The POPIA Amendment Regulations commenced with immediate effect on 17 April 2025. These amended regulations cover new proposed rules of procedure and administrative fines, and expand the data subject’s rights to their personal information. In this post, we summarise the regulations, enable you to download them, and list what actions to take.
What do the POPIA Amendment Regulations deal with?
- New and updated definitions: Definitions such as “complainant” and “complaint” clarify who may lodge matters with the regulator. The addition of “day”, “office hours”, “writing” and “relevant body/bodies” ensures that the timing of submissions, validity of electronic communications and the scope for sector-wide codes of conduct are all unambiguous.
- Revised objection process: Data subjects may object to processing free of charge, via various channels of communication, on a form substantially similar to Form 1. You must alert the data subject to this right at collection, and record any telephone objections (Regulation 2; Section 11(3) POPIA).
- Updated correction or deletion requests: Data subjects may request correction, deletion or destruction of personal information at any time and free of charge using Form 2 through multiple channels. A responsible party is required to respond to the data subjects within 30 days (Regulation 3; Section 24(1) POPIA).
- Amended information officer duties: Regulation 4 is trimmed to exclude the information officer’s responsibility to develop and maintain a PAIA manual as well as provide copies to the data subject upon request. This does not remove the PAIA manual obligation itself, but rather, this responsibility falls under the provisions of PAIA. The information officer is now required to ensure that their organisation’s compliance frameworks are “continually improved” (Regulation 4).
You should not interpret this amendment to mean that information officers are not responsible for a PAIA manual. This deletion categorises the requirement for a PAIA manual as a requirement under PAIA.
- Direct marketing consent: Consent must still be “written”, but can now be obtained via any method “reasonably accessible” to the data subject. This includes e-mail, telephone, SMS, WhatsApp, fax or automated calling. Direct marketers may not infer consent from silence or pre-ticked boxes. Consent obtained via telephone or automated calling machine must be recorded (and transcribed), and a copy must be made available to the data subject upon request (Regulation 6; Section 69(2) POPIA).
- Expanded complaints procedure: Regulation 7 broadens who may submit complaints to the regulator and prescribes multiple channels through which a complainant may submit a complaint. The regulator is also required to acknowledge receipt of the complaint and issue a reference number within 14 days (Regulation 7; Section 74; 76(1)(e) and 92(1) POPIA).
- Streamlined forms: Regulation 12 has been streamlined to delete Forms 17 to 19 of the Regulations, 2018. Forms 1 to 5 have also been updated and must replace the legacy forms.
- Administrative fines and instalments: Regulation 13 is a new provision to the Amendment Regulations. Responsible parties can negotiate instalment plans when issued with an infringement notice. The regulator will assess affordability on a case-by-case basis.
Actions you can take
- Download the POPIA Amendment Regulations and read them together with the first POPIA Regulations, 2018.
- Update your organisation’s processes and policies immediately by ensuring that they reflect the changes made in the POPIA Amendment Regulations.
- Review and update your consent mechanisms by switching to explicit “opt-in” and saving telephone recordings as proof.
- Replace your legacy forms by rolling out new Forms 1 to 5 on your website, emails, and call-centre scripts.
- Keep abreast of any updates to the POPIA Regulations by visiting our main POPIA regulations page.