The Protection of Personal Information Act (POPI) was passed in South Africa in 2013. The purpose of the POPI Act is to safeguard individuals from data security breaches, theft, and discrimination. In this article we will cover what POPI means for South African institutions and data processors. Continue reading to find out what the POPI Act entails and how to comply with the law.

What is the POPI Act in South Africa?

POPI stands for the Protection of Personal Information Act No. 4 of 2013. It is similar to the European Union’s General Data Protection Regulation (GDPR), so you can consider our POPI Act as the South African version of European regulation.

In a nutshell, POPI applies rules for the correct handling of personal data of South Africans. It is comprised of eight general conditions as well as three less descript conditions. Just like the GDPR, the POPI Act in South Africa makes entities accountable for breaches of personal data. It also gives South Africans rights in terms of unsolicited electronic communications.

Who Does POPI Apply to?

A data processor is someone who uses automated or non-automated means to process personal information in the Republic of South Africa. The term “responsible party” refers to an entity that collects personal information for a data processor. For a more detailed breakdown of who falls within the scope of POPIA, see our article on who POPIA applies to.

“Automated” refers to the use of technology that processes data automatically based on a data processor’s instructions.

POPI controls your business’s use of a citizen’s personal information. Personal information is considered: “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”

Who is Exempt from POPI?

POPI primarily applies to people or groups in South Africa who process data for commercial purposes.

The law lists several exclusions that will exempt you from having a claim, such as:

  • Data that is processed for personal reasons
  • Data that was de-identified and can’t be reinstated
  • Data processed by or for a public body associated with the justice system, law enforcement, or national security.
  • Data processed by the province’s Cabinet, committees or Executive Council.

The data also includes any processing done for literary or artistic expression or for the purpose of journalism. The POPI has deemed processing for these purposes to be a matter of public interest and any limits on the processing is considered an infringement on free expression.

POPIA Enforcement and Recent Developments

Since POPIA came into full effect on 1 July 2021, the Information Regulator has steadily increased its enforcement activity. Notable actions include a R5 million fine against the Department of Justice and Constitutional Development following a 2021 security compromise, and a further R5 million fine against the Department of Basic Education in November 2024 for publishing matric results using examination numbers in breach of an enforcement notice. The maximum administrative fine under POPIA is R10 million, with criminal prosecution possible in severe cases.

In April 2025, the Information Regulator published amended POPIA Regulations that simplify the processes for data subjects to object to processing, request corrections or deletions, and provide consent for direct marketing. Data subjects may now submit these requests free of charge via WhatsApp, SMS, email, telephone, or in person. The amendments also introduced an e-Services Portal for mandatory reporting of data breaches, and the number of reported security compromises has risen sharply — from 202 in the 2021/22 financial year to over 2 800 in the 2025/26 financial year to date.

Employers handling employee data should also be aware of their obligations under POPIA — our guide on the application of POPIA in the workplace covers this in detail.

We hope that this has given you a better understanding of what the POPI Act is in South Africa.


Updated 14 April 2026 — Added Information Regulator enforcement actions, the April 2025 POPIA Regulation amendments, and data breach reporting statistics.