Skill

south-africa-popia

Guides POPIA compliance for South African apps: lawful processing conditions, data subject rights, cross-border transfers, regulator enforcement, responsible party duties.

security

npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

assets/template.mdreferences/standards.mdreferences/workflows.mdscripts/process.py

SKILL.md

Similar Skills

github-deep-research

63.9k

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

2 files

bytedance-deer-flow-1

surprise-me

63.9k

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

image-generation

63.9k

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

2 files

bytedance-deer-flow-1

Stats

Parent Repo Stars37

Parent Repo Forks4

Last CommitMar 16, 2026

Actions

View Source View Plugin View on GitHub View README

South Africa POPIA Compliance

Overview

The Protection of Personal Information Act (POPIA), Act No. 4 of 2013, is South Africa's comprehensive data protection law. It came into full effect on 1 July 2021 following a one-year grace period after commencement on 1 July 2020. POPIA is modelled broadly on EU data protection principles but is adapted to the South African constitutional framework, specifically Section 14 of the Constitution (right to privacy). The Information Regulator is the independent supervisory authority responsible for enforcement. POPIA applies to any responsible party (controller) domiciled in South Africa or that uses automated or non-automated means within South Africa to process personal information, unless those means are used only to forward information through the Republic.

Key Definitions

POPIA Term	GDPR Equivalent	Definition
Personal information	Personal data	Information relating to an identifiable living natural person or identifiable existing juristic person (POPIA uniquely covers juristic persons)
Special personal information	Special category data	Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, criminal behaviour (Section 26)
Responsible party	Controller	A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing (Section 1)
Operator	Processor	A person who processes personal information for a responsible party in terms of a contract or mandate (Section 1)
Data subject	Data subject	The person to whom personal information relates (includes juristic persons)
Information Officer	DPO	Head of organisation or designated person responsible for encouraging compliance (Section 55)

Eight Conditions for Lawful Processing (Sections 8-25)

Condition 1: Accountability (Section 8)

The responsible party must ensure that all conditions for lawful processing are complied with at the time of determining the purpose and means of processing and during the processing itself.

Condition 2: Processing Limitation (Sections 9-12)

Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject
Processing must be adequate, relevant, and not excessive (Section 10)
Consent must be voluntary, specific, and informed; may be withdrawn (Section 11)
Personal information may be collected directly from the data subject, with exceptions (Section 12)

Condition 3: Purpose Specification (Sections 13-14)

Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party
Records must not be retained longer than necessary unless retention is required by law, reasonably necessary for a lawful purpose, or retention is required under a contract

Condition 4: Further Processing Limitation (Section 15)

Further processing must be compatible with the original purpose. Compatibility is assessed considering the relationship between purposes, nature of information, consequences for the data subject, manner of collection, and any contractual rights.

Condition 5: Information Quality (Section 16)

The responsible party must take reasonably practicable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary.

Condition 6: Openness (Sections 17-18)

The responsible party must notify the Information Regulator before commencing processing (Section 17, not yet fully enforced)
Data subjects must be notified when their personal information is collected (Section 18)

Condition 7: Security Safeguards (Sections 19-22)

Appropriate technical and organisational measures must be in place to prevent loss, damage, unauthorised access (Section 19)
Operators must be bound by contract to establish and maintain security measures (Section 21)
Breach notification to the Information Regulator and data subjects is mandatory "as soon as reasonably possible" when there are reasonable grounds to believe a compromise has occurred (Section 22)

Condition 8: Data Subject Participation (Sections 23-25)

Data subjects have the right to request confirmation of processing, access to records, correction, and deletion
Requests must be fulfilled within a reasonable time period
Fees charged must not be excessive

Cross-Border Transfers (Section 72)

Transfer of personal information outside South Africa is permitted only where:

The recipient is subject to a law, binding corporate rules, or binding agreement providing an adequate level of protection substantially similar to POPIA
The data subject consents after being informed of the risks
Transfer is necessary for performance of a contract between the data subject and responsible party
Transfer is necessary for implementation of pre-contractual measures taken in response to the data subject's request
Transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent
The information is contained in or derived from a public record

Enforcement and Penalties

The Information Regulator may:

Issue enforcement notices (Section 95)
Impose administrative fines up to ZAR 10 million (Section 109)
Refer matters for criminal prosecution, with imprisonment up to 10 years for certain offences (Section 107)
Conduct assessments (Section 89)
Issue codes of conduct (Section 60)

Key Enforcement Actions

Department of Justice and Constitutional Development (2022): The Information Regulator issued an enforcement notice for failure to implement adequate security measures following a large-scale data breach affecting the Master of the High Court system.
TransUnion South Africa (2022): Following a breach affecting 54 million records, the Information Regulator investigated and issued compliance directives regarding breach notification obligations and security safeguards.
Department of Home Affairs (2023): Enforcement notice for non-compliance with data subject access requests and security safeguard conditions.

Integration Points

breach-72h-notification: POPIA Section 22 breach notification (note: POPIA uses "as soon as reasonably possible" not a fixed 72-hour clock)
cross-border transfers: Section 72 transfer restrictions apply alongside GDPR Chapter V where dual applicability exists
vendor-privacy-due-diligence: Operator agreements under Section 21 must include security obligation requirements
data-inventory-mapping: Section 17 notification to the Information Regulator requires comprehensive processing inventory