Who must comply with POPIA?

The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law. In terms of its overall intention the regulation is similar to the EU’s General Data Protection Regulation (GDPR), but is unlike the GDPR in terms of where the data processing takes place.

POPIA also applies to personal information collected not only about living persons but about businesses, trusts, body corporates and other similar kinds of organisations whereas the GDPR applies only to living persons.

Most organisations (this includes businesses, websites and legal entities) in South Africa need to comply with POPIA, but not all. So which of them need to comply?

To make reading easier, we’ll refer to organisations – including businesses, websites and legal entities – in this blog as “you”.

Location of processing vs location of data subject

POPIA has more to do with where you process personal data than where or who your data subject is. This is different to the GDPR, which says you must comply if you process personal information belonging to data subjects in the EU even if you’re not located in the EU.

You must comply with POPIA if:

  1. You’re located in South Africa.
  2. You’re located outside of South Africa, but process personal information in South Africa.

So to work out if you need to comply or not, you can ask:

  1. Is your company registered in South Africa?
  2. Are your computers or servers in South Africa?

If you answer yes to either of these questions, you’ll need to get going with mapping your data, and working out how you can amend your systems to become compliant.

Generally speaking you don’t need to comply if:

  1. You’re not based in South Africa
  2. None of your processing equipment is in South Africa

There are some instances where POPIA obviously doesn’t apply, such as if the data subject is deceased, and others where you can apply for at least a partial exemption.

Gaining exception from POPIA

Very few organisations will be granted an exemption from POPIA. However, if you meet certain requirements, you can apply to the POPIA Regulator for an exemption to perhaps some of the processing conditions. To qualify for an exemption, you need to show that your processing is, amongst other examples:

  1. in the interests of national security or the prevention, detection and prosecution of offences,
  2. fostering compliance with other legal provisions,
  3. important for the economic and financial interests of a public body,
  4. for historical, statistical or research purposes,
  5. of special importance in terms of freedom of expression.

OR, you need to show that you processing is of definite benefit to the data subject and outweighs any interference with their privacy.

Journalists are in an interesting category and there are specific rules that apply to them. As a journalist, you can collect, process or share personal data for journalistic purposes. However, if as a journalist you process information for non-journalistic purposes, then you are subject to POPIA.


If you don’t want to comply with POPIA, you could move out of SA and process the personal information from another country.

If you need help working out whether you need to comply, and how, we can help.

Book time with our compliance expert

Step 1 of 2

  • Sign up for your
    Free Trial

    Please complete the form to sign up for your free trial. For all our other products, please contact us for a consultation.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

The reseller zone is currently out getting a facelift as we look to integrate it with our backup platform, as it stands you can overview your clients on our new backup console. If you don't know what console that is, please reach out to us.

Give us a call:

Send us a WhatsApp:

Drop us an email:

After hours support:

After hours hosting support:

Log a support request

  • Hidden
  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

We are taking all necessary precautions around the COVID-19 situation. Our offices are closed and our team members have each been set up to work remotely in self-isolation at home. As far as possible IronTree will maintain business as usual. All our resources such as server platforms, transactional capacity, telephony and electronic communications, including video meeting facilities, have been configured in the cloud and are 100% operational. Please feel free to contact us if you require our assistance. Stay safe!
One of our team members will be happy to help answer any questions you have!
Just click the chat icon in the right-hand corner.