Data Protection & POPIA

Responsible Party (POPIA)

Also known as: Data Controller, Controller.

Quick answer

What is Responsible Party?

A responsible party, under section 1 of POPIA, is the public or private body that, alone or with others, determines the purpose and means of processing personal information. It is equivalent to the GDPR "controller" and carries primary statutory liability for POPIA compliance, including the eight conditions for lawful processing in Chapter 3.

Drafted and reviewed by

Martin Kotze

Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)

Definition and context

Section 1 of the Protection of Personal Information Act 4 of 2013 defines a responsible party as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. The "purpose and means" test mirrors the controller concept under the EU GDPR and is the single most important status determination in POPIA compliance — the responsible party bears primary statutory liability for the eight conditions in Chapter 3.

Under section 8, the responsible party must ensure the conditions for lawful processing are given effect, even when processing is outsourced to an operator. Sections 19 to 22 place specific duties on the responsible party: implement appropriate technical and organisational security measures, conclude a written contract with every operator, notify the Information Regulator and data subjects of security compromises, and respond to data-subject access requests under section 23. The Information Regulator's enforcement notices and administrative fines (up to R10 million under section 109) are directed at the responsible party.

In drafting, care must be taken where two or more parties jointly determine purpose and means — for example a franchisor and franchisee, or an insurer and broker. They become joint responsible parties and must regulate responsibility between them contractually. A party that processes information only on the instructions of another is an operator, not a responsible party, and its contractual obligations are governed by section 21.

Statutory basis

Where this term lives in law

POPIA

Protection of Personal Information Act 4 of 2013

Sections: 1, 8, 19, 20, 21, 22, 23, 109

Regulates the processing of personal information by public and private bodies in South Africa.

Common Questions

Frequently asked questions

What is a responsible party under POPIA?

Section 1 of POPIA defines it as a public or private body or person that, alone or with others, determines the purpose and means of processing personal information. It is the South African equivalent of the GDPR controller and carries primary compliance liability.

Can there be more than one responsible party for the same processing?

Yes. Where two or more bodies jointly determine purpose and means, they are joint responsible parties and each is liable for POPIA compliance. A joint-controller-style agreement should allocate responsibilities between them.

Is the responsible party liable if the operator causes a breach?

Yes. Section 19 places primary security and compliance duties on the responsible party and section 21 requires it to contractually impose security duties on the operator. The responsible party remains accountable to the Information Regulator and to data subjects.

What fines can a responsible party face?

Section 109 of POPIA allows administrative fines of up to R10 million, plus criminal sanctions of up to 10 years imprisonment for serious offences under sections 100 to 106. Civil damages under section 99 are also available to data subjects.

Where it appears

Contract templates using this term

6 templates reference Responsible Party (POPIA).