The information regulator will publish a Gated Communities Code of Conduct under POPIA, specifying how a gated access community may process visitors’ personal information. According to the regulator on 5 March 2025, there has been a public outcry on this issue and therefore the information regulator will respond by publishing a code of conduct on its own initiative.

The regulator said the following “The Regulator will develop a Code of Conduct for the processing of personal information by gated access communities. This code aims to ensure that such communities adhere to the provisions of POPIA when handling the personal data of residents and visitors.”

This is not a guidance note but a code of conduct which carries more weight.

What is a gated access community?

It isn’t defined. Many would say it is an area with restricted access, typically featuring controlled entrances (gates) and often walls or fences to enhance security and privacy. A gated or walled community. It would definitely include residential property community schemes (like an estate with a body corporate). It will impact a trustee of a body corporate or an executive of a Home Owner’s Association.

It will apply to both residential and commercial properties with access control

What about commercial properties (like office parks)?  Yes, this code of conduct will probably apply. This means it will impact the facilities manager of many corporates in South Africa.

Overview of the Gated Communities Code of Conduct

We don’t yet know what the regulator plans to cover in this code of conduct, but some topics come to mind.

  1. Application to gated communities.
  2. The personal information that a gated community can collect from an owner or visitor.
  3. Accountability and responsibility of role players.
  4. The notices a gated community must display.
  5. The outsourcing of security to third-party service providers.
  6. The verification of people’s identity and profiling of visitors.
  7. Restriction on further processing and the sharing of personal information with third parties.

When will the Code of Conduct for the Processing of Personal Information by Gated Access Communities be finalised?

We don’t know. The Regulator must follow the process in Chapter 7 of POPIA. Once the regulator publishes a draft and obtains public input, it will publish the code of conduct in the government gazette. The code will come into effect 28 days after the regulator issues the code and publishes a notice in the government gazette.

We will monitor these developments and will update this post with further developments.

According to the regulator’s plan it will be completed by 31 March 2026.

Actions you can take

  • Be alerted to future developments by subscribing to the Michalsons newsletter or on LinkedIn.
  • If you are a gated community, influence the development of this Gated Access Community Code of Conduct by asking for our assistance.
  • Take steps to comply with data protection laws by joining our programme and working through the lens for data protection for community schemes or module on controlling physical access to premises.