MICROSOFT WHITE PAPER ON PERSONAL INFORMATION ACT, 2013 (POPIA)
The Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020. The 12-month grace period for compliance commenced on 1 July 2020. This means that private and public bodies, and anyone else who determines the purpose of, and means for, processing personal information (processing entities) now have until 30 June 2021 to comply with the Act’s comprehensive requirements.
This White Paper sets out key provisions in POPIA but should not be read as an exhaustive summary of its provisions. Likewise, the controls detailed below should not be considered as representative of Microsoft’s entire control framework. Furthermore, Microsoft’s continuous development of its cloud service capabilities, combined with its focus on supporting and facilitating customers’ compliance efforts, means that customers should consult their Microsoft representative for more information on available compliance technologies at the time of reading this White Paper.

Below we set out a high-level overview of the instances in which POPIA will apply to processing activities and the obligations which come with POPIA.
AM I SUBJECT TO POPIA?

• POPIA APPLIES TO JURISTIC AND NATURAL PERSONS:
- Who are domiciled in South Africa; or
- Who are not domiciled in South Africa but use automated or non-automated means in South Africa, unless the personal information is only forwarded through South Africa.

• SO IF YOU PROCESS PERSONAL INFORMATION IN SOUTH AFRICA: POPIA will apply to you even if you are not domiciled in South Africa.

AM I PROCESSING PERSONAL INFORMATION?

“Processing” is defined broadly to include various actions that can be taken in relation to personal information, including its collection, receipt, storage and use.

WHAT IS PERSONAL INFORMATION?

PERSONAL INFORMATION IS:
• Information relating to an identifiable, living natural OR juristic person.

POPIA defines personal information very broadly, to include a wide range of information that can be used to identify a data subject.

Notably, POPIA refers to the personal information of juristic entities, meaning that businesses will be able to enforce their data protection rights under POPIA.

(Flowchart: if the answer to each of the three questions above is YES, POPIA applies; if the answer to any of them is NO, POPIA DOES NOT APPLY.)
WHO CAN PROCESS PERSONAL INFORMATION?

A RESPONSIBLE PARTY
A responsible party is the person or entity that determines the purpose and means of processing personal information (i.e. determines the destiny of the information) and can act independently or jointly with other responsible parties.

OPERATOR
An operator processes personal information for, or on behalf of, a responsible party in terms of a contract or mandate.

Determining whether a person is a responsible party or an operator will not always be an easy exercise. A person will have to assess its processing activities very closely. The distinction is important, because it affects the rights and obligations that fall on responsible parties and operators respectively.

RESPONSIBLE PARTY OBLIGATIONS UNDER POPIA

GENERAL PROCESSING PRINCIPLES
A RESPONSIBLE PARTY MUST COMPLY WITH ALL 8 CONDITIONS FOR LAWFUL PROCESSING, NAMELY:

1 ACCOUNTABILITY: You will be responsible for ensuring POPIA compliance.
2 PROCESSING LIMITATION: You must only process that information which you require.
3 PURPOSE SPECIFICATION: Personal information must be collected for a specific purpose.
4 FURTHER PROCESSING LIMITATION: Further processing of personal information (i.e. outside the original purpose) must be compatible with the original purpose of collection.
5 INFORMATION QUALITY: You must keep personal information records accurate and up to date.
6 OPENNESS: You must disclose certain information to data subjects (i.e. that their information is being collected, where it is collected from and how it is used).
7 SECURITY SAFEGUARDS: You must secure the integrity and confidentiality of personal information.
8 DATA SUBJECT PARTICIPATION: You must allow data subjects to access their personal information.

OPERATOR CONTRACTS
Responsible parties must conclude a written contract with operators to ensure that the operators establish and maintain measures that secure the integrity and confidentiality of personal information.

DATA SECURITY AND BREACH NOTIFICATION
If there is a data breach, the responsible party may have to inform the affected individuals and the Information Regulator.

INFORMATION OFFICER
Responsible parties must appoint an Information Officer who is responsible for overseeing their compliance with the provisions of POPIA.

PRIVACY NOTICES
Responsible parties must tell individuals how their personal information is collected, why it is collected and how it will be used.

PROCESSING JUSTIFICATION
A responsible party must make sure processing is justified in these circumstances:
• With consent
• For performance of a contract
• In compliance with a legal obligation
• Legitimate interests
• Public law duty.

RECORD RETENTION
POPIA restricts the instances in which personal information can be retained by a responsible party.

TRANS-BORDER INFORMATION FLOWS
POPIA sets out restrictions on when personal information can be transferred outside South Africa.

OPERATOR OBLIGATIONS UNDER POPIA

OPERATOR CONTRACTS
Operators must comply with the provisions of the contract concluded with a responsible party.

DATA BREACH
Operators must notify the responsible party immediately of any suspected or actual data breach.

RESPONSIBLE PARTY / OPERATOR EXAMPLES

• You manage your employee data on your IT systems: You are likely a Responsible Party.
• You are appointed to provide payroll services to your client: You are likely an Operator.
• You provide information about your patient to a medical insurer: You are likely a Responsible Party.
• You send marketing emails to your client’s customer list: You are likely an Operator.

FOR MORE INFORMATION CONTACT

CONTACT PERSONS

Andrea Campbell
E-MAIL: [email protected]
CALL: 27 (11) 361 7804

Asif Valley
E-MAIL: [email protected]
CALL: 27 (11) 361 8057

Colin Erasmus
E-MAIL: [email protected]
CALL: 27 (11) 361 7185