Data subject rights

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that “everyone has the right to privacy”. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. The State has a duty to respect, protect, promote and fulfil the rights in the Bill of Rights. This duty led to the development and enactment of the Protection of Personal Information Act (POPIA), with the primary purpose of protecting the rights of data subjects. Compliance with POPIA means fulfilling the rights of data subjects.

POPIA provides the following rights for data subjects:

  1. The right to processing in accordance with the conditions, including:
    1. accountability for non-compliance
    2. lawfulness of the processing
    3. reasonable manner that does not infringe the privacy of the data subject
    4. given the purpose for which personal information is processed, it is adequate, relevant and not excessive
    5. valid legal basis
    6. collected directly from the data subject, except as otherwise provided for
    7. collected for a specific, explicitly defined and lawful purpose
    8. data subject is aware of the purpose of the collection of the information
    9. records of personal information are not retained any longer than is necessary for achieving the purpose for which the information was collected
    10. further processing of personal information must be in accordance or compatible with the purpose for which it was collected
    11. taking reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated
    12. maintain the documentation of all processing operations under its responsibility
    13. secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures
    14. provide sufficient information to allow the data subject to take protective measures against the potential consequences of a compromise
    15. notified of the action taken as a result of a data subject request
  2. The right to be notified that personal information has been collected (i.e. transparency)
  3. The right to be notified of unauthorised access to personal information
  4. The right to establish whether a responsible party holds personal information
  5. The right of access to a record or request a description of the personal information about the data subject held by the responsible party
  6. The right to request information about the identity of all third parties, or categories of third parties, who have, or have had, access to the personal information of the data subject 
  7. The right to receive the requested information in a reasonable manner and format, and in a form that is generally understandable.
  8. The right to correction
  9. The right to destruction or deletion (erasure)
  10. The right to object to processing
  11. The right to object to direct marketing
  12. The right to restrict processing
  13. The right to data transfer (portability)
  14. The right to assurance
  15. Rights in relation to automated decision making and profiling
  16. The right to submit a complaint to the regulator
  17. The right to institute civil proceedings.