Privacy Policy Template — South Africa
An attorney-drafted Privacy Policy template designed specifically for South African organisations. This comprehensive, legally compliant document discloses how your business collects, uses, stores, shares, and protects personal information — covering all eight conditions for lawful processing under POPIA Sections 8-25, data subject rights, Information Officer obligations, cross-border data transfers, data breach notification procedures, and Information Regulator registration requirements. Built for businesses of all sizes, from startups to enterprises, that process personal information of customers, employees, suppliers, or website visitors in South Africa.
What is a Privacy Policy in South Africa?
A Privacy Policy is the public-facing notification required by Section 18 of the Protection of Personal Information Act 4 of 2013 (POPIA) — the mechanism through which a responsible party informs data subjects of the collection, use, sharing, and safeguarding of their personal information under POPIA's eight conditions for lawful processing in Sections 8 to 25.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
Privacy Policy TL;DR
Every South African organisation that processes personal information must have a Privacy Policy that addresses POPIA's eight conditions for lawful processing: accountability (Section 8), processing limitation (Sections 9-12), purpose specification (Sections 13-14), further processing limitation (Section 15), information quality (Section 16), openness (Sections 17-18), security safeguards (Sections 19-22), and data subject participation (Sections 23-25). It must identify the Information Officer registered under Section 55 with the Information Regulator, describe the lawful basis for each processing purpose, disclose cross-border transfers under Section 72, explain data subject rights, and set out breach notification procedures under Section 22. The Consumer Protection Act requires plain and understandable language under Section 22 of the CPA. The Promotion of Access to Information Act 2 of 2000 requires every private body to maintain a complementary Section 51 manual. Non-compliance carries fines of up to R10 million and imprisonment for up to 10 years under POPIA Section 107.
Also known as: Privacy Notice, Data Protection Notice, POPIA Privacy Policy, Information Privacy Policy, Data Privacy Statement.
Why Your Business Needs This Document
No Privacy Policy — Fundamental POPIA Non-Compliance
An organisation that processes personal information without a Privacy Policy is in direct breach of POPIA's openness condition (Condition 6, Section 18), which requires notification to data subjects when their personal information is collected. The Information Regulator has publicly stated that every organisation processing personal information must have a Privacy Policy — and its assessment activities specifically check for the existence and adequacy of this document. Without a Privacy Policy, the organisation cannot demonstrate compliance with POPIA, cannot properly respond to data subject access requests, and is exposed to enforcement action, administrative fines of up to R10 million, and criminal prosecution.
Generic International Template That Does Not Address POPIA
Many South African businesses use Privacy Policy templates downloaded from international websites — documents drafted for GDPR, CCPA, or other jurisdictions that do not reference POPIA, do not address the eight conditions for lawful processing, do not mention the Information Regulator, and do not comply with South Africa's specific requirements for cross-border data transfers, Information Officer designation, or the PAIA manual. These templates create a false sense of compliance while leaving the organisation exposed to every enforcement risk that POPIA was designed to address.
No Information Officer Designated or Registered
Every private body in South Africa has a default Information Officer under POPIA Section 55 — the CEO or head of the organisation — but many businesses have not formally designated this role, appointed Deputy Information Officers for operational privacy management, or registered the Information Officer with the Information Regulator. The Information Regulator has specifically identified the failure to register Information Officers as a widespread compliance gap and has indicated it will take enforcement action against non-compliant organisations. Without a designated Information Officer, data subject requests go unanswered, breach notifications are not coordinated, and the organisation has no point of accountability for POPIA compliance.
No Data Breach Response Capability
POPIA Section 22 requires notification of the Information Regulator and affected data subjects "as soon as reasonably possible" after discovering a data breach. Organisations without a documented incident response plan, without staff trained to identify and report breaches, and without notification templates and procedures cannot meet this obligation. The delay between discovery and notification — often weeks or months in organisations without breach response capabilities — compounds the harm to data subjects and increases the severity of the Information Regulator's response. Criminal penalties for failure to notify include imprisonment for up to 10 years.
Processing Personal Information Without a Lawful Basis
POPIA requires a specific lawful basis for every processing activity — consent, contractual necessity, legal obligation, legitimate interest, or one of the other Section 11 grounds. Organisations that process personal information without identifying and documenting the lawful basis for each processing purpose are in breach of the processing limitation condition (Condition 2). This is particularly common with marketing activities (using customer data for marketing without consent or a legitimate interest assessment), employee monitoring (tracking employee activity without a lawful basis or adequate notification), and data sharing (providing personal information to third parties without a legal basis or data subject notification).
No POPIA Operator Agreements with Third-Party Service Providers
POPIA Sections 20-21 require a written contract with every "operator" — any third party that processes personal information on behalf of the responsible party. This includes cloud hosting providers, payroll bureaus, marketing platforms, customer support outsourcing, and IT managed service providers. Many South African businesses share personal information with these service providers without any written agreement addressing processing conditions, security measures, breach notification, data return/destruction, and data subject rights. The responsible party remains liable for the operator's processing — if the operator suffers a data breach or misuses personal information, the responsible party is accountable to the Information Regulator and affected data subjects.
What is a Privacy Policy?
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's comprehensive data protection legislation — and compliance is not optional. Every South African organisation that "processes" "personal information" of an identifiable, living, natural person (or, in certain circumstances, a juristic person) must comply with POPIA. The definitions are deliberately broad: "processing" includes any operation performed on personal information, whether automated or manual — collection, recording, storage, updating, retrieval, consultation, use, sharing, distribution, merging, restriction, degradation, erasure, or destruction. "Personal information" includes names, ID numbers, contact details, financial information, employment history, biometric data, opinions, correspondence, and any information that can be used to identify a specific individual.
POPIA establishes eight conditions for lawful processing that every Privacy Policy must address: (1) Accountability — the responsible party must ensure compliance with all conditions and must be able to demonstrate that compliance; (2) Processing limitation — personal information must be processed lawfully, for a specific purpose, with the data subject's knowledge, and only to the extent that it is adequate, relevant, and not excessive; (3) Purpose specification — personal information must be collected for a specific, explicitly defined, and lawful purpose, and must not be retained longer than necessary; (4) Further processing limitation — personal information must not be processed for a purpose incompatible with the original collection purpose; (5) Information quality — the responsible party must take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary; (6) Openness — the responsible party must maintain documentation of all processing activities and notify data subjects when their personal information is collected; (7) Security safeguards — the responsible party must secure the integrity and confidentiality of personal information through appropriate technical and organisational measures; and (8) Data subject participation — data subjects must be able to access, correct, and delete their personal information.
The Privacy Policy is the primary mechanism through which an organisation fulfils its transparency obligations under POPIA's openness condition (Condition 6, Section 18). It must notify data subjects of the identity of the responsible party, the purpose of processing, whether the supply of information is voluntary or mandatory, the consequences of failure to provide the information, the legal basis for processing, the categories of recipients, the existence of cross-border transfers, the data subject's rights, and the right to lodge a complaint with the Information Regulator.
A generic international Privacy Policy drafted for GDPR or CCPA will not satisfy POPIA — the eight conditions, the Information Officer, and the Section 22 breach notification are uniquely South African requirements.
The Information Regulator — South Africa's independent data protection authority established under POPIA Section 39 — has been increasingly active in enforcement. It has issued enforcement notices, conducted assessments, and signalled its intention to impose the significant penalties provided by the Act. Section 107 provides for criminal penalties including fines of up to R10 million and imprisonment for up to 10 years for serious contraventions, including the obstruction of the Information Regulator, failure to comply with enforcement notices, and unlawful processing of special personal information or account numbers. Section 99 provides for civil remedies, including compensation for patrimonial and non-patrimonial damages suffered by data subjects.
Every organisation must designate an Information Officer — the person responsible for ensuring POPIA compliance, handling data subject requests, managing data breach notifications, and serving as the point of contact for the Information Regulator. Under Section 55, the head of a private body (typically the CEO) is the default Information Officer unless the function is formally delegated. Deputy Information Officers can be appointed under Section 56 to handle day-to-day privacy operations. The Information Officer must be registered with the Information Regulator.
This attorney-drafted Privacy Policy template is fully compliant with POPIA (Sections 1-115), the Electronic Communications and Transactions Act 25 of 2002 (ECTA), the Promotion of Access to Information Act 2 of 2000 (PAIA — which requires every private body to have a PAIA manual), and relevant sector-specific legislation including the Financial Intelligence Centre Act 38 of 2001, the National Credit Act 34 of 2005, and the Basic Conditions of Employment Act 75 of 1997 for employee personal information.
What a POPIA-Compliant Privacy Policy Must Include
Clauses required by the eight conditions for lawful processing and the Information Regulator's guidance.
| Clause | Required By | Key Reference |
|---|---|---|
| Identity and contact details of the responsible party | Protection of Personal Information Act 4 of 2013 | Section 18(1)(a) |
| Categories of personal information collected | Protection of Personal Information Act 4 of 2013 | Section 18(1)(b) |
| Specific, explicit and lawful purpose for processing | POPIA Condition 3 — purpose specification | Section 13 |
| Lawful basis for processing | Protection of Personal Information Act 4 of 2013 | Section 11 |
| Categories of recipients and operators | POPIA openness condition | Section 18(1)(c)–(d) |
| Cross-border transfer disclosure and safeguards | Protection of Personal Information Act 4 of 2013 | Section 72 |
| Data subject rights (access, correction, deletion, objection) | POPIA data subject participation | Sections 23–25; Section 11(3) |
| Security safeguards implemented | POPIA security condition | Sections 19 and 20 |
| Breach notification procedure | Protection of Personal Information Act 4 of 2013 | Section 22 |
| Information Officer details and registration | Protection of Personal Information Act 4 of 2013 | Sections 55 and 56 |
| Retention periods aligned with legal requirements | POPIA Condition 3 | Section 14 |
| Right to lodge complaint with the Information Regulator | POPIA data subject rights | Section 74 |
POPIA compliance is mandatory for every South African organisation that processes personal information — there is no small business exemption or minimum threshold
The Information Regulator can impose administrative fines of up to R10 million and criminal prosecution can result in imprisonment for up to 10 years under POPIA Section 107
Every private body must have a designated Information Officer registered with the Information Regulator — the CEO is the default if no formal designation is made
Data breach notification must be made to the Information Regulator and affected data subjects "as soon as reasonably possible" under Section 22 — organisations need a documented incident response plan
Cross-border data transfers under POPIA Section 72 require the recipient country to have adequate protection, or data subject consent, or another enumerated safeguard — simply using international cloud services without assessment is non-compliant
Key Clauses Included
This Privacy Policy template covers 12 essential sections, each drafted by South African attorneys.
Information We Collect
Comprehensive disclosure of the categories of personal information collected — organised by source and type. Categories include: identity information (name, ID number, date of birth, gender, nationality), contact information (physical address, email, phone numbers), financial information (bank details, payment card numbers, transaction history, credit information), technical information (IP address, browser type, device identifiers, location data collected through websites and apps), usage information (browsing history, search queries, clickstream data), employment information (for employee privacy), and special personal information under POPIA Section 26 (religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health data, sexual life, biometric information, and criminal behaviour). For each category, the section identifies the source (directly from the data subject, from third parties, or automatically collected) and whether providing the information is mandatory or voluntary.
How & Why We Process Your Information
Maps every processing purpose to a specific POPIA condition for lawful processing under Section 11 — ensuring each purpose has a legitimate legal basis. Processing purposes typically include: performing a contract with the data subject (Section 11(1)(b)), complying with a legal obligation (Section 11(1)(c)), protecting the data subject's legitimate interests (Section 11(1)(d)), performing a public law duty (Section 11(1)(e)), and pursuing the legitimate interests of the responsible party (Section 11(1)(f), subject to a balancing test against the data subject's rights). Where consent is the basis (Section 11(1)(a)), the section explains how consent is obtained, that consent can be withdrawn at any time, and the consequences of withdrawal.
Information Sharing & Third-Party Recipients
Identifies the categories of third parties with whom personal information is shared — including service providers (IT hosting, payment processors, marketing platforms, courier companies), professional advisors (auditors, attorneys, accountants), group companies (subsidiaries and holding companies), regulatory authorities (SARS, CIPC, the Information Regulator, sector regulators), and other parties where required by law (courts, law enforcement). For each category, the section specifies the purpose of sharing, the legal basis, and the safeguards in place. Where personal information is processed by third-party "operators" under POPIA Sections 20-21, the section confirms that written operator agreements are in place specifying processing conditions, security measures, and data subject rights.
Cross-Border Data Transfers
Discloses whether personal information is transferred outside South Africa — to cloud service providers, international group companies, or service providers in other jurisdictions. Under POPIA Section 72, cross-border transfers are permitted only if: the recipient country has adequate data protection laws, the transfer is necessary for the performance of a contract, the data subject consents, or the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent. The section identifies the countries to which data is transferred, the safeguards in place (binding corporate rules, contractual clauses, consent), and the adequacy assessments conducted. For common services, this includes disclosing that data is transferred to the United States (Google, Microsoft, AWS), the European Union (various service providers), and other jurisdictions.
Data Retention Periods
Specifies the retention period for each category of personal information, the legal or operational basis for each retention period, and the secure destruction procedure when retention periods expire. POPIA Section 14 requires that personal information be retained only for as long as necessary for the purpose for which it was collected, or as required by law. Typical retention periods in South Africa include: financial and tax records (5 years from submission under the Tax Administration Act 28 of 2011), employment records (3 years after termination under the Basic Conditions of Employment Act 75 of 1997), contractual records (3 years after expiry under the Prescription Act 68 of 1969), and marketing consent records (for the duration of the consent plus a reasonable period). The section also addresses the secure destruction methods used — digital sanitisation, physical shredding, and certification of destruction.
Data Subject Rights Under POPIA
Explains each right that data subjects have under POPIA, in plain language: the right to be notified that personal information is being collected (Section 18), the right to access personal information held about them (Section 23), the right to request correction or deletion of inaccurate, misleading, or unlawfully processed information (Section 24), the right to object to the processing of personal information on reasonable grounds (Section 11(3)), the right to object to direct marketing (Section 11(3)(b), and Section 69 specifically for electronic marketing), the right not to be subject to a decision based solely on automated processing (Section 71), and the right to lodge a complaint with the Information Regulator (Section 74). For each right, the section provides the procedure for exercising it, the required information, the expected response timeline, and any applicable fees.
Security Measures & Safeguards
Describes the technical and organisational security measures implemented to protect personal information — as required by POPIA Section 19. Technical measures include: encryption of personal information in transit (TLS/SSL) and at rest (AES-256), access controls and authentication (role-based access, multi-factor authentication), network security (firewalls, intrusion detection systems), regular security assessments and penetration testing, and automated monitoring and alerting. Organisational measures include: staff privacy awareness training, confidentiality agreements for all personnel with access to personal information, documented information security policies, incident response procedures, and regular security audits by independent assessors. The section also addresses the duty under Section 19(2) to notify the Information Regulator and affected data subjects of any security compromise.
Data Breach Notification
Sets out the organisation's data breach notification procedures in compliance with POPIA Section 22. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible. The notification must include: the nature of the breach, the personal information affected, the measures taken to address the breach, recommended steps the data subject should take to mitigate harm, and the contact details of the Information Officer. The section also explains what constitutes a notifiable breach, the investigation process, and the timeline for notifications.
Direct Marketing & Electronic Communications
Addresses the use of personal information for direct marketing — subject to POPIA Section 69 and ECTA Section 45. Under POPIA, existing customers may be contacted for direct marketing of similar products or services without prior consent (the "soft opt-in"), provided they are given a reasonable opportunity to opt out at the time of initial collection and on every subsequent communication. For prospective customers who are not existing clients, prior consent is required. ECTA Section 45 requires that unsolicited electronic communications include the sender's identity and a functional opt-out mechanism. The section explains how consent is obtained, how opt-out requests are processed, and the timeline for implementing opt-out requests.
Special Personal Information & Children's Information
Addresses the processing of special personal information under POPIA Sections 26-33 (religious beliefs, race, ethnic origin, trade union membership, political persuasion, health data, sexual life, biometric information, and criminal behaviour) and children's personal information under Section 35. Processing of special personal information is generally prohibited unless one of the specific exemptions in Sections 27-33 applies — such as consent, establishment of a legal claim, compliance with legislation, or processing by an insurance company. Processing of children's personal information requires the consent of a competent person (parent or guardian). The section discloses whether the organisation processes these categories, the specific exemption relied upon, and the additional safeguards in place.
Information Officer & Contact Details
Provides the contact details of the designated Information Officer (or Deputy Information Officer) — including name, position, physical address, email address, and phone number. Explains the Information Officer's role in ensuring POPIA compliance, handling data subject requests, coordinating data breach notifications, and serving as the liaison with the Information Regulator. Includes the POPIA registration reference number (once registered) and the process for submitting data subject requests or privacy complaints. This section also provides the Information Regulator's contact details for complaints that cannot be resolved directly with the organisation.
Policy Updates & Effective Date
Explains how data subjects will be notified of material changes to the Privacy Policy — including the notification channels (email, website notice, in-app notification for registered users), the effective date of changes, and whether material changes require renewed consent or fresh notification under POPIA Section 18. Includes a version history or changelog for transparency, and confirms that the most current version of the policy is always available on the organisation's website.
South African Law Compliance
Protection of Personal Information Act 4 of 2013
POPIA is the primary South African legislation requiring a Privacy Policy and governing all aspects of personal information processing. It establishes eight conditions for lawful processing (Sections 8-25): accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Section 18 requires notification to data subjects when their information is collected. Section 22 requires breach notification to the Information Regulator and affected data subjects. Sections 23-25 establish data subject rights (access, correction, deletion). Section 69 regulates direct marketing. Sections 26-35 restrict the processing of special personal information and children's information. Section 72 restricts cross-border data transfers. Section 107 provides for criminal penalties including fines of up to R10 million and imprisonment for up to 10 years.
Electronic Communications and Transactions Act 25 of 2002
ECTA complements POPIA for online data processing. Section 43 requires e-commerce websites to display specific information including privacy practices and data handling procedures. Section 45 restricts unsolicited electronic communications and requires opt-out mechanisms — directly relevant to email marketing, SMS marketing, and push notifications. Section 51 addresses the protection of personal information collected through electronic transactions, requiring service providers to use the information only for the purposes agreed with the data subject. ECTA's data protection provisions operate alongside POPIA, and where both apply, the more protective provision prevails.
Promotion of Access to Information Act 2 of 2000
PAIA requires every private body (including companies) to compile and make available a PAIA manual (Section 51) that describes the records held by the organisation and the procedures for requesting access. The Privacy Policy should reference the PAIA manual and explain how data subjects can exercise their right of access to personal information through both POPIA (Section 23, which is the primary mechanism for data subject access requests) and PAIA (which provides a broader right of access to records). The Information Regulator now administers both POPIA and PAIA, creating a unified enforcement framework.
Cybercrimes Act 19 of 2020
The Cybercrimes Act reinforces the security obligations in the Privacy Policy. Section 14 criminalises the unlawful acquisition of data, Section 16 criminalises unlawful interference with data, and Section 17 criminalises unlawful interference with computer systems. These provisions strengthen the legal framework protecting personal information against cyberattacks. Section 54 imposes obligations on electronic communications service providers to report certain offences to the South African Police Service within 72 hours. The Privacy Policy's security measures and breach notification procedures should be drafted with awareness of the Cybercrimes Act's requirements.
Basic Conditions of Employment Act 75 of 1997
The BCEA is relevant to the Privacy Policy's treatment of employee personal information. Employers process significant quantities of employee personal data — identification documents, bank details, medical information for occupational health, disciplinary records, and performance evaluations. The BCEA requires retention of employment records for specified periods (at least 3 years after termination), which intersects with POPIA's retention limitation condition. The Privacy Policy must address employee personal information processing, the lawful basis (employment contract, legal obligation), and the retention periods aligned with both BCEA and POPIA requirements.
POPIA vs GDPR — Key Differences for SA Businesses
Many South African businesses serve international customers or use EU-based services. Understanding how POPIA and GDPR differ helps you comply with both frameworks.
| Feature | POPIA (South Africa) | GDPR (European Union) |
|---|---|---|
| Scope | Applies to processing of personal information of identifiable natural and juristic persons in South Africa | Applies to processing of personal data of natural persons in the EU, or by EU-based controllers/processors |
| Juristic persons protected | Yes — POPIA protects personal information of companies, trusts, and other juristic persons | No — GDPR only protects natural persons (individuals) |
| Regulator | Information Regulator (South Africa) | Data Protection Authorities in each EU member state, coordinated by the EDPB |
| Lawful bases for processing | Six grounds under Section 11: consent, contract, legal obligation, legitimate interest of data subject, public law duty, legitimate interest of responsible party | Six grounds under Article 6: consent, contract, legal obligation, vital interests, public task, legitimate interests |
| Consent withdrawal | Data subject may withdraw consent, but no specific requirement for consent to be as easy to withdraw as to give | Article 7(3) expressly requires withdrawal to be as easy as giving consent |
| Data breach notification | Section 22: notify the Information Regulator and data subjects "as soon as reasonably possible" — no fixed deadline | Article 33: notify the supervisory authority within 72 hours of becoming aware of the breach |
| Cross-border transfers | Section 72: permitted to countries with adequate protection, or with consent, or contractual necessity | Chapter V: permitted to adequate countries (adequacy decision), or with SCCs, BCRs, or other safeguards |
| Maximum fines | Administrative fines up to R10 million; criminal penalties up to 10 years imprisonment under Section 107 | Administrative fines up to EUR 20 million or 4% of global annual turnover, whichever is higher |
| DPO / Information Officer | CEO is the default Information Officer under Section 55 — must be registered with the Information Regulator | DPO required only for specific categories of controllers/processors under Article 37 |
| Right to data portability | Not expressly provided — data subjects have access rights under Section 23 but no specific portability right | Expressly provided under Article 20 — data subjects can receive their data in a structured, machine-readable format |
| Children's data | Section 35: processing requires consent of a competent person (parent/guardian) — no specified age threshold in the Act | Article 8: consent required from parent/guardian for children under 16 (member states may lower to 13) |
Conduct a personal information processing audit
Map every processing activity across the organisation before writing a word of the Privacy Policy. For each activity identify the data subject category (customers, employees, suppliers, website visitors, candidates, beneficiaries), the information categories involved (general personal information under Section 1 and any special personal information under Section 26), the source (directly from the data subject, from third parties, or automatic collection through cookies and devices), the processing purpose, the Section 11 lawful basis (consent, contract, legal obligation, legitimate interest of data subject, public-law duty, or legitimate interest of responsible party), every recipient and operator, any cross-border transfer with the Section 72 safeguard relied on, and the retention period. This audit is the factual basis for both the Privacy Policy and the PAIA Section 51 manual and must be refreshed whenever processing changes.
Identify and designate your Information Officer
The CEO or head of the private body is the default Information Officer under Section 55 of POPIA and bears personal accountability — register them with the Information Regulator using the prescribed form. Appoint one or more Deputy Information Officers under Section 56 to handle operational privacy work in each department or processing area, document their responsibilities in writing, and publish their names in the Privacy Policy. Allocate a privacy compliance budget, integrate the role into the organisation's risk and audit framework, and ensure the Information Officer has direct reporting access to the executive or board. The Information Regulator has identified the failure to register Information Officers as a priority enforcement target.
Complete the template with your audit results and operational details
Populate every section of the template from the audit: categories of personal information, processing purposes mapped to lawful bases, recipient categories, cross-border transfers with Section 72 justification, retention schedules aligned to the Tax Administration Act (5 years), BCEA (3 years post-termination), Prescription Act (3 years contractual), and FICA (5 years), security measures actually in place, data subject rights procedures, breach notification process, Information Officer contact details, and the Information Regulator's complaint address. Every statement must be factually accurate — the Information Regulator will treat a mismatch between the stated policy and actual practice as itself a breach of POPIA's openness condition. Close any gap between policy and practice before publication.
Review for POPIA compliance and plain language accessibility
Walk the completed policy against each of the eight POPIA conditions and tick off where each is addressed. Verify every processing purpose has an identified and defensible lawful basis (not merely "consent" as a blanket); that every cross-border transfer names the country, the recipient, and the Section 72 ground; that data subject rights are described with clear exercise procedures and response timelines; and that the breach notification section reflects the actual incident-response runbook, not an aspirational ideal. Apply the CPA Section 22 plain-language test — hand the draft to a colleague with average literacy and no legal training and ask them to summarise their rights; if they struggle, the language is too dense. Cross-reference the PAIA Section 51 manual for consistency.
Publish, distribute, and maintain
Publish the Privacy Policy at a permanent URL linked from the footer of every page of the website and from every data-collection point (registration forms, contact forms, checkout, employment applications, supplier onboarding). Reference the policy in customer terms and conditions, employment contracts, service provider agreements, and operator agreements. Build an annual review cycle: reassess processing activities, refresh retention periods against legislative amendments, and update for new data categories, new third-party processors, new cross-border transfers, and Regulator guidance. Keep a version history accessible from the policy page and notify data subjects of material changes through email and in-product banners at least 30 days before the effective date.
Operationalise data subject rights and Section 22 breach response
The Privacy Policy promises rights and a breach response — the organisation must actually deliver both. Stand up a monitored inbox or form for Section 23 access requests, Section 24 correction and deletion requests, and Section 11(3) objections to processing, with identity-verification procedures and a documented 30-day response SLA (the Regulator's working benchmark). Build an incident response plan that detects a security compromise, contains it, assesses scope, documents the facts, and notifies the Information Regulator and affected data subjects "as soon as reasonably possible" as required by Section 22 (the Regulator uses a 72-hour working benchmark). Rehearse the breach runbook annually; a plan that has never been tested fails in the first real incident.
Integrate the PAIA Section 51 manual and operator agreements
POPIA and the Promotion of Access to Information Act 2 of 2000 work together. Every private body must maintain a Section 51 PAIA manual describing the records held, the categories of data subjects, and the procedure for access requests — publish it on the website and submit it to the Information Regulator. Under Sections 20-21 of POPIA, every third party that processes personal information on your behalf — cloud hosts, payroll bureaus, analytics providers, marketing platforms, customer support outsourcers — is an "operator" and must be bound by a written operator agreement addressing processing scope, confidentiality, security measures, breach notification, data return or destruction, and audit rights. Inventory every operator and close any gap where no such agreement is in place.
Frequently Asked Questions
A Privacy Policy is a public-facing legal document that explains how your organisation collects, uses, stores, shares, and protects personal information. Under POPIA, it fulfils the "openness" condition for lawful processing (Condition 6, Section 18) — which requires the responsible party to notify data subjects when their personal information is collected, informing them of the identity of the responsible party, the purpose of processing, whether the supply of information is voluntary or mandatory, the categories of recipients, and the data subject's rights. Additionally, ECTA Section 43 requires online businesses to have accessible privacy policies. While POPIA does not use the term "Privacy Policy," the notification and transparency requirements effectively mandate one. Failure to comply can result in enforcement notices from the Information Regulator, administrative fines of up to R10 million, criminal prosecution under Section 107 (imprisonment for up to 10 years for serious contraventions), and civil damages claims from affected data subjects under Section 99.
What You Get With This Template
- Drafted specifically for South African law — addresses all eight POPIA conditions for lawful processing with section-by-section compliance mapping
- Comprehensive coverage of data subject rights with clear, plain-language exercise procedures and response timelines
- Information Officer section with registration guidance for compliance with the Information Regulator's requirements
- Data breach notification provisions aligned with POPIA Section 22 — including notification content requirements, timeline obligations, and documentation procedures
- Cross-border data transfer disclosures with POPIA Section 72 safeguard assessments for common international service providers (Google, Microsoft, AWS)
- Retention period framework aligned with South African legislation — Tax Administration Act (5 years), BCEA (3 years), Prescription Act (3 years), and FICA (5 years)
- ECTA and PAIA integration — addressing online transparency requirements and the relationship between the Privacy Policy and the PAIA manual
- Customisable template with clearly marked fields for organisation-specific details, processing purposes, third-party recipients, and Information Officer contact details