The Protection of Personal Information Bill 2009 (POPI or the Bill*) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. Members of our Information Law and Data Protection Group provide some insight into the implications of POPI in this series of Snapshots.

In previous Snapshots we discussed that the Bill sets out eight conditions that responsible parties will need to consider for the processing of personal information to be lawful. Accountability, the first condition, was examined in the previous Snapshot. This Snapshot considers Processing Limitation, the second of the eight conditions.

Condition 2: Processing Limitation

Lawfulness of processing

Personal information must be processed lawfully and in a reasonable manner that does not infringe on a data subject's privacy. Thus, a responsible party will need to develop procedures and policies to ensure that personal information is processed in a "reasonable manner".

Some considerations:

  • There must be clarity on the length of time and the reasons for which personal information will be retained. In determining appropriate retention periods, any statutory obligations imposed on a responsible party must be taken into consideration.
  • Once the purpose for which the personal information was obtained has ceased and it is no longer required, it may be anonymised, deleted or disposed of in a secure manner. To comply with this requirement, responsible parties are advised to assign specific responsibility and to introduce procedures to ensure that files are regularly purged.

Compliance may vary depending on the reason for which the information is processed. In time, objective guidelines are expected to be made available. These will assist responsible parties to assess whether their information processing is compliant.


Personal information may only be processed in a manner that is relevant, adequate and not excessive, bearing in mind the purpose for which it is used.

Consent, justification and objection

Personal information may only be processed if the processing:

  • has been consented to by the data subject or a competent person in the case of a minor;
  • is necessary to fulfil a contract that the data subject is party to;
  • complies with an obligation imposed on the responsible party by law;
  • is necessary to protect a data subject's legitimate interest;
  • is necessary for a public body to perform a public law duty properly; or
  • is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is given.

The responsible party bears the burden of proof to show that consent has been given. It is therefore prudent for companies to obtain such consent in writing. Consent may be withdrawn at any time, but the lawfulness of processing of personal information done before the withdrawal of the consent will not be affected.

A data subject may object to the processing of personal information:

  • in a specific manner, on reasonable grounds, unless the law permits that processing;
  • for purposes of direct marketing (other than unsolicited electronic communications).

Once a data subject has objected to the processing of personal information, a responsible party may no longer process this information.

Collection directly from data subject

Personal information must be collected directly from the data subject except when:

  • the information is obtained from a public record;
  • the data subject consents to another means of collection;
  • there is no prejudice to a legitimate interest of the data subject;
  • collection of information from another source is necessary, for example:
    • criminal investigations and prosecutions;
    • the collection of revenue by SARS;
    • proceedings in courts and tribunals;
    • the interest of national security; or
    • to maintain the legitimate interests of the responsible party or third party to whom the information is supplied;
  • compliance is not reasonably practicable in a particular instance; or
  • compliance would prejudice a lawful purpose of the collection.

Click here to read clauses 9 - 12 - Processing Limitation.

*The Bill has been adopted by the Portfolio Committee on Justice and Constitutional Development and by the National Assembly (NA). This Snapshot has been drafted using the latest version of the Bill as passed by the NA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.