Section 14 of the Constitution of the Republic of South Africa, 1996, provides that “everyone has the right to privacy”. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. The State has a duty to respect, protect, promote and fulfil the rights in the Bill of Rights. Hence the development and enactment of the Protection of Personal Information Act (POPIA) with the primary purpose of protecting the rights of data subjects.  Compliance with POPIA means fulfilling the rights of data subjects.

POPIA provides the following rights for data subjects:

1. The right to processing in accordance with the conditions, including:
   1. accountability for non-compliance
   2. lawfulness of the processing
   3. reasonable manner that does not infringe the privacy of the data subject
   4. given the purpose for which personal information is processed, it is adequate, relevant and not excessive
   5. valid legal basis
   6. collected directly from the data subject, except as otherwise provided for
   7. collected for a specific, explicitly defined and lawful purpose
   8. data subject is aware of the purpose of the collection of the information
   9. records of personal information are not be retained any longer than is necessary for achieving the purpose for which the information was collected
   10. further processing of personal information must be in accordance or compatible with the purpose for which it was collected
   11. taking reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated
   12. maintain the documentation of all processing operations under its responsibility
   13. secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures
   14. provide sufficient information to allow the data subject to take protective measures against the potential consequences of a compromise
   15. notified of the action taken as a result of a data subject request
2. The right to be notified that personal information has been collected (i.e. transparency)
3. The right to be notified of unauthorised access to personal information
4. The right to establish whether a responsible party holds personal information
5. The right of access to a record or request a description of the personal information about the data subject held by the responsible party
6. The right to request information about the identity of all third parties, or categories of third parties, who have, or have had, access to the personal information of the data subject 
7. The right to receive the requested information in a reasonable manner and format, and in a form that is generally understandable.
8. The right to correction
9. The right to destruction or deletion (erasure)
10. The right to object to processing
11. The right to object to direct marketing
12. The right to restrict processing
13. The right to data transfer (portability)
14. The right to assurance
15. Rights in relation to automated decision making and profiling
16. The right to submit a complaint to the regulator
17. The right to institute civil proceedings.