South Africa’s privacy law takes effect

The bulk of South Africa’s Protection of Personal Information Act (2013) became law on 1 July after a seven-year build up.

The long lead in was so that proposed innovations in the EU’s General Data Protection Regulation (GDPR) could be considered and to give the South Africa Information Regulator (SAIR) time to develop operational capabilities, according to lawyers in the country.

The act’s core aim is to promote protection of personal information processed by public and private bodies.

The 93 sections which took effect on 1 July cover stipulating the SAIR’s duties; how information is processed; codes of conduct; individuals’ rights related to direct marketing, directories and automated decision making; regulating flow of personal information abroad; and enforcement, penalties and fees.

Provisions for making amendments is scheduled to come into law on 30 June next year.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.