Protection of Personal Information (POPIA) & the Right to Access to Information (PAIA)

Disclaimer & Website Terms of Use


People & Institutions

POPIA introduces five role players that must see to it that its lawful conditions for processing personal information are at all times complied with.


1. Information Regulator

The Information Regulator is the national, independent body that is empowered by POPIA to encourage, monitor and enforce compliance by Responsible Parties with the provisions of POPIA and PAIA. Before the Information Regulator came into being, the SA Human Rights Commission was tasked with upholding PAIA , but was severely hampered in its enforcement powers. This changes dramatically from 1 July, when the Information Regulator takes up its full position and powers.When a complaint is submitted to, or initiated by, the Information Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters (a bit like the CCMA for labour disputes). Side note: we have been advised that complaints initiated at the SAHRC cannot be transferred to the Regulator – the Regulator starts its work on 1 July “de novo”.

2. Responsible Party

The Responsible Party (GDPR “controller”) is the person or company that determines the decision-making (“purpose and means”) for processing personal information, and is responsible and liable for compliance with POPIA and PAIA. Whatever the size of your company, or whatever the size of your data processing operations, POPIA applies. No specific categories of responsible parties have been excluded / Read more about exemptions here

3. Information Officer

The Information Officer is responsible for (ongoing) compliance by the Responsible Party with POPIA and PAIA. His or her duties include the encouragement of compliance with POPIA and managing requests from data subjects and the Regulator. Section 1 of POPIA and PAIA define the “head of a private body” as the Information Officer by default, and state that this should be either the CEO, an equivalent officer of the company or any other duly authorised person. However, the Regulator has slightly diverted from the Act’s definition in its authoritative interpretations in the Regulations of 2018 and the Guidance Note of 2021:-

  1. WHO : Information Officers (and Deputees, 7.2 and 8.2) MUST be “employees of the company at executive level.” (5.9) Deputy Information Officers must be appointed if the structure and size of the company and the expected data subject access requests (DSAR) necessitate this (7.3) Multinational companies must appoint an Information Officer in South Africa (7.6).
  2. WHAT : Duties of the Information Officer (and Deputees) in terms of POPIA are listed in the Regulations (4) and further specified in the Guidance Notice (6), and include the development and implementation of systems and procedures that ensure POPIA compliance, including a personal information impact assessment, compliance framework and POPIA/PAIA manual, staff education, and managing requests from data subjects and the Regulator. This may include personal liabilities for destroying, damaging, altering, concealing, falsifying or making a false record with intent to deny a right of access in terms of PAIA, for wilfully or in a grossly negligent manner failing to make available a PAIA manual as per section 51 of PAIA or for non-compliance with an Enforcement Notice.
  3. HOW : Information Officers (and Deputees) must be appointed by the Responsible Party in writing template C for IOs and template B for DIOs, and need to register, either online, via the POPIA online registration portal or by completing the official POPIA registration PDF form and e-mailing to or posting to PO Box 31533, Braamfontein, Johannesburg 2017


4. Operator

An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Section 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.

5. Data Subject

A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information. In South Africa (unlike in Europe) a data subject can be a person or a company.