Key Data Privacy and Cybersecurity Laws
How are data privacy and cybersecurity laws/regulations implemented?

Last review date: 28 December 2023

☒ omnibus – all personal data

☒ sector-specific — e.g., financial institutions, governmental bodies

  • Electronic Communications and Transactions Act, 1998
  • Consumer Protection Act, 2008
  • Labour Relations Act, 1995
  • Employment Equity Act, 1998
  • Basic Conditions of Employment Act, 1997
  • National Health Act, 2003

☒ constitutional

What are the key data privacy laws and regulations?

Last review date: 28 December 2023

The Protection of Personal Information Act, 2013 ("POPIA") was signed into law in November 2013. Its substantive provisions only commenced on 1 July 2020, and after a one-year grace period they became fully enforceable on 1 July 2021.

POPIA promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.

POPIA sets out the essential parameters for the lawful processing of personal information, including:

  • eight "core information protection principles" (the conditions for lawful processing);
  • a number of substantive requirements concerning, inter alia, the processing, collection and transfer of personal information, including that:
    • personal information may only be processed in a fair and lawful manner;
    • personal information may only be processed for specific, explicitly defined and legitimate purposes;
    • responsible parties must take the steps required to make affected data subjects aware of the processing and its purposes;
    • personal information may only be retained for as long as it is required to fulfil the purpose for which it was collected; and
    • personal information may only be transferred cross-border subject to certain requirements;
  • responsible parties (i.e. data controllers) being required to:
    • appoint an Information Officer and Deputy Information Officer to ensure compliance with the lawful processing conditions set out in POPIA, to deal with data subject rights requests in terms of POPIA and the Promotion of Access to Information Act, 2000 ("PAIA"), and to handle complaints from data subjects who seek to enforce POPIA;
    • develop, implement, monitor and maintain a data protection and privacy compliance framework;
    • undertake a personal information impact assessment;
    • maintain documentation of all processing;
    • develop, monitor and maintain a manual in terms of section 14 (public bodies) or section 51 (private bodies) of PAIA;
    • conduct internal training sessions on the requirements of POPIA;
    • cooperate with the Information Regulator in any investigation it undertakes in respect of the responsible party; and
    • secure the integrity and confidentiality of personal information in its possession or under its control and ensure that it is appropriately safeguarded against loss, destruction or unlawful access;
  • exemptions from the information protection principles;
  • the rights of data subjects regarding unsolicited electronic communications and automated decision making;
  • the establishment of the Information Regulator to exercise certain powers and to perform certain duties and functions in terms of POPIA and PAIA; and
  • enforcement mechanisms.
What are the key cybersecurity laws and regulations?

Last review date: 28 December 2023

The Cybercrimes Act 19 of 2020 ("Cybercrimes Act") was signed into law in June 2021, and the bulk of its provisions came into force on 1 December 2021. It brings the country's cybersecurity legislation in line with global standards.

The Cybercrimes Act requires electronic communications service providers and financial institutions that become aware that their computer systems have been involved in the commission of an offence under the Act to report the incident to the South African Police Service within 72 hours of becoming aware of it, and to preserve any information that may be of assistance in the investigation (section 54). Non-compliance with this provision is a criminal offence punishable by a fine. These reporting and preservation provisions were, however, not among those brought into force in December 2021 (see below).

The Cybercrimes Act criminalizes harmful data messages, such as messages that incite or threaten violence or damage to property, and messages that disclose intimate images without consent. "Data" is broadly defined in the Act as "electronic representations of information in any form." The Act also criminalizes cyber fraud, cyber extortion, cyber forgery and uttering, and the theft of incorporeal property, as well as the unlawful access to a computer system or computer data storage medium and the unlawful interception of data. Those convicted of an offence under the Act face substantial fines and prison sentences of up to 15 years.

Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?

Last review date: 28 December 2023

In September 2021, the Information Regulator requested that public comments be submitted on the Amendment of the Regulations Relating to the Protection of Personal Information, 2018 ("Draft Regulations"). The Draft Regulations outline the procedure to be followed in certain circumstances contemplated in POPIA, including:

  • Guidance for data subjects on how to object to the processing of their personal information.
  • Guidance on how data subjects can request the correction, destruction or deletion of their personal information.
  • Guidance on how responsible parties can request a person's consent to process their personal information for unsolicited electronic direct marketing.
  • How data subjects can go about submitting a complaint to the Information Regulator.

Cyberattack obligations: The Cybercrimes Act imposes reporting and evidence-preservation obligations on electronic communications service providers and financial institutions in respect of cybercrimes (section 54); as at the review date, however, these obligations had not yet been brought into force.