setting further rules with respect to these specific authorisations, especially with respect to the class of health and sex life.

Information Officers

Every responsible party must have an Information Officer. The Information Officer is automatically the head of a juristic person (like a company or a fund). The head of a juristic person is generally the Chief Executive Officer (CEO) or someone the CEO has authorised to be the Information Officer. In a retirement fund context, this may be the Principal Officer of a fund or whomever the Principal Officer has authorised to hold this position.

Information Officers have to be registered with the Information Regulator and the Information Regulator has issued a draft notice concerning registration requiring these registrations to be done by 31 March 2021 on prescribed forms. The Information Officer can appoint Deputy Information Officers but remains responsible for his/her statutory obligations. Information Officers and Deputy Information Officers must receive appropriate training and keep abreast of the latest developments in POPIA and the Promotion of Access to Information Act.

The draft notice referred to above sets out some of the statutory duties of Information Officers, which are:

  • The encouragement of compliance by the body with the Eight Conditions for the lawful processing of personal information. For example, an Information Officer may develop a policy on how employees should implement the Eight Conditions for the lawful processing of personal information;
  • Dealing with the various requests that can be made to the body pursuant to POPIA. Internal measures are developed, together with adequate systems, to process requests for or access to information;
  • Submission of a detailed report about requests to the Information Regulator;
  • Working with the Information Regulator in relation to investigations concerning the body (including prior authorisations);
  • A personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • A manual is developed, monitored, maintained and made available as prescribed in section 51 of PAIA, as amended by POPIA (this must be provided on request for a fee);
  • A compliance framework is developed, implemented, monitored and maintained; and
  • Internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Information Regulator.

Implementation

Assuming the Fund is the responsible party, the following actions are required to be compliant with POPIA on an ongoing basis:

1. There must be a written contract between the responsible party and all identified operators to, among other things, ensure that the operator(s) establish and maintain security measures (s19).

2. In terms of s5(a)(i), members must be notified that their personal information is being collected. The member (data subject) has the right to be aware of:

  • the information being collected and where the information is not collected from the data subject, the source from which it is collected;
  • the name and address of the responsible party;
  • the purpose for which the information is being collected;
  • whether or not the supply of the information by that data subject is voluntary or mandatory;
  • the consequences of failure to provide the information;
  • any particular law authorising or requiring the collection of the information.

3. s19 states that the responsible party must review and implement security measures to:

  • secure the integrity and confidentiality of the personal information; and
  • take appropriate, reasonable, technical and organisational measures to assess risks, implement safeguards, test, and update.

4. Appoint an Information Officer. The default would be that the Principal Officer would be the Information Officer.
