South Africa’s POPIA vs. EU’s GDPR: What You Need to Know

It's been a while; there has been a debate between GDPR and POPIA. Both compliances have made quite a mark since their inception. 

The South African Protection of Personal Act, also known as POPIA, means to provide South African citizens control over their data. It also makes all organizations processing personal information in South Africa legally responsible to protect the data. POPIA was formulated in 2013, but it took effect on 1st July 2020 when the President conveyed that the law would be enforced from 1st July 2021. 

GDPR, acting in the same tandem, was enforced on 25th May 2018. GDPR, since its inception, has received wide acceptance and created a significant overhaul on how the personal data of EU citizens is perceived and managed. Every company that deals with the EU citizens' personal information or is EU-based must follow GDPR compliance. 

POPIA and GDPR - Timeline

Though POPIA and GDPR are pretty comparable and have multiple common underlying foundational principles, they also have some striking differences. In this article, we will dive deep into both and try to shed light on the details. 

What is POPIA?

POPIA is the latest in a series of new privacy laws aimed at strengthening the privacy rights of individuals in today's data-driven landscape in South Africa. The law was drafted in November 2013, a few months before the EU voted to adopt the GDPR. However, progress stalled for several years until the South African government finally gave the green light in 2020. Despite its slightly earlier origin, POPIA remains very similar to the GDPR and shares the same guiding principles. 

The Protection of Personal Information Act (POPIA) includes three parties (natural or legal persons):

  • The Data Subject: The person who owns the data
  • The Responsible Party: A person who determines why and how the data is processed. For example, for-profit corporations, not-for-profit corporations, governments, government agencies, and individuals. Controllers are called in other jurisdictions.
  • The Operator: A person who processes personal data on behalf of the controller. For example, an IT provider. Processors in other jurisdictions invoked. Data protection law imposes various obligations on the controller, who is ultimately responsible for the lawful processing of personal data. Responsible parties should only use operators who can meet the lawful processing of personal data prescribed by the Personal Data Protection Act.

GDPR vs. POPIA – How They Fare Against Each Other

GDPR vs. POPIA – How They Fare Against Each Other

Scope of Application

Both GDPR and POPIA apply to organizations that collect personal information from EU and South African residents, respectively. POPIA also, in addition, applies to the existing legal entities. Public and private bodies should implement both the GDPR and POPIA.



The GDPR applies to controllers or processors based in the European Union (EU), even if the processing occurs outside the EU.

It also applies to organizations that are not established in the EU but monitor the behavior of individuals where their behavior occurs in the EU or where they provide goods or services to data subjects in the EU.

POPIA applies to organizations based in South Africa. It also applies to organizations not found in South Africa but process personal data in South Africa, unless such processing only sends the information across the country.


Data Subject Rights

Both GDPR and POPIA provide legal rights to consumers concerning their personal and sensitive information. However, from a legislative perspective, there are a few minor differences. These differences can translate into major operational differences in implementation on a case-by-case basis.


Right to be Forgotten



Data subjects have the right to request the deletion of their personal data, which must be answered immediately.

The right to erasure applies when the personal data is no longer necessary, when a data subject withdraws consent, or the data has been processed unlawfully. It also doesn't apply when the data must be erased to comply with a legal obligation.

The right to be forgotten does not apply where the treatment is necessary

1)To exercise the right to freedom of expression or information

2)To comply with a legal obligation

For reasons of public interest

3)To establish, exercise, or defend legal claims

4)For statistical/ historical/ scientific purposes


Interested parties have the right to request the destruction or erasure of their personal data, to which organizations must respond as soon as possible.


The right to erasure applies when the personal data is inaccurate, irrelevant or excessive, outdated, incomplete, misleading, or obtained illegally.


POPIA does not provide specific scenarios in which the right to be forgotten cannot be exercised.


Right to be Informed



Certain information related to the processing of personal data must be made available to data subjects, regardless of whether the personal data is collected directly from data subjects or not. 

Data controllers must inform data subjects of their rights.  

Organizations must take reasonably practicable steps to provide data subjects with certain information related to their personal information before collection or as soon as possible after collection of the information. 

Data controllers must inform data subjects of their rights.


Right to Object



Data subjects has the right to object to the processing of their personal data if the processing is based on legitimate interests or the public interest. 

The person responsible should no longer process the data subject's personal data unless he can demonstrate compelling legitimate grounds for the processing. These reasons must be compelling enough to override the data subject's interests, rights, and freedoms. 

Data subjects also have the right to object to the processing of their data for direct marketing purposes.

Data subjects have the right to object at any time to the processing of personal data if the processing is based on the legitimate interest of the data subject. 

The opposition must be based on reasonable grounds relating to the particular situation of the interested party and can be rejected if the legislation provides such treatment. 

Data subjects also have the right to object to the processing of their data for direct marketing purposes.

Right to Access



The right to access includes the right to obtain confirmation from the data controller as to whether or not personal data is being processed and access to personal data.


The response period is one month, extendable to 2 additional months depending on the complexity and number of inquiries.


A data controller may, in certain circumstances, refuses to respond to a request. For example, a request for a copy of personal information may be denied if providing it would adversely affect the rights and freedoms of others. The right to information can be exercised free of charge. However, a controller may charge a reasonable fee for manifestly unfounded or excessive requests, mainly due to their repetitive nature. 

Data subjects have the right to confirm, free of charge, whether the organization holds personal data concerning them. 

Inquiries must be answered, "within a reasonable time ."There is no specific time frame under  POPIA. 

A data controller may refuse to respond to a data access request where access to records is denied under the applicable sections of the Promotion of Access to Information Act. 

The right to confirmation that a data controller is in possession of information should be granted free of charge. A mandatory fee may be charged to respond to a request for access to a record or description of personal information.

Penalties for Non-Compliance

At R10M, the maximum financial penalty for a POPIA breach is significantly less than a potential GDPR penalty, which can be as high as €20M or 4% of annual global revenue.

However, under South African law, individuals can be criminally liable and sentenced to prison terms of up to 10 years in more severe cases. In addition, POPIA sanctions apply not only to non-compliance but also to a variety of other offenses, including

  • obstruction
  • unlawful obstruction or influencing law enforcement officials'
  • failure to attend a court hearing, or
  • lying under oath

In contrast, the GDPR focuses on sanctions more direct for non-compliance. However, when setting a fine, European enforcement authorities may take into account the level of cooperation that an organization has shown in its investigations. Under POPIA, the regulator must consider the following in relation to possible fines (Section 109):

(a) the nature of the personal data concerned;

(b) the duration and extent of the infringement;

(c) the number of persons affected or potentially affected by the breach;

(d) whether or not the breach raises an issue of public concern;

(e) the likelihood of significant harm or suffering, including damage to feelings or fears, suffered by data subjects;

(f) whether the responsible party or a third party could have prevented the breach;

(g) any failure to conduct a risk assessment or failure to follow good policies, procedures, and practices to protect personal information; and

h) if the person responsible has previously committed a crime within.

The saying in Art. 83  GDPR is slightly different but conveys the exact requirements and considerations. POPIA allows the information regulator to impose fines across the country. Under the GDPR, "supervisory authorities" have the power to sanction offenders. 

While the GDPR applies to all countries in the European Union, each member country has its own supervisory authority responsible for imposing fines. Because of this, the strictness of legal interpretation and the severity of sanctions may vary between different European countries.


Whether it's GDPR or POPIA, both focus on security issues and protect the consumers from adverse impacts. The legality might differ here and there, but the underlying ecosystem remains the same. 

In case this article has hogged your attention and you're looking to enhance your mobile app security in compliance with the global compliance and regulatory standards, Appknox can help you out. 

Appknox mobile application security is the world's most powerful plug-n-play security platform for building a safe and secure mobile ecosystem using a blend of the system plus human approach. 


Published on Jun 8, 2022
Raghunandan J
Written by Raghunandan J
Raghunandan J is a senior product manager at Appknox, a mobile security suite that helps enterprises automate mobile security. With over a decade of expertise in driving the product vision and strategy for a cloud-based mobile security platform, Raghu is a certified ScrumMaster and Business Analyst.
He is the driving force behind our mission to revolutionize AppSec and has a rich experience in agile methodologies and stakeholder management.


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now