POPI    |    Part 6

Getting to know POPI: Lawful processing

POPI is based on eight conditions for lawful processing of personal information. Under each condition, POPI contains key requirements relating to the processing of personal information.

These conditions are as follows: 


Personal information must be processed lawfully and in a reasonable manner that does not infringe on a data subject’s privacy. 


The purpose for processing of personal information must be adequate, relevant and not excessive. 


Consent, justification and objection

Personal information may only be processed in certain conditions. The easiest way to ensure that we comply with these specific conditions is by obtaining the data subject’s consent to process their personal information. However, we can also process personal information without the data subject’s consent. For example, if we need to process someone’s personal information in order to fulfil a contractual obligation towards them, it is not necessary to obtain consent.

POPI even allows a responsible party to process a data subject’s personal information if the processing is in the legitimate interest of the data subject or necessary for pursuing the responsible party’s legitimate interests. 

Purpose specification

Information may only be collected for a specific, explicitly defined and lawful purpose relating to the responsible party’s function or activity. Information may be retained only for as long as necessary to achieve the purpose for which it was collected or processed (although there are exceptions to this rule). 

Further processing limitation

The further processing of personal information must be in accordance with the purpose for which it was originally collected. 

Information Quality

A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated. 


A responsible party must document their information processing operations, as required by POPI’s provisions. It must also ensure that data subjects are notified when their personal information is processed. In view of this condition, many organisations are compiling privacy policies, which explain their privacy operation. 

Security safeguards

Responsible parties must ensure that personal information is kept confidential and that the information’s integrity is maintained. Responsible parties must also take appropriate measures to prevent loss of, damage to or destruction of personal information and to guard against unlawful acts. If there has been a data breach, the responsible party will also have to comply with POPI’s requirements in this regard. 

Data Subject Participation

A responsible party must ensure that a data subject is able to confirm whether the responsible party holds any personal information about the data subject (at no extra cost). A data subject must also be allowed to correct their personal information and request that the responsible party destroy or delete it. 

Thanks for reading

We hope you enjoyed the sixth edition of Getting To Know POPI. If you have any questions or comments please feel free to click here to send us an email.

If you have missed out on any of the previous editions here they are:

Share this email 

Would you like to update your profile?
Update your preferences or Unsubscribe

Copyright © 2021 Lightstone (Pty) Ltd, All rights reserved.