South African POPIA

South Africa

18 domains

32 controls

South Africa Protection of Personal Information Act 4 of 2013.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (18)

Automated Decisions

1 controls

Controls in the Automated Decisions domain of South African POPIA — 1 controls
Code	Title	Description
s.71	Automated Decision Making	A data subject may not be subject to a decision based solely on the automated processing of personal information intende...

Children's Data

1 controls

Controls in the Children's Data domain of South African POPIA — 1 controls
Code	Title	Description
s.34-35	Personal Information of Children	Processing personal information of children is prohibited unless carried out with the prior consent of a competent perso...

Condition 1 Accountability

1 controls

Controls in the Condition 1 Accountability domain of South African POPIA — 1 controls
Code	Title	Description
s.8	Accountability	The responsible party must ensure that the conditions for lawful processing and all measures giving effect to those cond...

Condition 2 Processing Limitation

4 controls

Controls in the Condition 2 Processing Limitation domain of South African POPIA — 4 controls
Code	Title	Description
s.10	Minimality	Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and...
s.11	Consent, Justification and Objection	Processing must be supported by consent, contractual necessity, legal obligation, protection of a legitimate interest, p...
s.12	Collection Directly from Data Subject	Personal information must be collected directly from the data subject except in defined circumstances such as public rec...
s.9	Lawfulness of Processing	Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the dat...

Condition 3 Purpose Specification

2 controls

Controls in the Condition 3 Purpose Specification domain of South African POPIA — 2 controls
Code	Title	Description
s.13	Collection for Specific Purpose	Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or ac...
s.14	Retention and Restriction of Records	Records of personal information must not be retained longer than necessary for the purpose, unless required by law, cont...

Condition 4 Further Processing Limitation

1 controls

Controls in the Condition 4 Further Processing Limitation domain of South African POPIA — 1 controls
Code	Title	Description
s.15	Further Processing to be Compatible with Purpose of Collection	Further processing of personal information must be in accordance with or compatible with the purpose for which it was co...

Condition 5 Information Quality

1 controls

Controls in the Condition 5 Information Quality domain of South African POPIA — 1 controls
Code	Title	Description
s.16	Quality of Information	The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate,...

Condition 6 Openness

2 controls

Controls in the Condition 6 Openness domain of South African POPIA — 2 controls
Code	Title	Description
s.17	Documentation	The responsible party must maintain documentation of all processing operations under its responsibility as required by t...
s.18	Notification to Data Subject When Collecting Personal Information	When collecting personal information the responsible party must ensure the data subject is aware of the information bein...

Condition 7 Security Safeguards

4 controls

Controls in the Condition 7 Security Safeguards domain of South African POPIA — 4 controls
Code	Title	Description
s.19	Security Measures on Integrity and Confidentiality	The responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reaso...
s.20	Information Processed by Operator or Person Acting Under Authority	Operators and persons acting under the authority of the responsible party who have access to personal information must p...
s.21	Security Measures Regarding Information Processed by Operator	Operators must process personal information only with the responsible party's knowledge or authorisation, and must estab...
s.22	Notification of Security Compromises	Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised...

Condition 8 Data Subject Participation

3 controls

Controls in the Condition 8 Data Subject Participation domain of South African POPIA — 3 controls
Code	Title	Description
s.23	Access to Personal Information	A data subject is entitled to request confirmation of whether the responsible party holds their personal information, an...
s.24	Correction of Personal Information	A data subject may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out...
s.25	Manner of Access	The provisions of PAIA sections 18 and 53 apply to requests for access to personal information, including the prescribed...

Cross-Border Transfers

1 controls

Controls in the Cross-Border Transfers domain of South African POPIA — 1 controls
Code	Title	Description
s.72	Transfers of Personal Information Outside Republic	Personal information may only be transferred outside South Africa where the recipient is subject to a law, binding corpo...

Data Subject Participation

1 controls

Controls in the Data Subject Participation domain of South African POPIA — 1 controls
Code	Title	Description
Reg.5	Request for Access, Correction and Objection Forms	The Regulations prescribe Form 1 (objection to processing), Form 2 (request for correction or deletion), Form 3 (applica...

Direct Marketing

2 controls

Controls in the Direct Marketing domain of South African POPIA — 2 controls
Code	Title	Description
s.69	Direct Marketing by Means of Unsolicited Electronic Communications	Processing personal information for direct marketing by means of unsolicited electronic communications is prohibited unl...
s.70	Directories	A data subject whose personal information appears in a public directory must be informed free of charge of the purpose o...

Enforcement

1 controls

Controls in the Enforcement domain of South African POPIA — 1 controls
Code	Title	Description
s.99-100	Civil Remedies and Offences	Data subjects may institute civil action for damages for breach of POPIA. Offences under the Act carry penalties includi...

Implementation

1 controls

Controls in the Implementation domain of South African POPIA — 1 controls
Code	Title	Description
Effective.July2021	Commencement and Transitional Period	POPIA commenced on 1 July 2020 with a one year transitional period. Full enforcement began 1 July 2021. Responsible part...

Information Officer

2 controls

Controls in the Information Officer domain of South African POPIA — 2 controls
Code	Title	Description
Reg.4	Responsibilities of Information Officer (Regulations)	An Information Officer must develop, implement, monitor and maintain a compliance framework, ensure a personal informati...
s.55-56	Information Officer Duties and Registration	Every responsible party must designate an Information Officer who is automatically the head of a private body, and may a...

Prior Authorisation

2 controls

Controls in the Prior Authorisation domain of South African POPIA — 2 controls
Code	Title	Description
s.57	Prior Authorisation by Information Regulator	Responsible parties must obtain prior authorisation from the Information Regulator before processing personal informatio...
s.58	Notification to Regulator	The Information Regulator must be notified of processing requiring prior authorisation, and the responsible party must n...

Special Personal Information

2 controls

Controls in the Special Personal Information domain of South African POPIA — 2 controls
Code	Title	Description
s.26-27	Special Personal Information Prohibition and Exemptions	Processing of special personal information (religion, race, trade union membership, political persuasion, health, sex li...
s.28-33	Authorisation for Specific Categories of Special Information	Sections 28 to 33 set out the specific authorisations and conditions for processing each category of special personal in...

Frequently Asked Questions

What is South African POPIA?

South African POPIA is a compliance framework from South Africa with 18 domains and 32 controls. South Africa Protection of Personal Information Act 4 of 2013. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does South African POPIA have?

South African POPIA has 32 controls organised across 18 domains. The largest domains are Condition 2 Processing Limitation (4 controls), Condition 7 Security Safeguards (4 controls), Condition 8 Data Subject Participation (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does South African POPIA map to?

South African POPIA does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with South African POPIA compliance?

Start your South African POPIA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about South African POPIA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required