{"id":335,"date":"2021-08-30T12:11:27","date_gmt":"2021-08-30T10:11:27","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=13099"},"modified":"2025-06-26T12:09:07","modified_gmt":"2025-06-26T10:09:07","slug":"popia-vs-gdpr","status":"publish","type":"knowledge","link":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/","title":{"rendered":"POPIA vs GDPR: an overview"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-introduction\">Introduction<\/h2>\n\n\n<p><span style=\"font-weight: 400\">South Africa\u2019s Protection of Personal Information Act (POPIA) received Presidential assent in November of 2013. However, commencement of various sections coming into effect has been staggered over a number of years. Operations and activities to administrate POPIA had been limited until July 1st, 2020, the date the President announced when key remaining sections would go into effect. Organizations then had 12 months from that date to enact POPIA compliance requirements, and enforcement began as of July 1st, 2021.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">References to the act sometimes use POPI, or POPI Act, but the South African government and regulators have expressed a preference for use of POPIA, as POPI refers to the topic of protection of personal information generally, and not to the actual legal framework.<\/span><\/p>\n\n<p><span style=\"font-weight: 400\">So, what is POPIA compliance, and how does it compare to <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devgdpr\/\"><span style=\"font-weight: 400\">GDPR compliance<\/span><\/a><span style=\"font-weight: 400\">? Though older, POPIA has gotten less attention in the data privacy industry than the European Union\u2019s General Data Protection Regulation (GDPR).
The GDPR was enacted in 2016, with enforcement beginning in May 2018.<\/span><\/p>\n<p><span style=\"font-weight: 400\">POPIA regulations, as well as the GDPR, use an \u201copt in\u201d model where consent collection is concerned, which is shared by other international regulations like Brazil\u2019s Lei Geral de Prote\u00e7\u00e3o de Dados Pessoais (<\/span><a href=\"https:\/\/usercentrics-poc.psapp.devlgpd\/\"><span style=\"font-weight: 400\">LGPD<\/span><\/a><span style=\"font-weight: 400\">). This model requires the consent of the data subject before any data is collected, shared or sold.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Read on to learn more about POPIA and the GDPR\u2019s similarities and differences regarding:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Who is responsible for protecting and processing personal data?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data subject rights<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data subject requests and responses<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Where are POPIA and the GDPR applicable?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Legal bases<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data subject consent<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Who oversees POPIA and GDPR compliance?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What data subjects are covered by POPIA and the GDPR?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">What kinds of personal data are protected?<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">\u201cSensitive\u201d or \u201cspecial\u201d categories of personal data<\/span><\/li>\n<li style=\"font-weight: 400\"><span 
style=\"font-weight: 400\">Data subjects who are children<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">De-identification and anonymization of data<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Requirements, restrictions, exemptions and prohibitions for data processing<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data transfer<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Data security and data breaches<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Penalties\u00a0\u00a0<\/span><\/li>\n<\/ul>\n\n<h2><span style=\"font-weight: 400\">Who is responsible for protecting and processing personal data?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">POPIA defines a \u201cresponsible party\u201d in <\/span><a href=\"https:\/\/popia.co.za\/section-1-definitions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 1<\/span><\/a><span style=\"font-weight: 400\"> as \u201c<\/span><em><span style=\"font-weight: 400\">a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for <\/span><\/em><em><span style=\"font-weight: 400\">processing personal information<\/span><\/em><i><span style=\"font-weight: 400\">\u201d.\u00a0<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400\">This is comparable to a \u201cdata controller\u201d in the GDPR\u2019s <\/span><a href=\"https:\/\/gdpr.eu\/article-4-definitions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art.
4(7)<\/span><\/a><span style=\"font-weight: 400\">, defined as <\/span><em><span style=\"font-weight: 400\">\u201c<\/span><span style=\"font-weight: 400\">the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data<\/span><span style=\"font-weight: 400\">\u201d<\/span><\/em><i><span style=\"font-weight: 400\">.<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400\">Also in Section 1, POPIA defines an \u201coperator\u201d as <em>\u201c<\/em><\/span><em><span style=\"font-weight: 400\">a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party<\/span><\/em><span style=\"font-weight: 400\">\u201d<\/span><i><span style=\"font-weight: 400\">.<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400\">Whereas in the GDPR, also in Art. 4, the comparable entity is a \u201cprocessor\u201d, defined as <\/span><em><span style=\"font-weight: 400\">\u201c<\/span><span style=\"font-weight: 400\">a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller<\/span><span style=\"font-weight: 400\">\u201d<\/span><\/em><i><span style=\"font-weight: 400\">.<\/span><\/i><\/p>\n\n<h2 class=\"wp-block-heading\" id=\"h-data-subject-rights\">Data subject rights <\/h2>\n\n\n<p><span style=\"font-weight: 400\">A cornerstone of privacy regulations is the rights they give to individuals over their own data. Under POPIA, data subject rights are outlined in <\/span><a href=\"https:\/\/popia.co.za\/section-5-rights-of-data-subjects\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 5<\/span><\/a><span style=\"font-weight: 400\">.
These include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The right to be notified that personal information is\/has been collected<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The right to be informed if a processor holds personal information of the data subject, and to request access to it<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">The right to request correction, destruction, or deletion of personal information of the data subject<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">To object to\/withdraw consent for the processing of personal information, in whole or for specific purposes<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">To not be subject to decisions made by automated processing of personal information that\u2019s intended to provide a profile of the data subject<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">To submit a complaint to the regulator regarding \u201calleged interference\u201d of data subject rights<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">To initiate civil proceedings regarding \u201calleged interference\u201d<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Neither the GDPR nor POPIA regulations specify a right to not be subject to discrimination when exercising the other rights. 
This right is present in <\/span><a href=\"https:\/\/usercentrics-poc.psapp.devknowledge-hub\/california-consumer-privacy-act\/\"><span style=\"font-weight: 400\">California\u2019s privacy laws<\/span><\/a><span style=\"font-weight: 400\">, for example.<\/span><\/p>\n\n<p><span style=\"font-weight: 400\">In the GDPR, data subject rights are outlined in <\/span><a href=\"https:\/\/gdpr.eu\/tag\/chapter-3\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Chapter 3<\/span><\/a><span style=\"font-weight: 400\">, Art. 12-23. It provides a list of information that the controller must record in <\/span><a href=\"https:\/\/gdpr.eu\/article-15-right-of-access\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 15<\/span><\/a><span style=\"font-weight: 400\">, pertaining to the right to be informed, which POPIA does not provide. This includes:<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(a)<\/strong> Name and contact details of the data controller;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(b)<\/strong> Purposes of the processing;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(c)<\/strong> The categories of personal data;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(d)<\/strong> The categories of recipients, or the recipients, to whom the personal data will be disclosed;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(e)<\/strong> The estimated period for which the data will be stored; and<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(f)<\/strong> A description of measures (technical, security, organization) adopted by the controller<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR provides data subjects with a right to data portability, which POPIA does not. Data portability refers to the ability to obtain and reuse one\u2019s personal data for one\u2019s own purposes, across different services.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR specifies that data subjects be provided with information on how to exercise their right to object to data processing, though POPIA does not.
The GDPR also provides exceptions to its right to erasure, aka \u201cright to be forgotten\u201d, which POPIA does not. These exceptions include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Freedom of expression and information<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Compliance with public interest purposes for public health<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Establishing, exercising, or defending legal claims, or<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Compliance with legal obligations for the purposes of public interest<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">Under <\/span><a href=\"https:\/\/gdpr.eu\/article-30-records-of-processing-activities\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 30<\/span><\/a><span style=\"font-weight: 400\">, the GDPR also exempts companies with fewer than 250 employees from certain record-keeping (an exemption POPIA does not offer), unless the data processing is <\/span><i><span style=\"font-weight: 400\">\u201clikely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10\u201d.<\/span><\/i><\/p>\n<h2><span style=\"font-weight: 400\">Data subject requests and responses<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Under POPIA, access to the data subject\u2019s requested information must be provided:<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(i)<\/strong> within a reasonable time;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(ii)<\/strong> at a prescribed fee, if any;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(iii)<\/strong> in a reasonable manner and format;
and<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(iv)<\/strong> in a form that is generally understandable<\/span><\/p>\n<p><span style=\"font-weight: 400\">There is a fair bit of leeway for interpretation of those requirements. Under the GDPR, though, action by the processor, such as correction, deletion, or providing a copy of personal data, must be provided free of charge unless the requests are \u201dmanifestly unfounded or excessive\u201d, which can be difficult for the processor to prove. Under both laws, processors are allowed to require verification of identity from the data subject making a request (<\/span><a href=\"https:\/\/popia.co.za\/section-23-access-to-personal-information\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 23<\/span><\/a><span style=\"font-weight: 400\"> of POPIA, <\/span><a href=\"https:\/\/gdpr.eu\/recital-64-identity-verification\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Recital 64<\/span><\/a><span style=\"font-weight: 400\"> of the GDPR).<\/span><\/p>\n<p><span style=\"font-weight: 400\">In <\/span><a href=\"https:\/\/popia.co.za\/section-24-correction-of-personal-information\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 24<\/span><\/a><span style=\"font-weight: 400\"> of POPIA, corrections or deletions of personal data must be done as soon as \u201creasonably practicable\u201d. It does not provide for correction or deletion of publicly available personal information, however. Under the GDPR, the processor has one month to respond to the data subject, ideally by completing the request, though under certain circumstances an extension of the time needed can be requested, up to two months.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Both laws also outline that information or personal data requested must be supplied in an accessible format (likely digital or possibly paper). 
Requests for information or copies of personal data can be made orally, digitally, or in writing per the GDPR. POPIA only notes that requests be made in the \u201cprescribed manner\u201d.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Where are POPIA and the GDPR applicable?<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Outlined under <\/span><a href=\"https:\/\/popia.co.za\/section-3-application-and-interpretation-of-act\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 3<\/span><\/a><span style=\"font-weight: 400\">, POPIA applies to any \u201cresponsible party\u201d that is:<\/span><\/p>\n<ol>\n<li><em><span style=\"font-weight: 400\">domiciled in the Republic; or<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.<\/span><\/em><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400\">The Republic here means South Africa specifically. Relevant personal data processed by the \u201cresponsible party\u201d is:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\">\u201centered in a record by or for a responsible party by making use of automated or non-automated means: Provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof\u201d<\/span><span style=\"font-weight: 400\">.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">This would cover data collection and processing online or in physical formats. The use of automated or non-automated means is excluded only where those means are used solely to forward personal information through South Africa.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR protects the rights of European Union residents, so it applies to organizations \u201cestablished\u201d in the EU and outside of the EU.
This could be companies based there, or companies that are based elsewhere, but that process the data of EU residents. This is referred to as \u201cextraterritorial scope\u201d. Per <\/span><a href=\"https:\/\/gdpr.eu\/article-3-requirements-of-handling-personal-data-of-subjects-in-the-union\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 3<\/span><\/a><span style=\"font-weight: 400\">, this includes: <\/span><em><span style=\"font-weight: 400\">\u201c<\/span><span style=\"font-weight: 400\">offering goods or services, irrespective of whether a payment of the data subject is required<\/span><span style=\"font-weight: 400\">\u201d<\/span><\/em><span style=\"font-weight: 400\">, but also <\/span><em><span style=\"font-weight: 400\">\u201cthe monitoring of [data subjects\u2019] behaviour as far as their behaviour takes place within the Union\u201d<\/span><\/em><i><span style=\"font-weight: 400\">.<\/span><\/i><span style=\"font-weight: 400\"> So really, anything from collecting data on website visitor behavior, to processing ecommerce transactions, to recording newsletter signups could be relevant. It would also apply to both physical and digital data collection and processing.<\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-legal-bases\">Legal bases<\/h2>\n\n\n<p><span style=\"font-weight: 400\">A legal basis defines legal grounds for processing personal data. Further detail is provided regarding processing data classified as \u201csensitive\u201d, what the conditions are for valid consent, its provision and withdrawal, and certain other exemptions.<\/span><\/p>\n<p><a href=\"https:\/\/popia.co.za\/protection-of-personal-information-act-popia\/chapter-3-2\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Chapter 3<\/span><\/a><span style=\"font-weight: 400\"> of POPIA covers Conditions for Lawful Processing. 
<\/span><a href=\"https:\/\/popia.co.za\/section-11-consent-justification-and-objection\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 11<\/span><\/a><span style=\"font-weight: 400\"> establishes that personal information may only be processed if:<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(a)<\/strong> the data subject or a competent person where the data subject is a child consents to the processing;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(b)<\/strong> processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(c)<\/strong> processing complies with an obligation imposed by law on the responsible party;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(d)<\/strong> processing protects a legitimate interest of the data subject;<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(e)<\/strong> processing is necessary for the proper performance of a public law duty by a public body; or<\/span><\/p>\n<p><span style=\"font-weight: 400\"><strong>(f)<\/strong> processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR\u2019s legal bases are listed in <\/span><a href=\"https:\/\/gdpr.eu\/article-6-how-to-process-personal-data-legally\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 6<\/span><\/a><span style=\"font-weight: 400\"> and are very similar, with slight variances in wording though no substantive difference in intent. Both regulations have specific legal grounds regarding processing of special categories of data or \u201cspecial personal information\u201d, such as the requirement for explicit consent. In POPIA these are outlined in Sections 27-33. 
In the GDPR, Articles 7-9 cover these conditions.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Data subject consent<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Consent for data processing is probably the most common legal basis affecting consumers online. <\/span><span style=\"font-weight: 400\">Both POPIA and the GDPR include specifications regarding who can provide consent, the conditions under which consent can be obtained, and how it can be withdrawn by the data subject.<\/span><\/p>\n<p><span style=\"font-weight: 400\">POPIA defines consent in Section 1 as <em>\u201c<\/em><\/span><em><span style=\"font-weight: 400\">any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information\u201d<\/span><\/em><i><span style=\"font-weight: 400\">.<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400\">Under the GDPR\u2019s <\/span><a href=\"https:\/\/gdpr.eu\/article-4-definitions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 
4<\/span><\/a><span style=\"font-weight: 400\">, the definition of consent is a little more detailed: <\/span><em><span style=\"font-weight: 400\">\u201cany freely given, specific, informed and unambiguous indication of the data subject\u2019s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her\u201d<\/span><\/em><span style=\"font-weight: 400\">.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Who oversees POPIA and GDPR compliance?<\/span><\/h2>\n<p><a href=\"https:\/\/popia.co.za\/section-17-documentation\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 17<\/span><\/a><span style=\"font-weight: 400\"> of POPIA requires a responsible party to <\/span><em><span style=\"font-weight: 400\">\u201cmaintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act\u201d<\/span><\/em><i><span style=\"font-weight: 400\">. <\/span><\/i><span style=\"font-weight: 400\">POPIA does not explicitly require that<\/span> <span style=\"font-weight: 400\">a representative be based within South Africa.\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/popia.co.za\/section-39-establishment-of-information-regulator\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 39<\/span><\/a><span style=\"font-weight: 400\"> outlines the establishment of a juristic person as an Information Regulator. 
This role would be more comparable to country-level regulators in the EU than to a company-level Data Protection Officer.<\/span><\/p>\n<p><span style=\"font-weight: 400\">POPIA outlines the Information Regulator\u2019s mandate as follows:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> has jurisdiction throughout the Republic;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(d)<\/strong> is accountable to the National Assembly.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">In Section 1 POPIA also defines an \u201cinformation officer\u201d as \u201cof, or in relation to:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;\u00a0<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">The information officer role would be closer to that of the Data Protection Officer (DPO) in the GDPR, with the difference that the scope of an \u201cinformation officer\u201d may be considered to be less expansive than a DPO. 
The requirements and responsibilities of an &#8220;information officer&#8221; are detailed in the <\/span><a href=\"https:\/\/www.gov.za\/documents\/promotion-access-information-act\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Promotion of Access to Information Act (PAIA)<\/span><\/a><span style=\"font-weight: 400\"> (Act 2 of 2000) and the POPIA regulations (<\/span><a href=\"https:\/\/popia.co.za\/section-55-duties-and-responsibilities-of-information-officer\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 55<\/span><\/a><span style=\"font-weight: 400\">), which include (but aren\u2019t limited to):\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">the encouragement of compliance\u00a0<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">dealing with requests<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">working with the Information Regulator in relation to investigations<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">otherwise ensuring compliance\u00a0\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">The GDPR is fairly detailed regarding representation, requiring a designated \u201crepresentative\u201d in the EU in <\/span><a href=\"https:\/\/gdpr.eu\/article-27-representatives-of-controllers-not-in-union\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 
27<\/span><\/a><span style=\"font-weight: 400\"> and <\/span><a href=\"https:\/\/gdpr.eu\/recital-80-designation-of-a-representative\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Recital 80<\/span><\/a><span style=\"font-weight: 400\">, and more explicitly the designation of a Data Protection Officer in <\/span><a href=\"https:\/\/gdpr.eu\/article-37-designation-of-the-data-protection-officer\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 37<\/span><\/a><span style=\"font-weight: 400\">, applicable if:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and\/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.<\/span><\/em><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-data-subjects-are-covered-by-popia-and-the-gdpr\">What data subjects are covered by POPIA and the GDPR?<\/h2>\n\n\n<p><span style=\"font-weight: 400\">Also under Section 1 of POPIA, a \u201cdata subject\u201d refers to <\/span><em><span style=\"font-weight: 400\">\u201cthe person to whom personal information relates\u201d<\/span><\/em><i><span style=\"font-weight: 400\">. 
<\/span><\/i><span style=\"font-weight: 400\">Adding a bit more clarification, however, Section 1 also defines a \u201cperson\u201d as <\/span><em><span style=\"font-weight: 400\">\u201ca natural person or a juristic person\u201d<\/span><\/em><i><span style=\"font-weight: 400\">. <\/span><\/i><span style=\"font-weight: 400\">Natural persons are human beings, <\/span><span style=\"font-weight: 400\">whereas juristic persons refer to entities like corporations that are recognized to be able to enjoy, and be subject to, legal rights and duties. <\/span><span style=\"font-weight: 400\">POPIA does not explicitly include nationalities or places of residence of data subjects protected by it.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Art. 4 of the GDPR defines a \u201cdata subject\u201d as <em>\u201c<\/em><\/span><em><span style=\"font-weight: 400\">an identified or identifiable natural person\u201d<\/span><\/em><span style=\"font-weight: 400\">. It does not include further clarification on the definition of a person, though there are several definitions that include \u201cpersonal\u201d, such as \u201cpersonal data\u201d or \u201cpersonal data breach\u201d. <\/span><a href=\"https:\/\/gdpr.eu\/recital-14-not-applicable-to-legal-persons\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Recital 14<\/span><\/a><span style=\"font-weight: 400\"> also clarifies that data subjects should be protected <em>\u201c<\/em><\/span><em><span style=\"font-weight: 400\">whatever their nationality or place of residence, in relation to the processing of their personal data\u201d<\/span><\/em><i><span style=\"font-weight: 400\">. 
<\/span><\/i><span style=\"font-weight: 400\">That said, in the same way POPIA protects the rights of South African residents, the GDPR protects the rights of EU residents, and not, for example, United States residents.<\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-kinds-of-personal-data-are-protected\">What kinds of personal data are protected?<\/h2>\n\n\n<p><span style=\"font-weight: 400\">Section 1 of POPIA refers to \u201cpersonal information\u201d as <\/span><em><span style=\"font-weight: 400\">\u201crelating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person\u201d<\/span><\/em><span style=\"font-weight: 400\">. It further clarifies with inclusions (but not limited to):\u00a0<\/span><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin,<\/span><\/em><em><span style=\"font-weight: 400\">\u00a0colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> information relating to the education or the medical, financial, criminal or employment history of the person;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(d)<\/strong> the biometric information of the person;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(e)<\/strong> the personal opinions, views or preferences of the person;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(f)<\/strong> correspondence sent by the person that is 
implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(g)<\/strong> the views or opinions of another individual about the person; and<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(h)<\/strong> the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">The GDPR defines \u201cpersonal data\u201d in Art. 4 as:<\/span><\/p>\n<blockquote><p><em><span style=\"font-weight: 400\">\u201cany information relating to an identified or identifiable natural person (\u2018data subject\u2019); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;\u201d<\/span><\/em><\/p><\/blockquote>\n<h2><span style=\"font-weight: 400\">\u201cSensitive\u201d or \u201cspecial\u201d categories of personal data<\/span><\/h2>\n<p><span style=\"font-weight: 400\">POPIA defines sensitive personal information, which is given greater consideration than other categories of personal information, in <\/span><a href=\"https:\/\/popia.co.za\/section-26-prohibition-on-processing-of-special-personal-information\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 26<\/span><\/a><span style=\"font-weight: 400\">. 
Subject to the conditions of <\/span><a href=\"https:\/\/popia.co.za\/section-27-general-authorisation-concerning-special-personal-information\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 27<\/span><\/a><span style=\"font-weight: 400\">, which include complying with international law, or with explicit consent of the data subject, \u201cspecial personal information\u201d cannot be processed when it relates to:<\/span><\/p>\n<ol>\n<li><em><span style=\"font-weight: 400\">the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">the criminal behaviour of a data subject to the extent that such information relates to\u2014<\/span><\/em>\n<ul>\n<li><em><span style=\"font-weight: 400\">the alleged commission by a data subject of any offence; or<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.<\/span><\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400\">Under <\/span><a href=\"https:\/\/gdpr.eu\/article-9-processing-special-categories-of-personal-data-prohibited\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 
9<\/span><\/a><span style=\"font-weight: 400\">, the GDPR outlines requirements for, or prohibition against, the processing of \u201cspecial categories of personal data\u201d, including:<\/span><\/p>\n<blockquote><p><em><span style=\"font-weight: 400\">\u201c&#8230;revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation\u201d.<\/span><\/em><\/p><\/blockquote>\n<p><span style=\"font-weight: 400\">However, like POPIA, the GDPR follows it up with situations in which those prohibitions do not apply, including, among others, receiving explicit consent from, or protecting the vital interests of, the data subject.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Data subjects who are children<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Under Section 1 of POPIA, a child is defined as under 18 years of age, and <\/span><em><span style=\"font-weight: 400\">\u201cwho is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself\u201d<\/span><\/em><span style=\"font-weight: 400\">. POPIA does not require verification of identity for this \u201ccompetent person\u201d. 
<\/span><a href=\"https:\/\/popia.co.za\/section-35-general-authorisation-concerning-personal-information-of-children\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 35<\/span><\/a><span style=\"font-weight: 400\"> further outlines requirements regarding children, and circumstances under which their personal data can be processed, including with the consent of \u201ca competent person\u201d, if it serves a public interest, when necessary to comply with \u201can obligation of international public law\u201d, and other conditions.<\/span><\/p>\n<p><span style=\"font-weight: 400\">18 is a higher age threshold than under the GDPR, where the definition is 13-16. Under <\/span><a href=\"https:\/\/gdpr.eu\/article-8-childs-consent\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 8<\/span><\/a><span style=\"font-weight: 400\">, consent must be provided for children under age 16 by \u201cthe holder of parental responsibility over the child\u201d. Individual EU member states can lower the age for this to 13, however.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">De-identification and anonymization of data<\/span><\/h2>\n<p><a href=\"https:\/\/popia.co.za\/section-6-exclusions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 6<\/span><\/a><span style=\"font-weight: 400\"> of POPIA excludes personal data that has been permanently de-identified from broader data processing requirements and restrictions. (POPIA does not reference \u201cpseudonymization\u201d.) 
In Section 1 it defines de-identification, as it relates to personal information of a data subject, to mean deletion of any information that:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> identifies the data subject;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> can be used or manipulated by a reasonably foreseeable method to identify the data subject; or<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> can be linked by a reasonably foreseeable method to other information that identifies the data subject,<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">The GDPR\u2019s <\/span><a href=\"https:\/\/gdpr.eu\/recital-26-not-applicable-to-anonymous-data\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Recital 26<\/span><\/a><span style=\"font-weight: 400\"> is similar, covering \u201canonymous data\u201d, and referring to <\/span><em><span style=\"font-weight: 400\">\u201cpersonal data rendered anonymous in such a manner that the data subject is not or no longer identifiable<\/span><\/em><span style=\"font-weight: 400\"><em>\u201d<\/em>.<\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-requirements-restrictions-exemptions-and-prohibitions-for-data-processing\">Requirements, restrictions, exemptions and prohibitions for data processing<\/h2>\n\n\n<p><span style=\"font-weight: 400\">Under POPIA Section 1, data processing is defined as:<\/span><\/p>\n<p><em><span style=\"font-weight: 400\">\u201cany operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including\u2014<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> 
dissemination by means of transmission, distribution or making available in any other form; or<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> merging, linking, as well as restriction, degradation, erasure or destruction of information;\u201d<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">This is very similar to the definition of processing under the GDPR in Art. 4(2), though it is actually a bit more detailed.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Exclusions to the requirements and restrictions for processing of personal data under POPIA are in <\/span><a href=\"https:\/\/popia.co.za\/section-6-exclusions\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 6<\/span><\/a><span style=\"font-weight: 400\">, and include a wide variety of reasons, from the mundane, such as <\/span><span style=\"font-weight: 400\"><em>\u201cpersonal or household activity\u201d<\/em> <\/span><span style=\"font-weight: 400\">(i.e. not commercial), to the very serious, like issues pertaining to national security.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR reads similarly in <\/span><a href=\"https:\/\/gdpr.eu\/article-2-processing-personal-data-by-automated-means-or-by-filling-system\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 
2<\/span><\/a><span style=\"font-weight: 400\">, including \u201cpurely personal or household\u201d activity, as well as legal considerations like preventing criminal activity or activities falling outside of the scope of European Union law.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Under POPIA <\/span><a href=\"https:\/\/popia.co.za\/section-7-exclusion-for-journalistic-literary-or-artistic-purposes\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 7<\/span><\/a><span style=\"font-weight: 400\">, there are also specific requirements and exemptions for processing data for \u201cjournalistic, literary, or artistic purposes\u201d. In the GDPR under <\/span><a href=\"https:\/\/gdpr.eu\/article-85-right-to-freedom-of-expression-and-information\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 85<\/span><\/a><span style=\"font-weight: 400\">, which covers freedom of expression and information, academic purposes are also included along with those others.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Both POPIA and the GDPR specify requirements for a contract or legal act between the \u201cresponsible party\u201d (\u201cdata controller\u201d) and the \u201coperator\u201d (i.e. entity that is processing the data) to determine requirements, restrictions, security measures, etc. Additionally, measures must be taken to ensure that third parties accessing or processing data can sufficiently guarantee technical and security measures for data compliance.<\/span><\/p>\n<h2><span style=\"font-weight: 400\">Data transfer<\/span><\/h2>\n<p><span style=\"font-weight: 400\">Both laws include restrictions on the transfer of data, though the GDPR provides greater detail and requirements than POPIA does. 
<\/span><a href=\"https:\/\/popia.co.za\/section-72-transfers-of-personal-information-outside-republic\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 72<\/span><\/a><span style=\"font-weight: 400\"> of POPIA covers data transfers, but does not include a provision like the GDPR does in <\/span><a href=\"https:\/\/gdpr.eu\/article-45-adequacy-decision-personal-data-transfer\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 45<\/span><\/a><span style=\"font-weight: 400\"> for \u201cadequacy decisions\u201d, i.e. international agreements wherein the EU Commission has previously determined that a country or organization has an adequate level of protection for data. These adequacy decisions can significantly streamline or limit the need for additional contractual requirements and obligations where data transfers need to occur.<\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-data-security-and-data-breaches\">Data security and data breaches<\/h2>\n\n\n<p><span style=\"font-weight: 400\">Both POPIA and the GDPR have substantial requirements for data security (POPIA <\/span><a href=\"https:\/\/popia.co.za\/protection-of-personal-information-act-popia\/chapter-3-2\/chapter-3\/condition-7-security-safeguards\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Condition 7, Sections 19-21<\/span><\/a><span style=\"font-weight: 400\">, GDPR <\/span><a href=\"https:\/\/gdpr.eu\/article-32-security-of-processing\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 32<\/span><\/a><span style=\"font-weight: 400\">), as well as specific stipulations in the event of a data breach, including notification of regulatory authorities and data subjects. 
Under POPIA, exemptions from immediate notification include cases where data subjects cannot be identified, and notification may be delayed if it would impede a criminal investigation (POPIA <\/span><a href=\"https:\/\/popia.co.za\/section-22-notification-of-security-compromises\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 22<\/span><\/a><span style=\"font-weight: 400\">, GDPR Arts. <\/span><a href=\"https:\/\/gdpr.eu\/article-33-notification-of-a-personal-data-breach\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">33<\/span><\/a><span style=\"font-weight: 400\">&#8211;<\/span><a href=\"https:\/\/gdpr.eu\/article-34-communication-of-a-personal-data-breach\/\"><span style=\"font-weight: 400\">34<\/span><\/a><span style=\"font-weight: 400\">). Both laws use fairly consistent language requiring organizations to take <\/span><em><span style=\"font-weight: 400\">\u201cappropriate technical and organisational security measures\u201d<\/span><\/em><span style=\"font-weight: 400\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The requirement to notify supervisory authorities \u201cimmediately\u201d (POPIA) or \u201cwithout undue delay\u201d (GDPR) is also standard, though the GDPR also stipulates that notification take place within no more than 72 hours of discovery of a breach, if it is likely to result in \u201chigh risk to the rights and freedoms of natural persons\u201d.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The major difference between these sections of the respective laws is that POPIA has fewer exceptions to notification requirements. POPIA also enables the regulator to make responsible parties post public data breach notifications, and provides very specific information about how to notify data subjects by at least one means, e.g. 
postal mailing, last known email address, published on the responsible party\u2019s website, etc.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">The GDPR specifies what information about the breach must be provided \u2013 nature of it, approximate number of affected data subjects, and likely consequences. POPIA has similar requirements, outlining that the responsible party: <\/span><em><span style=\"font-weight: 400\">\u201cmust provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including\u2014<\/span><\/em><\/p>\n<ol>\n<li><em><span style=\"font-weight: 400\">a description of the possible consequences of the security compromise;<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">a description of the measures that the responsible party intends to take or has taken to address the security compromise;<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and<\/span><\/em><\/li>\n<li><em><span style=\"font-weight: 400\">if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.\u201d<\/span><\/em><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-penalties\">Penalties<\/h2>\n\n\n<p><span style=\"font-weight: 400\">The potential monetary penalties for a violation of the GDPR (<\/span><a href=\"https:\/\/gdpr.eu\/tag\/chapter-8\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Chapter 8<\/span><\/a><span style=\"font-weight: 400\">) are much higher than those set out by POPIA (<\/span><a href=\"https:\/\/popia.co.za\/protection-of-personal-information-act-popia\/chapter-11\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Chapter 11<\/span><\/a><span style=\"font-weight: 
400\">). However, POPIA also has provisions (<\/span><a href=\"https:\/\/popia.co.za\/section-107-penalties\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 107<\/span><\/a><span style=\"font-weight: 400\">) for sanctions of \u201cnatural or juristic persons\u201d and prison sentences of up to 10 years for certain violations for responsible individuals, which the GDPR does not. The GDPR also does not establish liabilities for Data Protection Officers.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Under POPIA <\/span><a href=\"https:\/\/popia.co.za\/section-109-administrative-fines\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 109<\/span><\/a><span style=\"font-weight: 400\">, the maximum fine is ZAR <\/span><span style=\"font-weight: 400\">10 million (~ \u20ac490,000). Under <\/span><a href=\"https:\/\/gdpr.eu\/article-83-conditions-for-imposing-administrative-fines\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 83(4)<\/span><\/a><span style=\"font-weight: 400\"> of the GDPR, depending on considerations about the breach, the fines fall into one of two categories. They can be up to \u20ac10 million or up to 2 percent of global annual turnover (revenue) for the preceding year, whichever is higher. 
Or, for \u201cespecially severe\u201d violations, up to \u20ac20 million or up to 4 percent of global annual turnover (revenue) for the preceding year, whichever is higher.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Under POPIA, the regulator must consider the following regarding potential fines (<\/span><a href=\"https:\/\/popia.co.za\/section-109-administrative-fines\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Section 109<\/span><\/a><span style=\"font-weight: 400\">):<\/span><i><\/i><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(a)<\/strong> the nature of the personal information involved;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(b)<\/strong> the duration and extent of the contravention;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(c)<\/strong> the number of data subjects affected or potentially affected by the contravention;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(d)<\/strong> whether or not the contravention raises an issue of public importance;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(e)<\/strong> the likelihood of substantial damage or distress, including injury to feelings or anxiety suffered by data subjects;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(f)<\/strong> whether the responsible party or a third party could have prevented the contravention from occurring;<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(g)<\/strong> any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information; and<\/span><\/em><\/p>\n<p><em><span style=\"font-weight: 400\"><strong>(h)<\/strong> whether the responsible party has previously committed an offence in terms of this Act.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400\">The wording in <\/span><a 
href=\"https:\/\/gdpr.eu\/article-83-conditions-for-imposing-administrative-fines\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Art. 83<\/span><\/a><span style=\"font-weight: 400\"> of the GDPR is slightly different, but conveys the same requirements and considerations. POPIA enables the Information Regulator to levy fines country-wide. Under the GDPR \u201csupervisory authorities\u201d have the power to penalize violators. While the GDPR applies to all countries in the European Union, each member country has its own supervisory authority, which is responsible for issuing fines. This is why strictness of legal interpretations and severity of penalties can vary across different European countries.<\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n<p><span style=\"font-weight: 400\">National or regional privacy laws, including POPIA and the GDPR, are far too sprawling in scope to fully encapsulate and compare in this overview. But the similarities between the two well-established laws, as well as Brazil\u2019s LGPD, are far more in number than the differences. Companies wanting to achieve privacy compliance globally will be well-positioned by pursuing either GDPR or POPIA compliance, with limited additional work to achieve further regional compliance. 
It should be noted that there are some greater differences with the state-level laws in the United States.<\/span><\/p>\n\n\n<p>{<br \/>\n&#8220;@context&#8221;: &#8220;https:\/\/schema.org&#8221;,<br \/>\n&#8220;@type&#8221;: &#8220;FAQPage&#8221;,<br \/>\n&#8220;mainEntity&#8221;: [{<br \/>\n&#8220;@type&#8221;: &#8220;Question&#8221;,<br \/>\n&#8220;name&#8221;: &#8220;Who is responsible for protecting and processing personal data?&#8221;,<br \/>\n&#8220;acceptedAnswer&#8221;: {<br \/>\n&#8220;@type&#8221;: &#8220;Answer&#8221;,<br \/>\n&#8220;text&#8221;: &#8220;Under POPIA, public or private bodies or other persons that determine the purpose and means for processing personal information are responsible, which is comparable to the &#8220;data controller&#8221; under the GDPR, i.e. &#8220;the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data&#8221;.&#8221;<br \/>\n}<br \/>\n},{<br \/>\n&#8220;@type&#8221;: &#8220;Question&#8221;,<br \/>\n&#8220;name&#8221;: &#8220;Where are POPIA and the GDPR applicable?&#8221;,<br \/>\n&#8220;acceptedAnswer&#8221;: {<br \/>\n&#8220;@type&#8221;: &#8220;Answer&#8221;,<br \/>\n&#8220;text&#8221;: &#8220;Outlined under Section 3, POPIA applies to any &#8220;responsible party&#8221; that is: domiciled in the Republic; or not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic. 
The Republic being South Africa specifically.&#8221;<br \/>\n}<br \/>\n},{<br \/>\n&#8220;@type&#8221;: &#8220;Question&#8221;,<br \/>\n&#8220;name&#8221;: &#8220;Who oversees POPIA and GDPR compliance?&#8221;,<br \/>\n&#8220;acceptedAnswer&#8221;: {<br \/>\n&#8220;@type&#8221;: &#8220;Answer&#8221;,<br \/>\n&#8220;text&#8221;: &#8220;Under POPIA, a responsible party to maintain documentation of processing operations must be appointed. This information officer role would be similar to a Data Protection Officer (DPO) in Europe under the GDPR, though likely with less expansive responsibilities. The representative does not necessarily have to be based in South Africa. An Information Regulator must also be established, comparable to country-level data protection authorities (DPA) in the EU under the GDPR.&#8221;<br \/>\n}<br \/>\n},{<br \/>\n&#8220;@type&#8221;: &#8220;Question&#8221;,<br \/>\n&#8220;name&#8221;: &#8220;What data subjects are covered by POPIA and the GDPR?&#8221;,<br \/>\n&#8220;acceptedAnswer&#8221;: {<br \/>\n&#8220;@type&#8221;: &#8220;Answer&#8221;,<br \/>\n&#8220;text&#8221;: &#8220;Data subjects under POPIA are those whose personal information is collected and processed, defined as natural or juristic persons. A juristic person can include corporations that enjoy and are subject to legal rights and duties. POPIA does not explicitly define nationalities or places of residence for data subjects it protects. 
Under the GDPR, a data subject only applies to natural persons, not companies, and specifically those residing in the European Union.&#8221;<br \/>\n}<br \/>\n},{<br \/>\n&#8220;@type&#8221;: &#8220;Question&#8221;,<br \/>\n&#8220;name&#8221;: &#8220;What kinds of personal data are protected?&#8221;,<br \/>\n&#8220;acceptedAnswer&#8221;: {<br \/>\n&#8220;@type&#8221;: &#8220;Answer&#8221;,<br \/>\n&#8220;text&#8221;: &#8220;Under POPIA, definitions of personal data cover: race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth; information relating to the education or the medical, financial, criminal or employment history; any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment; biometric information of the person; personal opinions, views or preference; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; views or opinions of another individual about the person; name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.<\/p>\n<p>Under the GDPR, personal data is defined as: &#8220;any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person&#8221;&#8221;<br \/>\n}<br \/>\n}]<br 
\/>\n}<\/p>","protected":false},"excerpt":{"rendered":"<p>What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.<\/p>\n","protected":false},"featured_media":7189,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[14,13],"class_list":["post-335","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-privacy","resource_tag-regulations"],"acf":[],"yoast_head":"<title>South Africa\u2019s POPIA compliance vs EU GDPR compliance<\/title>\n<meta name=\"description\" content=\"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"South Africa\u2019s POPIA compliance vs EU GDPR compliance\" \/>\n<meta property=\"og:description\" content=\"What is POPIA compliance, and how does it compare to GDPR compliance? 
You can learn this and more in our POPIA Vs GDPR article.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T10:09:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics-poc.psapp.devwp-content\/uploads\/2021\/08\/Popia_legislation.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"South Africa\u2019s POPIA compliance vs EU GDPR compliance\" \/>\n<meta name=\"twitter:description\" content=\"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/usercentrics-poc.psapp.devwp-content\/uploads\/2021\/08\/Popia_legislation.jpg\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"22 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/\",\"url\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/\",\"name\":\"South Africa\u2019s POPIA compliance vs EU GDPR compliance\",\"isPartOf\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg\",\"datePublished\":\"2021-08-30T10:11:27+00:00\",\"dateModified\":\"2025-06-26T10:09:07+00:00\",\"description\":\"What is POPIA compliance, and how does it compare to GDPR compliance? 
You can learn this and more in our POPIA Vs GDPR article.\",\"breadcrumb\":{\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage\",\"url\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg\",\"contentUrl\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg\",\"width\":1000,\"height\":1000,\"caption\":\"POPIA GDPR icons on laptop\",\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"POPIA vs GDPR: an overview\",\"item\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/#website\",\"url\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) 
Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/usercentrics-poc.psapp.dev\/us\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"South Africa\u2019s POPIA compliance vs EU GDPR compliance","description":"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"South Africa\u2019s POPIA compliance vs EU GDPR compliance","og_description":"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.","og_url":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2025-06-26T10:09:07+00:00","og_image":[{"url":"https:\/\/usercentrics-poc.psapp.devwp-content\/uploads\/2021\/08\/Popia_legislation.jpg","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_title":"South Africa\u2019s POPIA compliance vs EU GDPR compliance","twitter_description":"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.","twitter_image":"https:\/\/usercentrics-poc.psapp.devwp-content\/uploads\/2021\/08\/Popia_legislation.jpg","twitter_site":"@usercentrics","twitter_misc":{"Est. 
reading time":"22 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/","url":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/","name":"South Africa\u2019s POPIA compliance vs EU GDPR compliance","isPartOf":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg","datePublished":"2021-08-30T10:11:27+00:00","dateModified":"2025-06-26T10:09:07+00:00","description":"What is POPIA compliance, and how does it compare to GDPR compliance? You can learn this and more in our POPIA Vs GDPR article.","breadcrumb":{"@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#primaryimage","url":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg","contentUrl":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-content\/uploads\/sites\/7\/2021\/08\/POPIA-vs-GDPR-an-overview-1.jpg","width":1000,"height":1000,"caption":"POPIA GDPR icons on laptop","copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics 
GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"POPIA vs GDPR: an overview","item":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/popia-vs-gdpr\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics-poc.psapp.dev\/us\/#website","url":"https:\/\/usercentrics-poc.psapp.dev\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics-poc.psapp.dev\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge\/335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/knowledge\/335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/media\/7189"}],"wp:attachment":[{"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/media?parent=335"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/tags?post=335"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/magazine_issue?post=335"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/m
agazine_tag?post=335"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics-poc.psapp.dev\/us\/wp-json\/wp\/v2\/resource_tag?post=335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}