



South Africa's Protection of Personal Information Act (POPIA) aims to promote the protection of personal information processed by public and private bodies and to introduce certain conditions so as to establish minimum requirements for the processing of personal information. The version used in this section is POPIA 2021.


3A_11. Processing of personal information in general – Consent, justification and objection
  310. Request user consent

3A_13. Purpose specification - Collection for specific purpose
  189. Specify the purpose of data collection

3A_14. Purpose specification - Retention and restriction of records
  360. Remove unnecessary sensitive information

3A_15. Further processing to be compatible with purpose of collection
  315. Provide processed data information

3A_16. Quality of information
  062. Define standard configurations

3A_18. Notification to data subject when collecting personal information
  315. Provide processed data information

3A_19. Security measures on integrity and confidentiality of personal information
  062. Define standard configurations
  176. Restrict system objects
  185. Encrypt sensitive information
  229. Request access credentials
  264. Request authentication

3A_21. Security measures regarding information processed by operator
  161. Define secure default options
  262. Verify third-party components

3A_23. Access to personal information
  122. Validate credential ownership
  228. Authenticate using standard protocols
  229. Request access credentials
  264. Request authentication

3A_24. Correction of personal information
  316. Allow rectification requests

9_72. Transfers of personal information outside Republic
  024. Transfer information using session objects
  030. Avoid object reutilization
  153. Out of band transactions
  176. Restrict system objects
  181. Transmit data using secure protocols