Contact
Privacy Impact Assessments | Privacy Law Reform

South Africa: The development of codes of conduct under POPIA

The effective date for South Africa's data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') is fast approaching and in anticipation of D-Day (1 July 2021), organisations need to address their compliance requirements to avoid possible penalties. PR de Wet and Hayley Levey, from VDT Attorneys Inc, provide an overview of what codes of conduct are and the benefits of subscribing to a code of conduct, following Information Regulator's recent publication of Guidelines to Develop Codes of Conduct, Checklist for Submission of Application for Approval of a Proposed Code of Conduct, and Standard for Making and Dealing with Complaints in a Code of Conduct.

Published guidelines to develop codes of conduct

Relating to the aspect of enabling compliance, POPIA makes provision for codes of conduct to be issued. Chapter 7 of POPIA sets out the framework details for the issuing of codes of conduct and the Information Regulator (POPIA’s supervisory authority) has, in terms of Section 65 of POPIA, recently published the Guidelines to Develop Codes of Conduct (‘the Guidelines’) relating to the development of codes of conduct which aims, amongst other things, to:

  • assist bodies to develop and issue codes of conduct or to apply for approved code of conduct;
  • set-out a complaints procedure in relation to codes of conduct; and
  • provide a process for the review, varying and revocation of an approved codes of conduct.

What are codes of conduct?

Codes of conduct are essentially voluntary sector or industry guidelines that seek to apply a unified standard across a particular sector, professional body, or industry to assist members thereof, in implementing appropriate measures to ensure compliance with the provisions of POPIA.

Who can issue codes of conduct?

Codes of conduct can be issued through the Information Regulator’s own initiative subject to affected stakeholder consultation, or through the prescribed application process by a body which the Information Officer believes holds sufficient representation of a class of bodies, or of any industry, profession or vocation.

Notification of intention to develop codes of conduct required

Any relevant body, industry, or sector that intends developing a code of conduct is required to first notify the Information Regulator of its intention thereof and the Information Regulator must be kept informed throughout the process of the development of the proposed code of conduct.

Minimum requirements for a code of conduct

The requirements of a code of conduct include:

  • the incorporation of all of POPIA’s conditions for lawful processing of personal information (to this extent a code of conduct does not replace the relevant provisions of POPIA);
  • any failure to comply with an issued code is deemed to be a breach of the conditions for the lawful processing thereof;
  • a code of conduct should be limited to provisions which outline the specific obligations of relevant bodies bound by a code and any mandatory requirements under POPIA; and
  • any matters unrelated to the conditions for the lawful processing of personal information should not form part of a code to be approved by the Information Regulator.

Regulator’s notification that codes of conduct have been issued

Upon a code of conduct being issued, the Information Regulator is required to publish a notification to this extent, in the Government Gazette, which indicates amongst other things that such code has been issued and its effective date.

What are the possible benefits of subscribing to a code of conduct?

Possible benefits of adhering to issued codes of conduct include:

  • nurturing and promoting accountability and openness within the particular sector, body, or industry to which the codes are issued;
  • assisting members of bodies, sectors, or industries with guidance on how to implement compliance measures pursuant to POPIA’s conditions for lawful processing within their particular industry (i.e. a sector-specific POPIA compliance framework);
  • abiding by codes of conduct which have been approved by the Information Regulator are effectively an endorsement of good industry practice when it comes to data protection standards within such body, sector, or industry;
  • the potential to build your organisation’s brand and foster trust and confidence with data subjects including your customers, vendors, suppliers, and personnel, by showing commitment to safeguard their personal data and upheld their Constitutional right to privacy; and
  • assisting in how to approach key data protection implementation areas bearing the general landscape of processing within such sector, industry, or body (for e.g., how to approach breach notifications).

The published Guidelines are effective from 1 March 2021 and sectors, industries, and bodies wanting to develop a set of codes can proceed to draft and apply for issue thereof in terms of the applicable required process set out in the Guidelines, together with consideration of the provisions of Chapter 7 of POPIA.

PR de Wet Director
prdw@vdt.co.za
Hayley Levey Associate
hayleyl@vdt.co.za
VDT Attorneys Inc, Pretoria

 

1. See: https://www.dataguidance.com/legal-research/guidelines-develop-codes-conduct-issued-under
2. See: https://www.dataguidance.com/legal-research/checklist-submission-application-approval
3. See: https://www.dataguidance.com/legal-research/standard-making-and-dealing-complaints-code

May 20, 2024
Culture vs style: When workplace dress codes cross the line

Culture vs style: When workplace dress codes cross the line

by | Jan 16, 2026 | , , , ,

Dress codes are a familiar part of many workplaces, yet employers often fail to calibrate how far they are allowed to go in regulating employee personal appearance. While employers may enforce standards of neatness, safety and professionalism, these rules cannot override constitutional rights, nor can they operate in a discriminatory manner. A recent reminder of this emerged from the Supreme Court of Appeal, where the court had to consider the fairness of dismissing correctional officers for refusing to cut their dreadlocks, contrary to the employer’s dress code.

Competition Commission guidelines on confidential information

Competition Commission guidelines on confidential information

by | Jan 16, 2026 | , ,

The Competition Commission of South Africa (“Competition Commission”) identified a need to guide merger parties and stakeholders on claiming confidentiality over information. In September 2025, the Competition Commission issued Guidelines on the Commission’s handling of confidential information (“Guidelines”), which, however, are not binding on the Competition Commission, the Competition Tribunal or the Competition Appeal Court, but must be taken into account by these authorities when interpreting and applying the Competition Act 89 of 1998 (“Competition Act”).

Termination of joint ownership, rights in question: PIE Act explained

Termination of joint ownership, rights in question: PIE Act explained

by | Jan 16, 2026 | , , ,

In a recent Western Cape court case where the court ordered the termination of joint ownership of properties, an interesting question arose as to whether the termination of joint ownership did not amount to an eviction contrary to the Prevention of Illegal Eviction from and Unlawful Occupation of Land Act, 19 of 1998 (PIE Act)? We look at the requirements for the termination of joint ownership by our courts and whether this can infringe on the PIE Act.

Sign up to our newsletter

Pin It on Pinterest