The “who’s who” of POPI

“I own a local cellphone and electronics store. We collect personal information from our clients, and quite often have to pass on information to third parties such as cellular providers etc. in order to provide our services. I’m not sure where our business fits into the picture with POPI and what my responsibilities are? Can you provide some clarity?”

The Protection of Personal Information Act 4 of 2013 (“POPI”), which has been signed into law, but has not yet come fully into effect, protects our rights to privacy by setting conditions and requirements for the processing of ‘personal information’, which is any information relating to a living natural person or an identifiable legal entity and includes, amongst others, information such as names, birth dates, identity/registration numbers, passport numbers, demographic information, occupational information, health information, contact information etc. POPI also relates to the ‘processing’ of such information, which includes, amongst others, the collection, use, storage, deletion or destruction of personal information, etc.

POPI establishes a number of role players with specific rights and responsibilities under POPI. The subject of the protection afforded by POPI is the ‘data subject’ which is a person (natural person or legal entity) to whom the personal information relates. This can be a new or existing client, a prospective client, a supplier, or any other person whose personal information is being processed by your organisation. Data subjects can also be resident anywhere in the world and will qualify as a data subject if their personal information is processed by a responsible party in South Africa. 

On the other side of the coin is the ‘responsible party’ who is the party who must comply with POPI. The responsible party is the party that processes the personal information, determines the purpose for which the personal information is needed and who can even outsource a part or all of the processing of the personal information to a third party who is referred to as an ‘operator’ in terms of POPI. Importantly though, despite the processing being outsourced to an operator, the responsible party still remains responsible for such processing, making it imperative that processing of personal information by operators must also be compliant with POPI.

The personal information your cellphone store receives when opening cellular accounts will qualify as personal information in respect of those clients who will also be seen as data subjects for purposes of POPI. Your actions of collection, storing and passing such information on to cellular providers will qualify as processing and since you determine the purpose of the processing, will qualify your business in this context as a responsible party under POPI. This means that POPI will apply to your business and that you will need to ensure that all your processing actions in relation to personal information are compliant with POPI.

Given that you also pass personal information on to other parties for specific actions in respect thereof, this may also be seen as passing information on to operators. This would require that you put proper operator agreements in place to ensure that the operators meet the requirements of POPI as you remain responsible for the operator’s actions in terms of POPI.

Our advice is to seek the assistance of a POPI specialist to review your business and how you process personal information to ensure that the correct compliance framework, procedures, client forms and contracts are put in place to ensure you meet all facets of POPI.

September 7, 2017
Fee or tax? The court decides

Fee or tax? The court decides

With effect from 1 July 2025, the City of Cape Town introduced three new charges on residential rate bills. These charges were challenged by the South African Property Owners’ Association (SAPOA) and AfriForum, who argued that they were unlawful and improperly calculated. The dispute culminated in court applications seeking declaratory orders that the charges were invalid because they were inconsistent with the Constitution, national legislation, and the City’s own By-Laws.

Pay first… maybe not

Pay first… maybe not

For decades, the South African Revenue Service (“SARS”) has relied on the “pay now, argue later” rule as a cornerstone of tax administration. This principle permits SARS to collect disputed taxes before the underlying dispute has been resolved, often placing significant financial strain on taxpayers. While the rule serves an important fiscal purpose, it also raises critical questions regarding fairness, proportionality, and the limits of administrative discretion.

Sign up to our newsletter

Pin It on Pinterest