The Protection of Personal Information Act 4 of 2013 (POPIA) gives several rights to anyone whose personal information is being collected, stored, or used. In the language of POPIA, these people are referred to as “data subjects”.[1]
“Personal information” is broadly defined in POPIA to include any information about a living individual (or, when relevant, an organisation) that can be used to identify them. This includes:
- Demographic details (like race, gender, and age);
- Health, educational, financial, criminal, or employment history;
- Identifiers like ID numbers, email addresses, and phone numbers;
- Biometric data (like fingerprints or facial recognition);
- Personal views, opinions, or preferences;
- Private correspondence;
- Opinions others may have about the person;
- Names, when combined with other personal information, or when revealing the name alone would give away personal details.[2]
This note summarises the rights conferred on data subjects. Please note that while these summaries are generally accurate, some nuance has been excluded in the interest of accessibility. If you require further information about any particular right, please refer to the relevant section of POPIA.
General rights of a data subject
Section 5 of POPIA confers a general right on any data subject to have their information “processed in accordance with the conditions for lawful processing of personal information” as described in Chapter 3 of the Act.[3] It then singles out several more specific rights held by all data subjects. To understand what this means, it will be useful to consider each specified right in turn.
Notification rights
Right to be notified about the collection of personal data: You have the right to be notified when your personal information is being collected.[4] Anyone collecting such information must take reasonable steps to ensure that you are aware of what information is being collected, why it is being collected, where this information came from (if it was not supplied by you directly), and anything else that may be relevant.[5] This notification ought to take place before the data has been collected (unless you are already aware the information is being collected), or else as soon as is practical after the data has been collected.[6]
There are certain instances where this requirement will not apply, such as where you have previously consented to not being notified,[7] where the information has been anonymised,[8] and where non-compliance is necessary in the interests of national security.[9]
Right to be notified of security compromises: If somebody who has your personal information has reason to believe that your information has been accessed by an unauthorised person then they must notify both you and the Information Regulator, as soon as reasonably possible, in writing.[10] They should also provide sufficient information about the compromise so that you can take protective measures against any potential consequences of the compromise – including what the possible consequences are, what steps they will take, and advice on what steps you should take.[11]
Right to access personal information
You have the right to request from others – free of charge – whether they hold any personal information about you.[12] Where they do hold such information, you have the right to request a record or description of this information, including information on whether this information has been accessed or handled by others. There may be a fee attached to requesting this detailed information; where this is the case, you are entitled to be given a fee estimate in writing prior to receiving the information.[13]
There are certain scenarios where this right may not apply, such as where the requested information forms part of certain records of the South African Revenue Service or is otherwise commercially confidential.[14] In such cases, all information except that which is not permitted to be shared must be disclosed.[15]
Right to correct or delete personal information
You have the right to request that anyone who has your personal information correct or delete this information, where this information is inaccurate, irrelevant, excessive, out of date, misleading, or unlawfully obtained; or where they are no longer lawfully authorised to retain it.[16] Anyone who receives such a request is obliged, as soon as reasonably possible, to correct or destroy the information as necessary, and to provide credible evidence to prove that they have in fact taken appropriate action.[17] Where agreement cannot be reached on correction or deletion, you can request that the information be marked to show that a request to have it altered was made, even if that request was not honoured.[18]
Right to object
You have the right to object to your personal information being processed, where there is a good reason to object. This applies in situations where the justification for processing the information is that it protects your legitimate interests, it is necessary for the performance of a public law duty, or it is in the interests of the person who holds your information (the responsible party or a third party).[19]
Further, section 11(3)(b) of POPIA provides that a data subject may object to the processing of their information for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications (detailed below).
Right not to have information processed for direct marketing
You have the right not to have your personal information processed for the purpose of direct marketing by means of unsolicited electronic communications.[20]
In terms of section 69(1) of POPIA, the processing of personal information for the purpose of direct marketing through any form of electronic communication (including telephone, fax, SMS or email) is prohibited unless the data subject has consented to it or they are a customer of the responsible party.
Right to not be subjected to automated decision-making
“Automated decision-making” refers to the process of using automated systems (such as artificial intelligence models that learn from patterns in large amounts of data) to make decisions.
You have the right not to be subjected to decisions that are made solely on the basis of automated systems, where this decision would have a legal consequence for you or otherwise affect you to a substantial degree.[21] A legal consequence is something that affects someone’s legal rights. Something that affects someone ‘to a substantial degree’ is more difficult to define but could include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.
This right can be challenging to enforce because it requires decisions to be based ‘solely’ on an automated process. In practice, a human is often at least nominally involved in the decision-making process, even if they are taking direction from an automated system and are unable to explain how the system arrives at its decisions.
This right does not apply in certain instances, such as when the decision is taken as part of a contract,[22] or if the decision is governed by a law or code of conduct which specifies measures for protecting your interests by allowing you to make representations in response to a decision, and by providing you with sufficient information to understand the logic underlying how the automated decision was made.[23] Again, in practice this can be a very challenging requirement to satisfy, as the logic that underlies these systems is often opaque even to the people that operate them.
Right to submit a complaint
You have the right to submit a complaint to the Information Regulator regarding any infringements on the rights detailed in this document, and any interference with your personal information more generally.[24]
If you wish to submit a complaint to the Information Regulator, you should complete the prescribed form and submit it to POPIAComplaints@inforegulator.org.za.
More information about the process is available here.
Right to institute civil proceedings
You have the right to institute civil proceedings in any court with jurisdiction against any entity that unlawfully interferes with the protection of your personal information (for example, by failing to comply with the provisions discussed above).[25] It is not necessary to prove either ill-intent or negligence on the part of the interferer. If, after hearing the matter, the court is convinced of your case, it is entitled to award an amount it deems to be just and fair.[26]
[1] These rights are enumerated in section 5 of POPIA.
[2] Id.
[3] Section 5 of POPIA. All subsequent references are made to POPIA.
[4] Section 5(a)(i).
[5] Section 18(1)(a)-(h).
[6] Section 18(2)(a)-(b).
[7] Section 18(4)(1)(a).
[8] Section 18(4)(1)(f)(i).
[9] Section 18(4)(1)(c)(iv). For a full list of exceptions, see section 18(4)(1)(a)-(f).
[10] Section 22(1)-(2).
[11] Section 22(4)(1) and Section 22(5).
[12] Section 23(1)(a).
[13] Section 23(3).
[14] Section 23(4).
[15] Section 23(4).
[16] Section 24(1)(a)-(b).
[17] Section 24(2)(a)-(c).
[18] Section 24(2)(d).
[19] Section 11(3)(a).
[20] Section 5(f).
[21] Section 71(1).
[22] Section 71(2)(a).
[23] Sections 71(2)(b) and 71(3).
[24] Section 74(1).
[25] Section 99(1) read with section 73.
[26] Section 99(3).