← Frameworks / Data Protection

Protection of Personal Information Act (Act 4 of 2013)

South Africa's comprehensive data protection law, closely modelled on EU GDPR principles. Establishes 8 conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Covers responsible party obligations, information officers, data subject rights, transborder data flows, enforcement by the Information Regulator, and criminal offences. Mandatory for all public and private bodies processing personal information in South Africa.

Clauses: 30

Avg Coverage: 29.8%

Publisher: Republic of South Africa Version: 2013 (effective 2021)

POPIA → SP 800-53 SP 800-53 → POPIA Coverage Analysis

Clause	Title	SP 800-53 Controls
s5	Rights of data subjects	PT-01 PT-04 PT-05 PT-06
s8	Condition 1 — Accountability	PT-01 PM-01 PM-02 PM-03 PM-09 AU-01 AU-02 CM-13 PL-01
s9	Condition 2 — Lawfulness of processing	PT-01 PT-02
s10	Condition 2 — Minimality	AC-06 PT-07 CM-12
s11	Condition 2 — Consent, justification and objection	PT-02 PT-04
s12	Condition 2 — Collection directly from data subject	PT-05
s13	Condition 3 — Collection for a specific purpose	PT-01 PT-03 PT-05 CM-13
s14	Condition 3 — Retention and restriction of records	AU-11 SI-12 CM-12 MP-06
s15	Condition 4 — Further processing limitation	PT-03 PT-07 CM-13
s16	Condition 5 — Information quality	SI-01 SI-06 SI-07 SI-10 SI-18
s17	Condition 6 — Documentation by responsible party	AU-01 AU-02 CM-08 CM-12 CM-13 RA-02 PL-02
s18	Condition 6 — Notification to data subject when collecting personal information	AC-08 PT-05
s19	Condition 7 — Security measures on integrity and confidentiality of personal information	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AU-01 AU-02 AU-06 AU-09 CA-01 CA-02 CA-07 CM-01 CM-02 CM-03 CM-06 CM-07 CP-01 CP-02 CP-09 CP-10 IA-01 IA-02 IA-04 IA-05 IR-01 IR-04 MA-01 MA-02 MP-01 MP-02 MP-04 MP-06 PE-01 PE-02 PE-03 PL-01 PL-02 PM-01 PM-09 PS-01 PS-03 PS-06 RA-01 RA-03 RA-05 RA-07 SC-01 SC-07 SC-08 SC-12 SC-13 SC-28 SI-01 SI-02 SI-03 SI-04 SI-07
s20	Condition 7 — Information processed by operator	SA-09 PS-07 SR-01 SR-02 SR-03
s21	Condition 7 — Security measures regarding information processed by operator	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05
s22	Condition 7 — Notification of security compromises	IR-01 IR-02 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 AU-06
s23-24	Condition 8 — Access to personal information and correction of personal information	PT-06 SI-18
s25	Condition 8 — Manner of access	PT-06
s26-27	Prohibition on processing special personal information — general authorisation	AC-16 PT-01 PT-03 PT-07
s28-33	Authorisation for processing specific categories of special personal information	PT-07 AC-16
s34-35	Processing of personal information of children	PT-04 PT-07
s55	Information officer — duties and responsibilities	PM-02 PS-09
s56	Deputy information officers — designation and delegation	PS-09
s57-59	Prior authorisation by Information Regulator	CA-06 PT-02
s69	Direct marketing by means of unsolicited electronic communications	PT-04 PT-05
s70	Directories	PT-05
s71	Automated decision-making	PT-08
s72	Transborder information flows — transfers outside the Republic	AC-04 SA-09 SC-07
s73-99	Enforcement — complaints, investigations, and regulatory powers	AU-06 IR-06
s100-109	Offences, penalties, and administrative fines