Get compliant with POPIA with Ayottaz

Understand if your business is impacted by Protection of Personal Information Act (POPI Act)

What is POPIA?

The Protection of Personal Information Act (POPIA) is South Africa’s data protection law.

South Africa’s POPIA is the latest major data privacy law in the world to be modelled closely after the EU’s GDPR – empowering its citizens with enforceable rights over their personal information, establishing eight minimum requirements for data processing (e.g. introducing consent as a required legal basis), creating a broad definition of personal information for comprehensive end-user protection, as well as forming the Information Regulator (SAIR) as lead enforcer and supervisor of the law


Who does POPIA apply to?

The POPIA applies to any company or organization processing personal information in South Africa, who is domiciled in the country, or not domiciled but making use of automated or non-automated means of processing in the country. 

You need to comply if:

  • your organisation is domiciled in South Africa, or
  • your organisation is not domiciled in South Africa, but processes personal information in South Africa.

Whether or not you process in South Africa can be difficult to answer. This is important to understand, because POPIA can apply even if your organisation is domiciled outside South Africa.

Your organisation does not need to comply if it is domiciled and processes outside of South Africa. 

Responsible Party

is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.


is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

What does POPIA mean for businesses?

If your business is located in South Africa and/or  you process the personal information of South African customers, you are required to comply with POPIA. This means before you can process any of your customers’ personal information you’ll need to ask for their consent. For example, when a customer checks out on your online store and enters their email address, you’ll have to get their consent before you can save it to your database for future marketing purposes.

To be POPIA compliant you’ll also need to ensure all the personal information you store is secure, and that your customers have the ability to access, correct or delete any of their data that you have already collected.

Data Privacy

Rights under POPIA

Other Rights

Under POPIA, personal information may only be processed if the data subject (or a competent person where the data subject is a child) expressly consents to the processing of the personal information, unless the exclusions with regard to consent apply. The consent of the data subject is not required where the processing of personal information:

  • is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  • complies with an obligation imposed by law on the responsible party;
  • protects a legitimate interest of the data subject;
  • is necessary for the proper performance of a public law duty by a public body; and
  • is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied

It is to be noted that a data subject may withdraw his/her consent at any time

To be POPIA compliant you’ll also need to ensure all the personal information you store is secure, and that your customers have the ability to access, correct or delete any of their data that you have already collected.

What are the penalties under POPIA?

Any person who hinders, obstructs or unlawfully influences the Information Regulator, fails to comply with an information or enforcement notice, gives false evidence before the Information Regulator on any matter after having been sworn in or having made an affirmation, contravenes the conditions insofar as they relate to processing of an account number (i.e. unique identifier) of a data subject, knowingly or recklessly, without the consent of the responsible party, obtains, discloses, or procures the disclosure, sale, or offers to sell an account number of a data subject to another person, is guilty of an offence. This person is liable on conviction to a fine or imprisonment (or both) for a period of no longer than ten years, or to a fine or imprisonment for a period not exceeding 12 months (or both) in respect of the other offences created by POPIA. Currently, the maximum fine which may be imposed is ZAR 10 million (approx. €520,000), although this may change once further regulations are promulgated. Responsible parties have a right of appeal against a decision of the Information Regulator and a data subject has the right to institute a civil action for damages in a court against a responsible party for breach of any provision of POPIA.



the maximum fine which may be imposed is ZAR 10 million

Ayottaz can simplify your POPIA compliance journey

There’s no ‘one size fits all” approach to preparing for POPIA. Rather, each business needs to know exactly what needs to be achieved to comply and who is the data controller who has taken responsibility for ensuring it happens. You are expected to put into place comprehensive but proportionate governance measures.  

That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.

Under POPIA provisions, companies need to implement appropriate technical and organisational measures. This could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), technical updations, mapping of your data as well as continuing documentation on processing activities.  


Data Privacy

Connect with us now for your  initial POPIA consultation 

Currently, nearly all of the information and marketing material available regarding data privacy emphasizes technical expertise and the requirements of experts in order to manage compliance. All of this seems extremely daunting to a small to medium-sized business that lacks the resources to onboard such resources. Ayottaz acts as an unbiased interface between enterprises and service providers. We are in the unique position to assure quality products and services to enterprises without any allegiance to a particular product or service. Getting the first mover’s advantage and using the platform to build long-lasting relationships with our customers will help us stay ahead of the competition in the future.