South Africa’s Protection of Personal Information Act (POPIA) will see its final sections go into effect on 30 June 2021. Furthermore, parties subject to POPIA must be fully compliant with the guidelines by 1 July 2021. A number of them may have a head start if they already adhere to established data protection guidelines such as the European Union’s General Data Protection Regulation (GDPR). However, they may still be unaware about the extent to which they must adapt to POPIA. This article therefore provides a comparison of POPIA and GDPR to provide a helpful guide for parties subject to both regulations.
GDPR and POPIA are fairly similar overall, albeit with some differences in terminology, organisation of the respective articles, and greater specificity on the part of GDPR.
Key Definitions in GDPR and POPIA
| Key Term | Definition |
|---|---|
| Personal information (POPIA) / Personal data (GDPR) | Information relating to an identifiable, living, natural person. POPIA also includes juristic persons, where applicable. |
| Processing | Any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information. This includes: |
| Consent | Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. POPIA also notes that this is “subject to interpretation regarding what constitutes a voluntary expression of will”. |
| Data subject | The person to whom personal information relates. |
| Responsible party (POPIA) / Data controller (GDPR) | A public or private body, or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information. |
| Data processor (GDPR) | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. There is no concept of a data processor in POPIA, so the responsible party appears to be the sole party liable for POPIA violations. |
| Information Regulator (POPIA) / Supervisory authority (GDPR) | A juristic person with jurisdiction throughout the Republic/member state; it is subject only to the constitution, must perform its functions in accordance with POPIA/GDPR, and is accountable to the National Assembly. A key difference between the Information Regulator and the supervisory authority is explained below. |
| Information Officer | A role that pre-dates POPIA, established under South Africa’s Promotion of Access to Information Act (PAIA). The responsible party is obliged to notify the Regulator of the designation of the Information Officer. Responsibilities of the IO include: However, it is unclear what “any request” covers. The comparable GDPR term is the Data Protection Officer; the IO is responsible for ensuring compliance with POPIA, whereas the DPO must supervise and consult but remain independent. |
| Deputy Information Officer | One or more persons designated in accordance with Art. 56 to help the Information Officer perform his or her tasks. No comparable person is set out in the GDPR. |
| Special personal information (POPIA) / Special categories of personal data (GDPR) | The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject. Also the criminal behaviour of a data subject to the extent that such information relates to alleged offences, as well as any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings. POPIA and GDPR have the same content here, but POPIA puts criminal offences under the category of special personal information, while the GDPR treats the two concepts separately. |
A key difference between the Information Regulator (POPIA) and the Supervisory Authority (GDPR)
Responsible parties under POPIA must obtain authorisation from the Regulator in order to:
- process:
- unique identifiers of data subjects for a purpose other than the one specifically intended at collection and with the aim of linking the identifiers with those processed by other responsible parties
- information on criminal behaviour or on unlawful/objectionable conduct on behalf of third parties
- information for the purpose of credit reporting
- transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
- The above provisions may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.
In comparison, the GDPR’s supervisory authority only monitors GDPR compliance; it does not grant prior authorisations of this kind.
What are the Conditions (principles) for processing personal information in GDPR and POPIA?
For both the GDPR and POPIA, accountability is the central principle for processing personal information. Under accountability, both regulations specify that the controller/responsible party demonstrate compliance with the following conditions (principles):
| Condition/Principle | Definition |
|---|---|
| Processing limitation | Data must be processed lawfully and reasonably, adhering to the concept of minimality (minimisation in GDPR): the processing should be adequate, relevant and not excessive. Collection must come directly from the data subject, except under certain specified circumstances. Here, POPIA combines minimality and the requirement to collect data directly from the data subject, while GDPR puts these concepts under two separate articles. |
| Purpose specification (POPIA) / Storage limitation (GDPR) | “Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.” The data subject must be made aware of the purpose of the collection of the information, barring certain exceptions outlined in section 18(4). “Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected,” except where a legal requirement, contract etc. requires otherwise. |
| Further processing | Once data has been processed, further processing may only occur if the purpose of the further processing is compatible with the purpose for which it was collected. |
| Information quality (POPIA) / Accuracy (GDPR) | The responsible party must ensure that the personal information is complete, accurate, not misleading and up to date. |
| Openness | GDPR stipulates that “the controller shall provide” the information above, whereas POPIA’s terminology, “aware of,” is harder to prove. As a result, responsible parties are held to a lower standard of accountability. |
| Security safeguards | The “responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures” (TOMs): |
| Data subject participation | Data subject participation is further explained in the section below on the rights of data subjects. |
How does the scope of application of POPIA compare with that of the GDPR?
POPIA and GDPR apply when the responsible party is:
- Domiciled (established) in the Republic/EU
- Not domiciled in the Republic, but makes use of automated or non-automated means in the Republic with the exception of forwarding personal information.
This scope is comparable to the EU’s pre-GDPR 1995 Data Protection Directive. However, the GDPR also applies when the data processed belongs to EU citizens, regardless of where the controller/processor is headquartered, and when EU member state law applies by virtue of international agreements.
What are the exceptions to the prohibition on processing special personal information under POPIA and GDPR?
Under both POPIA and GDPR, responsible parties/controllers may process special personal information if processing is:
- Carried out with the consent of a data subject
- Necessary for the establishment, exercise or defence of a right or obligation in law
- Necessary in order to comply with an obligation of international public law
- For historical, statistical or research purposes to the extent that
- the purpose serves a public interest and the processing is necessary for the purpose concerned
- it appears to be impossible or would involve a disproportionate effort to ask for consent
- sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent
- Information has deliberately been made public by the data subject
- Regulator has granted an authorisation upon application by the responsible party on the basis of public interest and established safeguards
How does POPIA’s justification of processing compare with the GDPR’s legal bases
Under POPIA and GDPR, processing is justified when:
- Consent is obtained from the data subject, or from a competent person when the data subject is a child
- processing is:
- necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party
- complies with an obligation imposed by law on the responsible party
- necessary for the proper performance of a public law duty by a public body
- protects a legitimate interest of the data subject. This might be interpreted to cover the data subject’s vital interest, a term the GDPR uses, but this is unclear.
- necessary for pursuing the legitimate interests of the responsible party to whom the information is supplied. POPIA additionally covers the legitimate interests of third bodies here.
Rights of data subjects
| POPIA right | GDPR equivalent and nuances |
|---|---|
| The right to be notified | Right to be informed |
| The right to access | Right to access |
| The right to request correction, deletion or destruction of personal information | Right to rectification and right to erasure |
| The right to object, when the processing is justified by the legitimate interests of the data subject or of the responsible party, or when the processing is for direct marketing purposes | The right to object, when processing is necessary for the performance of a task carried out in the public interest, or when processing is necessary to fulfil the controller’s legitimate interests |
| The right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications | |
| The right not to be subject, under certain circumstances, to a decision which results in legal consequences based solely on automated processing. This is further discussed below under “Additional Remarks”. | Right not to be subject to a decision based solely on automated processing |
| The right to complain to the Regulator | Right to lodge a complaint with the supervisory authority |
| The right to an effective judicial remedy | Right to file proceedings against a controller or a processor |
How does POPIA compare with GDPR in the following circumstances?
Processing for the purpose of direct marketing
In POPIA and GDPR, the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMS or e-mail, is prohibited. Exceptions to this prohibition apply when the data subject has consented to the processing or is a customer of the responsible party (subject to conditions). In other words, the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service and is marketing similar products or services.
Additionally, it is essential that the data subject be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to direct marketing related use of their electronic details. Direct marketing communication must accordingly contain the details and identity of the sender in addition to an address or other contact information to which the recipient may request that such communications cease.
Transfers outside of Republic under POPIA
The responsible party must not transfer personal information to a third party in a foreign country aside from the following exceptions.
| Transfer exception | Remarks |
|---|---|
| The third-party recipient is subject to a law, binding corporate rules (in other words, policies within a group of undertakings) or a binding agreement which provides an adequate level of protection. | Although very similar to the GDPR, there is no certainty as to what a binding agreement refers to. For example, it could be equivalent to the GDPR’s adequacy mechanism or it could look more like the GDPR’s Standard Contractual Clauses. |
| Consent of the data subject. | In the GDPR, consent of the data subject is also a clear exception allowing transfers outside the EU that are not covered by appropriate safeguards. |
| Necessary in order to perform a contract. | This will undoubtedly be a source of debate. Responsible parties will likely consider their own business choices to be necessary. |
| The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the consent of the data subject for that transfer, and, if it were reasonably practicable to obtain such consent, the data subject would be likely to give it. | This exception expects responsible parties to display a high standard of conduct, relying on an objective assessment of what is “reasonably practicable.” Moreover, it assumes the controller is able to objectively assess the data subject’s likelihood of giving consent. |
Additional Remarks
- The Regulator may exempt any responsible party from compliance with POPIA for the purpose of satisfying public interest or for the benefit of the data subject.
- Automated decision making is not based on the data subject’s consent but rather on a contract or law/code of conduct. Moreover, POPIA safeguards for automated decision making are narrower than in the GDPR. While POPIA provides only a possibility to make representations, GDPR provides a trio of rights related to automated decision making: obtain human intervention, express the point of view, and appeal the decision.
- Responsible parties under POPIA are able to process personal data in the event that the processing is deemed to be in the data subject’s legitimate interest. However, the phrasing of this concept is ambiguous. Consequently, it will likely become a source of abuse. For instance, a clear line of defence for businesses is to argue that they have actually evaluated the data subject’s interest. Similarly, customary assessments of interests done by marketing departments are reflected in cookie banners like this one.
In the long run, as a cultural shift towards more privacy takes place, friction will increase between individuals who want more privacy and organisations who want more data. Accordingly, regulations like POPIA and the GDPR are essential for working through this friction.
This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.