Personal Information (POPIA)
Also known as: Personal Data, PI, PII.
What is Personal Information?
Personal information, under section 1 of POPIA, is information relating to an identifiable, living natural person and, where applicable, to an identifiable, existing juristic person. It includes identifiers, contact details, biometric data, financial history, opinions, employment information and online identifiers. A special-personal-information subset under section 26 receives heightened protection.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
Definition and context
Section 1 of the Protection of Personal Information Act 4 of 2013 defines personal information as information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person — a definition broader than the GDPR, which covers natural persons only. The section lists a non-exhaustive set of examples: race, gender, marital status, national origin, age, language, education, medical, financial, criminal or employment history; identifying numbers, symbols, email addresses, physical addresses, telephone numbers, location information, online identifiers; biometric information; personal opinions, views or preferences; correspondence that is implicitly or explicitly private; the views or opinions of another individual about the person; and the name of the person if it appears with other personal information or if disclosure of the name itself would reveal information about the person.
Section 26 carves out a more sensitive category — "special personal information" — consisting of religious or philosophical beliefs, race or ethnic origin, trade-union membership, political persuasion, health or sex life, biometric information, and criminal behaviour. Processing of special personal information is prohibited unless one of the section 27 exemptions applies (consent, establishment or defence of a right in law, public interest, research, or specific statutory authority). Section 34 adds extra protection for information concerning children, requiring parental or guardian consent under section 35.
Drafting implication: a privacy notice and operator agreement must identify the categories of personal information processed, flag any special personal information or children\'s information, and align the lawful basis with the correct Chapter 3 condition. The SALRC\'s 2019 POPIA Commentary and the Information Regulator\'s Enforcement Notices (e.g. Department of Justice, July 2023) consistently emphasise that the starting point of compliance is correct classification of the information being processed.
Where this term lives in law
Protection of Personal Information Act 4 of 2013
Sections: 1, 11, 26, 27, 34, 35
Regulates the processing of personal information by public and private bodies in South Africa.
Frequently asked questions
What counts as personal information under POPIA?
Any information relating to an identifiable, living natural person or existing juristic person — including names, ID numbers, contact details, biometric information, online identifiers, financial history, opinions, and any data that on its own or combined with other data could identify the person.
Does POPIA protect information about companies?
Yes — uniquely among major data-protection laws. POPIA's definition of personal information covers identifiable, existing juristic persons. However, the eight conditions are applied with appropriate modification, and many rights (e.g. access under section 23) work differently for juristic persons.
What is special personal information under POPIA?
Section 26 categorises information about religious or philosophical beliefs, race or ethnic origin, trade-union membership, political persuasion, health, sex life, biometric data, and criminal behaviour as special personal information. Its processing is prohibited unless a section 27 exemption applies.
Is an email address personal information?
Yes. Section 1 expressly lists email addresses as an example of personal information. Even work email addresses that identify an individual are personal information — a point the Information Regulator emphasised in its 2023 direct-marketing guidance.
Contract templates using this term
3 templates reference Personal Information (POPIA).