Privacy Policy vs POPIA Data Protection Policy
The external-facing privacy notice vs the internal compliance playbook required by POPIA
Privacy Policy vs POPIA Data Protection Policy — what's the difference?
A Privacy Policy is the external-facing notice to data subjects required by POPIA section 18 — it explains what personal information is collected and why. A POPIA Data Protection Policy is the internal compliance playbook required by Condition 7 (s.19-22) and s.55 — the operational controls, roles, and procedures the organisation follows.
Drafted and reviewed by
Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)
The two options at a glance
Privacy Policy (external)
POPIA s.18
A Privacy Policy is the public-facing notice published on a website, app, or at the point of collection that discharges the responsible party's POPIA section 18 duty to notify data subjects. It must state the purpose of collection, whether supply is voluntary or mandatory, the consequences of failing to supply the information, any law authorising or requiring collection, the recipients or categories of recipients, whether the information will be transferred across borders (and the level of protection in the destination country), and the data subject's rights: access and correction or deletion under sections 23-24, objection under section 11(3), and complaint to the Information Regulator. Where direct marketing is involved, POPIA s.69 (and CPA s.11, the consumer's right to restrict unwanted direct marketing) impose additional opt-in or opt-out requirements.
When to use
Use as the primary public-facing document on any website that collects personal information, in mobile apps, at point-of-sale collection, in employment onboarding where employees are data subjects, and on any form that captures personal information — the notice must be given at or before collection.
POPIA Data Protection Policy (internal)
POPIA Condition 7 + s.55
A POPIA Data Protection Policy is the internal compliance playbook discharging the responsible party's Condition 7 (security safeguards, s.19-22) and s.55 (Information Officer) obligations. It documents the risk-assessment process, the technical and organisational measures deployed (access controls, encryption, backups, logging), the incident-response procedure, the sub-processor / operator management regime under s.21, training requirements, retention schedules under Condition 3 (s.14), cross-border transfer rules under s.72, data subject request procedures, and the governance structure. The Information Officer appointed under s.55 is responsible for implementing and maintaining the policy. It is an internal document, not published, and should be reviewed at least annually.
When to use
Use as the foundational internal document for every organisation processing personal information. Mandatory in substance for all responsible parties, and specifically demanded by the Information Regulator on audit under s.89. Small organisations may have a single short policy; large organisations typically break it into component policies (security, incident response, retention, training, third-party management).
Summary
South African POPIA compliance requires two distinct documents that are frequently confused. The external Privacy Policy discharges the section 18 notification obligation: at or before collection, the data subject must be told the responsible party's identity, the purpose of collection, whether the information is mandatory, the consequences of not supplying it, any law authorising collection, the recipients, cross-border transfer, and the data subject's rights under sections 23-25. The internal Data Protection Policy discharges Condition 7 (security safeguards under s.19-22): risk assessment, access controls, incident response, sub-processor management, operator agreements under s.21, training, and the Information Officer's role under s.55. Cross-border transfers are governed by s.72. Condition 6 (openness, s.17-18) connects the two: s.17 requires the responsible party to document its processing operations, and s.18 requires it to notify data subjects. Publishing only a privacy policy without an internal data-protection playbook is a common compliance failure; the Information Regulator can issue enforcement notices under s.95 and impose administrative fines of up to R10 million under s.109.
Privacy Policy vs POPIA Data Protection Policy
How the external notice and the internal playbook map to POPIA's eight conditions.
| Aspect | Privacy Policy (external) | POPIA Data Protection Policy (internal) |
|---|---|---|
| Primary purpose | Notice to data subjects | Internal compliance playbook |
| POPIA anchor | Section 18 (Condition 6 — openness) | Conditions 1-8; specifically s.19-22 and s.55 |
| Audience | Public / data subjects | Staff, Information Officer, Regulator on audit |
| Typical location | Website footer, app settings, point-of-collection form | Intranet, policy register, compliance file |
| Core content | Purpose, categories, rights, contacts, cross-border | Risk assessment, controls, IR, training, operators |
| Information Officer role | Named as contact | Owns the policy; accountable under s.55(1) |
| Updated when | Material change in processing | Annually or on material operational change |
| Legal status if missing | Breach of s.18 — s.95 enforcement | Breach of Condition 7 — s.95 enforcement |
| Cross-border (s.72) | Must disclose transfer | Must govern transfer mechanism + DPA |
| Operator obligations (s.21) | Disclose operator categories | Require written operator agreement |
| Direct marketing (s.69) | Must disclose + opt-in/opt-out | Must operate consent register |
| Regulator enforcement | s.95 compliance notice; s.109 fine | s.95 compliance notice; s.109 fine |
What you need to know
The eight POPIA conditions and which document they sit in
POPIA structures all lawful processing around eight conditions in Chapter 3. Condition 1 (Accountability, s.8) requires the responsible party to ensure the other conditions are complied with; this is the governance hook that justifies the internal data protection policy. Condition 2 (Processing Limitation, s.9-12) requires lawful, minimal processing resting on one of the s.11 justifications (consent, contract, legal obligation, protection of a legitimate interest of the data subject, a public-law duty, or the legitimate interests of the responsible party or a third party); the privacy policy tells data subjects the purpose, and the internal policy defines which justification applies to each processing operation and how consent, where relied on, is captured and tracked. Condition 3 (Purpose Specification, s.13-14) limits retention: the external policy discloses retention periods, and the internal policy operationalises deletion.
Condition 4 (Further Processing Limitation, s.15) restricts secondary use: internal procedures check compatibility, and external notices describe it. Condition 5 (Information Quality, s.16) requires accuracy and is operational in nature, so it sits mostly in the internal policy. Condition 6 (Openness, s.17-18) is where the external privacy policy lives: s.17 requires documented processing, s.18 requires notification to data subjects. Condition 7 (Security Safeguards, s.19-22) is the internal policy's core: s.19 mandates appropriate, reasonable technical and organisational measures; s.20 binds operators and persons acting under the responsible party's authority to process only with its knowledge or authorisation and to keep the information confidential; s.21 mandates a written operator agreement and requires the operator to notify the responsible party of any security compromise; s.22 requires notification of security compromises to the Regulator and data subjects. Condition 8 (Data Subject Participation, s.23-25) gives data subjects access, correction, and deletion rights; the external policy describes them, and the internal policy operationalises the response procedure.
Section 55 appoints the Information Officer (by default the CEO or head of the organisation, or a designated person) with duties under s.55(1) to encourage compliance, handle requests, work with the Regulator, and develop a compliance framework. The Information Officer must also be registered with the Information Regulator on the prescribed form.
What must the external privacy policy contain?
Section 18(1) lists the mandatory elements: (a) the information being collected and, where it is not collected from the data subject, the source; (b) the name and address of the responsible party; (c) the purpose of collection; (d) whether supply is voluntary or mandatory; (e) the consequences of failing to supply it; (f) any particular law authorising or requiring collection; (g) the fact of any intended transfer to a third country or international organisation and the level of protection afforded there; and (h) any further information necessary for reasonable processing, such as the recipients or categories of recipients, the nature or category of the information, the existence of the rights of access and rectification (s.23-24), the right to object under s.11(3), and the right to lodge a complaint with the Information Regulator together with the Regulator's contact details.
In practice, South African privacy policies must also align with PAIA section 51 (the manual), CPA section 11 (the right to restrict direct marketing), and the electronic-communications overlay in the ECTA. A well-drafted privacy policy includes: a definitions section tracking POPIA's language; a processing matrix (data category / purpose / legal basis / retention); cross-border transfer disclosures with s.72 justification; cookie and tracking disclosures, plus the unsolicited-commercial-communication rules in ECTA s.45; a direct-marketing opt-in mechanism (s.69); a data subject request channel (typically a named Information Officer email); and Regulator complaint information.
Common drafting failures: (a) blanket consent clauses that do not specify the purpose; (b) generic "we may share with partners" disclosures that do not identify categories; (c) missing cross-border sections; (d) failure to match the retention claims to internal practice; (e) missing s.72 adequacy analysis for cross-border transfers to non-adequate jurisdictions.
What must the internal data protection policy contain?
The internal policy discharges Condition 7 and s.55 and is expected to cover: (a) scope and definitions; (b) governance and roles (Information Officer, deputy Information Officers under s.56, data-protection committee if applicable); (c) risk assessment methodology and output (s.19(2) requires identification of all reasonably foreseeable internal and external risks); (d) technical safeguards (access control, encryption at rest and in transit, network segmentation, logging and monitoring, backup and recovery); (e) organisational safeguards (clear-desk, acceptable use, role-based access, joiner/mover/leaver procedures); (f) third-party and operator management (s.21 written agreements with sub-processors, due-diligence checklist, audit rights); (g) cross-border transfer framework (s.72 adequacy, binding corporate rules, standard contractual clauses, data subject consent); (h) incident response (s.22: detection, containment, and notification to the Regulator and affected data subjects as soon as reasonably possible once there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person); (i) data subject request procedure (acknowledgement, identity verification, and processing within the applicable statutory time limits); (j) retention and destruction (s.14 schedules by category); (k) training and awareness (annual staff training, role-specific for the Information Officer and processors); (l) monitoring and audit (regular internal review, remediation tracking, annual management report).
A mature organisation also maintains a Record of Processing Activities under s.17 (the GDPR term is used here for the s.17 processing documentation), which is the primary document the Regulator requests on audit. The internal policy should cross-refer to the RoPA, the privacy policy, operator agreements, and the PAIA manual. Without an internal policy the responsible party cannot demonstrate accountability under Condition 1, and administrative fines under s.109 (up to R10 million) and criminal penalties under s.107 for enumerated offences become difficult to defend.
The privacy policy faces outward — it tells data subjects what you do. The data protection policy faces inward — it tells your team how to do it. POPIA requires both.
The statutes involved
Protection of Personal Information Act 4 of 2013
Regulates the processing of personal information by public and private bodies in South Africa.
Electronic Communications and Transactions Act 25 of 2002
Governs electronic transactions, digital signatures, and e-commerce in South Africa.
Consumer Protection Act 68 of 2008
Protects consumer rights in transactions for goods and services within South Africa.
Frequently asked questions
Do I need both a privacy policy and a data protection policy?
Yes. They serve different POPIA obligations. The privacy policy is the external notification required by s.18 — if you collect personal information from data subjects (employees, customers, visitors), you must tell them in substance what is in s.18(1). The data protection policy is the internal compliance framework required by Condition 7 (s.19-22) and s.55 — it governs how your organisation actually protects personal information day-to-day. Publishing only a privacy policy without an internal playbook is a common failure pattern: on audit, the Information Regulator asks for the internal policy, the risk assessment, operator agreements, training records, and the incident-response procedure. If the only document available is the public-facing notice, Condition 7 is breached and enforcement under s.95 follows. For a small organisation the two documents can be short — but they must exist as distinct artifacts with distinct audiences.
What are the maximum penalties for a POPIA breach?
Under s.109 of POPIA the Information Regulator may impose administrative fines of up to R10 million for offences under the Act; in practice the usual route is an enforcement notice under s.95, failure to comply with which is itself an offence under s.103(1). Criminal penalties under s.107 are a fine or imprisonment of up to 12 months for the lesser offences and up to 10 years for the more serious ones, including obstruction of the Regulator (s.100), failure to comply with an enforcement notice (s.103(1)), and the account-number offences (s.105-106). In addition, data subjects may bring civil actions under s.99 for damages, including aggravated damages, whether or not the responsible party acted intentionally or negligently. In practice, the first-order exposure for most organisations is the reputational damage and class-action risk attending a publicly notified security compromise under s.22; the fine is the headline but rarely the largest financial impact.
When must I notify the Information Regulator of a data breach?
Section 22 requires notification "as soon as reasonably possible" after the responsible party has reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. The notification must go to both the Information Regulator and the affected data subjects (unless their identity cannot be established). The Regulator's current guidance is that notification should normally occur within 72 hours of establishing reasonable grounds, which aligns with GDPR practice. The notification must include a description of the possible consequences, the measures the responsible party intends to take, what the data subject can do to mitigate the effects, and the identity of the unauthorised person where known. Section 22(3) allows notification to be delayed only to the extent required by the legitimate needs of law enforcement, or by measures reasonably necessary to determine the scope of the compromise and restore the integrity of the system; once those needs are met, notification cannot be withheld further. The internal data protection policy must prescribe a detection-to-notification workflow, with clear ownership and a documented timeline, to meet this standard.
Can I transfer personal information outside South Africa?
Yes, but only if s.72 is satisfied. The responsible party may transfer personal information to a third party in a foreign country if one of the following applies: (a) the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection substantially similar to POPIA, including restrictions on onward transfer; (b) the data subject consents to the transfer; (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for pre-contractual measures taken at the data subject's request; (d) the transfer is necessary for a contract concluded in the interest of the data subject between the responsible party and a third party; or (e) the transfer is for the benefit of the data subject, it is not reasonably practicable to obtain consent, and the data subject would be likely to give it. Most multinational organisations rely on (a), with binding corporate rules or standard contractual clauses flowed down back-to-back to their operators. The internal data protection policy should contain a cross-border transfer register documenting each transfer, the legal basis, the recipient jurisdiction, and the safeguards relied on. The external privacy policy must disclose the existence of cross-border transfers and the level of protection in the destination under s.18(1)(g).
Who is the Information Officer and what do they do?
Section 55 designates the Information Officer as the person responsible for ensuring the responsible party's compliance with POPIA. For a juristic person the default is the head of the organisation (CEO) unless another person is designated in writing. The Information Officer's duties under s.55(1) include: encouraging compliance with the conditions for lawful processing; dealing with requests made to the responsible party; working with the Information Regulator on investigations; otherwise ensuring compliance; and developing a compliance framework, performing personal-information-impact assessments, developing a PAIA manual, and ensuring internal awareness. The Information Officer must be registered with the Information Regulator on the prescribed form. Deputy Information Officers under s.56 may be designated to share the load. Critically, the Information Officer's authority and resources must be adequate — appointing the CEO but giving them no compliance team is a governance failure.
Is a generic online privacy policy template compliant with POPIA?
Usually not, for two reasons. First, generic templates are often based on GDPR or US state-law models and do not track POPIA's language: references to "data controller", "data processor", or "opt-out of sale" do not map cleanly onto POPIA's responsible-party / operator / purpose-specification framework, and GDPR-style "lawful basis" language needs to be restated in terms of the s.11 justifications. Second, a compliant privacy policy requires organisation-specific content: the actual purposes of processing, the actual recipients, the actual retention periods, the actual cross-border transfers, and the actual data subject channels. A template that is not populated with your organisation's real processing is not a s.18 notification; it is fiction. Best practice is to start from a POPIA-specific template, complete a Record of Processing Activities under s.17, and tailor the policy to reflect that record. The Information Regulator has publicly criticised cut-and-paste privacy policies during audits.