For many, the answer is a simple yes. For a few, the answer is more complicated.
You need to comply if:
- your organisation is domiciled in South Africa, or
- your organisation is not domiciled in South Africa but processes personal information in South Africa (uses means or equipment in South Africa to process personal information).
This is important to understand because POPIA can apply even if your organisation is domiciled outside South Africa. Conversely, your organisation does not need to comply if it is domiciled outside South Africa and also processes personal information outside South Africa. In this respect, POPIA is unlike the GDPR and the Kenyan Data Protection Act, which require you to comply if your organisation processes the personal information (from anywhere) of data subjects in their territory. POPIA focuses on the location of the processing rather than the location of the data subject. We explain this in more detail below.
POPIA is about where you process and not who your data subjects are
If you do need to comply, you can find out how we can help you. For example, you might need a South African representative for POPIA. The risks are significant and there is no time to lose: POPIA has been fully enforceable since 1 July 2021.
The responsible party must comply
POPIA places its obligations on someone called the responsible party, which is what most of the world calls the controller. Who is this responsible party, and are you one? The responsible party is the person "which, alone or in conjunction with others, determines the purpose of and means for processing personal information." Several organisations are often involved in the same data processing, so the real question is: who is responsible for data protection in each of your relationships? Note that it is the responsible party, not the operator, that carries these obligations.
The responsible party could be a:
- public body, including government departments, municipalities, and any institution exercising a public power or performing a public function
- private body, including a partnership
- natural person who carries or has carried on any trade, business, or profession, but only in such capacity
- juristic person, whether existing or former
Which responsible parties does the POPI Act apply to?
If you answer yes to either of the following questions, you have to comply with POPIA.
Are we domiciled in South Africa?
Domiciled (from the Latin domicilium) simply means resident or based in South Africa. So, if you are a legal entity (like a company or trust) that is registered in South Africa, you are domiciled in South Africa. If you are a natural person living in South Africa, you are domiciled in South Africa. This question is like the equivalent question for the GDPR: are we established in the European Union? Very similar considerations apply.
Do we process personal information in South Africa?
More precisely, does your organisation make use of means or equipment located in South Africa to process personal information? If so, POPIA applies and you must comply. Examples of means or equipment include:
- a user’s personal computer (PC) or MacBook,
- a mobile or fixed line phone,
- any recording equipment, like a recorder,
- any computer hardware or software,
- cameras,
- books,
- sensors,
- terminals, servers, or data centres.
The net is therefore very broad. If, for example, your website is accessed by someone in South Africa on their computer or mobile phone and you collect their personal information through it, you process in South Africa and must comply. It is not true that organisations domiciled outside South Africa need not comply with POPIA, or that the regulator cannot enforce POPIA against them.
If you use means or equipment in South Africa to process personal information, you must comply. This holds true even if you are domiciled outside South Africa.
However, there is one exception. If you use means or equipment in South Africa (like a fibre optic cable) only to forward personal information through South Africa, POPIA does not apply to you.
Remember that processing means processing by the responsible party (controller) itself or by an operator (processor) on its behalf. So, if your operator uses means or equipment in South Africa to process personal information for you, you will have to comply.
Note that POPIA says "makes use of", not owns or controls. So, if you use your own or someone else's equipment in South Africa to process personal information, you must comply.
It does not matter who your data subjects are
If you are a company registered in South Africa but only process the personal information of Europeans, you have to comply with POPIA (as well as the GDPR) to protect the personal data of those Europeans. And if you are an organisation domiciled in Europe that processes, in Europe, the personal information of South African data subjects (for example, to offer them goods or services), you do not need to comply with POPIA. You would, however, need to comply with the GDPR in respect of those South African data subjects.
But if you are domiciled outside South Africa and use means or equipment in South Africa to process personal information, you must comply with POPIA.
If you are domiciled outside South Africa and are considering outsourcing some processing to a South African company, remember that doing so will trigger an obligation to comply with POPIA.
If you outsource processing to South Africa, you’ll have to comply with POPIA
Who is exempt from POPIA?
But hang on, some processing is excluded. POPIA provides a few exclusions. If you answer yes to any of the following questions, you do not have to comply with POPIA for that processing.
- Do we process personal information that is not entered into a record?
- Do we process personal information in the course of purely household activities?
- Is the information we process de-identified so that it no longer amounts to personal information?
- Are we a public body that protects national security?
- Are we a public body that prosecutes offenders?
- Are we a cabinet (and its committees) or the executive council of a province?
- Are we a court referred to in s166 of the Constitution, processing for the purposes of our judicial functions?
- Do we process for purely journalistic, artistic or literary purposes?
Your responsible party might make you agree to comply
If you answered no to both questions about domicile and processing in South Africa, you might still need to comply with the POPI Act because of a responsible party-operator (controller-processor) relationship. Are you domiciled outside South Africa and processing large amounts of personal information outside South Africa for South African organisations? If you are an operator for a responsible party who must comply, the law itself does not oblige you to comply with the POPI Act. However, your responsible party will probably oblige you to comply by contract. It is worth preparing your company for those obligations beforehand.
We can help you find answers
Unfortunately, answering these questions can sometimes be harder than it appears. To find answers for our clients, we have done a great deal of research on these questions and the issues they raise.
- Determine whether or not your specific organisation has to comply by consulting privately with Michalsons or obtaining a legal opinion on whether or not your specific organisation must comply.
A last word
POPIA discourages organisations outside South Africa from outsourcing processing to South Africa. And, in some cases, it fails to protect South African data subjects from harm, because organisations outside South Africa that do not use means or equipment in South Africa to process personal information need not comply. For these reasons, the South African Parliament needs to amend POPIA as soon as possible and bring it in line with the extra-territorial provisions of most modern data protection laws. The regulator could play a role in proposing those amendments.