South Africa: The development of codes of conduct under POPIA

The effective date for South Africa's data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), is fast approaching and, in anticipation of D-Day (1 July 2021), organisations need to address their compliance requirements to avoid possible penalties. PR de Wet and Hayley Levey, from VDT Attorneys Inc, provide an overview of what codes of conduct are and the benefits of subscribing to a code of conduct, following the Information Regulator's recent publication of Guidelines to Develop Codes of Conduct, Checklist for Submission of Application for Approval of a Proposed Code of Conduct, and Standard for Making and Dealing with Complaints in a Code of Conduct.

Published guidelines to develop codes of conduct

To enable compliance, POPIA makes provision for codes of conduct to be issued. Chapter 7 of POPIA sets out the framework for the issuing of codes of conduct, and the Information Regulator (POPIA’s supervisory authority) has, in terms of Section 65 of POPIA, recently published the Guidelines to Develop Codes of Conduct (‘the Guidelines’), which aim, amongst other things, to:

  • assist bodies to develop and issue codes of conduct or to apply for an approved code of conduct;
  • set out a complaints procedure in relation to codes of conduct; and
  • provide a process for the review, varying and revocation of an approved code of conduct.

What are codes of conduct?

Codes of conduct are essentially voluntary sector or industry guidelines that seek to apply a unified standard across a particular sector, professional body, or industry to assist its members in implementing appropriate measures to ensure compliance with the provisions of POPIA.

Who can issue codes of conduct?

Codes of conduct can be issued through the Information Regulator’s own initiative subject to affected stakeholder consultation, or through the prescribed application process by a body which the Information Officer believes holds sufficient representation of a class of bodies, or of any industry, profession or vocation.

Notification of intention to develop codes of conduct required

Any relevant body, industry, or sector that intends to develop a code of conduct is required to first notify the Information Regulator of its intention to do so, and the Information Regulator must be kept informed throughout the development of the proposed code of conduct.

Minimum requirements for a code of conduct

The requirements of a code of conduct include:

  • the incorporation of all of POPIA’s conditions for lawful processing of personal information (to this extent a code of conduct does not replace the relevant provisions of POPIA);
  • any failure to comply with an issued code is deemed to be a breach of the conditions for the lawful processing thereof;
  • a code of conduct should be limited to provisions which outline the specific obligations of relevant bodies bound by a code and any mandatory requirements under POPIA; and
  • any matters unrelated to the conditions for the lawful processing of personal information should not form part of a code to be approved by the Information Regulator.

Regulator’s notification that codes of conduct have been issued

Upon a code of conduct being issued, the Information Regulator is required to publish a notification to this effect in the Government Gazette, which indicates, amongst other things, that such code has been issued and its effective date.

What are the possible benefits of subscribing to a code of conduct?

Possible benefits of adhering to issued codes of conduct include:

  • nurturing and promoting accountability and openness within the particular sector, body, or industry to which the codes are issued;
  • assisting members of bodies, sectors, or industries with guidance on how to implement compliance measures pursuant to POPIA’s conditions for lawful processing within their particular industry (i.e. a sector-specific POPIA compliance framework);
  • abiding by codes of conduct which have been approved by the Information Regulator is effectively an endorsement of good industry practice when it comes to data protection standards within such body, sector, or industry;
  • the potential to build your organisation’s brand and foster trust and confidence with data subjects including your customers, vendors, suppliers, and personnel, by showing commitment to safeguard their personal data and uphold their Constitutional right to privacy; and
  • assisting in how to approach key data protection implementation areas bearing in mind the general landscape of processing within such sector, industry, or body (e.g., how to approach breach notifications).

The published Guidelines are effective from 1 March 2021, and sectors, industries, and bodies wanting to develop a set of codes can proceed to draft them and apply for their issue in terms of the process set out in the Guidelines, together with consideration of the provisions of Chapter 7 of POPIA.

PR de Wet Director
Hayley Levey Associate
VDT Attorneys Inc, Pretoria

