POPIA (South Africa)

Overview

Field	Value
Pack ID	`south-africa/popia`
Full title	Protection of Personal Information Act 4 of 2013 (POPIA)
Regulator	Information Regulator of South Africa
Jurisdiction	South Africa (ZA)
Effective date	July 2021 (full enforcement)

What comply54 enforces

POPIA is South Africa's comprehensive data privacy framework, broadly aligned with GDPR. comply54 enforces the agent-facing conditions of POPIA:

Cross-border transfers (§72)

POPIA §72 requires that the destination country has adequate protection before personal information is transferred outside South Africa.

Destination	Decision
South Africa	`allow`
AU/SADC adequacy partner	`allow`
Non-adequate country + consent	`escalate` — IR notification
Non-adequate country, no consent	`deny`
Any country, special data (biometric/health)	`deny`

Special personal information (§26)

POPIA §26 imposes strict controls on biometric data, race, health information, and criminal records — prohibiting cross-border transfer in all cases:

result = compliance.check(
    action="export_data",
    params={"destination_country": "US", "data_type": "biometric"},
)
# decision: deny — "POPIA §26: Special personal information cannot be transferred cross-border"

Processing personal information requires at least one lawful basis (consent, legitimate interest, contract, legal obligation):

result = compliance.check(
    action="process_data",
    params={"data_type": "customer_pii"},
    context={"consent_documented": False, "legitimate_interest": False},
)
# decision: escalate — lawful basis required

Input fields used

Field	Path	Description
Action	`input.action`	`"export_data"`, `"process_data"`, `"send_to_external"`
Destination country	`input.params.destination_country`	ISO 3166-1
Data type	`input.params.data_type`	`"biometric"`, `"customer_pii"`, `"health"`, `"financial"`
Consent documented	`input.context.consent_documented`	Boolean
Legitimate interest	`input.context.legitimate_interest`	Boolean

Messages returned

POPIA §72: Cross-border transfer to US requires adequacy confirmation or consent
POPIA §26: Special personal information (biometric) — cross-border transfer prohibited
POPIA §11: No lawful basis for processing — consent or legitimate interest required

Overview​

What comply54 enforces​

Cross-border transfers (§72)​

Special personal information (§26)​

Consent (§11)​

Input fields used​

Messages returned​

Regulatory references​