On 17 April 2025, the Information Regulator published amendments to certain regulations under the Protection of Personal Information Act 4 of 2013 (POPIA).
This is a significant update to South Africa’s data protection framework and has immediate implications for public and private organisations managing personal data.
These changes include, but are not limited to:
Right to object to the processing of personal information
- Objections must be free of charge and through accessible channels.
- Responsible parties must inform data subjects that they have a right to object when collecting personal information.
Correction or deletion of personal information
- A data subject has the right to request, at any time and without cost, the correction, destruction, or deletion of records containing their personal information if the personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully and if the responsible party is no longer authorised to retain it in terms of Section 14 of the Act.
- Responsible parties have to establish procedures for data subjects to submit requests and notify the data subject in writing of the measures taken within 30 days following the outcome of the request.
Direct marketing through unsolicited electronic communication
- The amended regulations introduce more explicit directives regarding direct marketing and complaint procedures.
- They mandate that responsible parties must secure written consent before processing personal information for direct marketing purposes via unsolicited electronic communications.
- Consent must be gathered free of charge through easily accessible means, such as email, phone calls, SMS, WhatsApp, fax, or automated calling systems.
- Importantly, the mere provision of an opt-out mechanism does not qualify as valid consent.
Complaints procedure
- The amendments also provide clarity by defining “complainant”, “complaint”, “day”, “office hours” and “relevant body/bodies”.
- They set out the type of information that must be contained within the complaint.
- Assistance will be provided by the Regulator to any person who would like to file a complaint.
- The Regulator must acknowledge the complaint within 14 days.
- The identity of a complainant will be protected if a complaint includes information which is protected under the Protected Disclosures Act 26 of 2000.
What needs to be done:
FSPs should evaluate their privacy notices, consent mechanisms and data breach response plans, and ensure that staff are trained on the amended regulations.
Masthead is committed to supporting your POPI Act compliance journey. Contact us today for guidance or email us at info@masthead.co.za.