POPIA
All Sectors
Protection of Personal Information Act
POPIA is South Africa's comprehensive data protection law that regulates the processing of personal information. It applies to all entities handling personal data, including government tenders involving personal information. The Act establishes eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. POPIA compliance is increasingly a requirement in ICT and service tenders involving personal data.
Eight Processing Conditions
Lawful processing requires compliance with eight conditions, including accountability, processing limitation, and security safeguards (Sections 8-25).
Information Officer Requirement
Every entity must register an Information Officer with the Information Regulator.
Data Breach Notification
Data breaches must be reported to the Information Regulator and affected data subjects (Section 22).
Cross-Border Data Transfer
Personal information may only be transferred outside South Africa if the recipient country has adequate data protection laws (Section 72).
- Register an Information Officer with the Information Regulator
- Conduct a personal information impact assessment for tender requirements
- Implement security safeguards for personal data processing
- Establish data breach notification procedures
- Ensure data processing agreements with third-party contractors include POPIA-compliant clauses
- Review cross-border data transfer implications for international subcontractors