Industries
Overview
All IndustriesPrivacy Policy Generator
Generate a POPIA privacy policy draft for your organisation
A guide to creating a privacy policy that complies with the Protection of Personal Information Act (POPIA). A POPIA-compliant privacy policy is a key requirement for transparency and must clearly inform data subjects about how their personal information is processed.
Privacy Policy Generator
Create a plain-language POPIA privacy notice draft from your own business details and processing activities.
Draft only. POPIA Section 18 requires reasonable steps to tell data subjects what is collected, who collects it, why it is collected, whether supply is mandatory or voluntary, consequences of refusal, legal authority where applicable, cross-border transfer details where applicable, and other information needed for fair processing.
Generated draft
PRIVACY NOTICE Last updated: 2026-07-09 1. Responsible party [organisation name] is the responsible party for the personal information described in this notice. Registration number: [registration number] Address: [physical or registered address] Website: [website] Information Officer: [Information Officer] Privacy contact: [privacy contact email] 2. Who this notice applies to This notice applies to the following categories of data subjects: Customers, website visitors, suppliers and business contacts 3. Personal information we collect We may collect or process the following personal information: Names, contact details, identity or registration numbers, transaction records and verification results where required Special personal information or children's information: We do not intentionally collect special personal information unless required for a specific lawful purpose. 4. Sources of personal information Personal information may be collected from: Directly from the data subject, authorised representatives, public registers and verification service providers where required 5. Why we process personal information We process personal information for the following specific, lawful purposes: Customer onboarding, identity verification, fraud prevention, service delivery, support, billing, record keeping and legal compliance 6. Voluntary or mandatory information Some information is mandatory where required for service delivery, FICA checks, fraud prevention or legal compliance. If required information is not provided: If required information is not provided, we may be unable to provide services, complete onboarding or meet legal obligations. 7. Recipients and operators We may share personal information with: Employees, contracted operators, verification providers, professional advisers, regulators and law enforcement where required by law 8. Cross-border transfers We do not routinely transfer personal information outside South Africa unless needed for a service provider, support tool or legal requirement with appropriate safeguards. 9. Retention We retain personal information only for as long as needed for the stated purpose, legal retention period, dispute handling or legitimate business records. 10. Security safeguards We use reasonable technical and organisational safeguards, including: Access controls, staff confidentiality duties, secure systems, monitoring, backups and incident response procedures 11. Data subject rights Data subjects may request access to personal information, correction or deletion of inaccurate or unlawfully obtained information, object to processing where POPIA allows, and lodge a complaint about processing. How to exercise rights: Email the Information Officer to request access, correction, deletion, objection or other POPIA rights assistance. 12. Complaints Complaints may be sent to the Information Officer first. Data subjects may also contact the Information Regulator. Information Regulator contact details: Website: https://inforegulator.org.za Email: enquiries@inforegulator.org.za Telephone: 010 023 5200 Review note: This draft must be checked against your actual processing activities, contracts, sector rules and legal obligations before publication.
1. Required Elements of a POPIA-Compliant Privacy Policy
- A privacy policy must satisfy the openness condition (Condition 6) set out in Sections 17 and 18 of POPIA
- It must be written in clear, plain language that data subjects can understand
- The policy must be easily accessible (e.g., on your website, provided at the point of collection)
- It should be reviewed and updated regularly to reflect changes in processing activities
2. Responsible Party Details (Section 18)
- Full name and registration number of the organisation (responsible party)
- Physical and postal address
- Contact details of the Information Officer (name, email, telephone number)
- Information Regulator registration details (if applicable)
3. Purpose of Processing (Section 13)
- Clearly describe each specific, explicitly defined, and lawful purpose for which personal information is collected
- State the lawful basis for processing (consent, contractual necessity, legal obligation, legitimate interest, etc. as per Section 11)
- Explain any consequences if the data subject refuses to provide personal information
- For identity verification purposes, explain how services such as VerifyNow are used to verify data subject identities as part of KYC/FICA obligations
4. Categories of Data Subjects and Personal Information
- List the categories of data subjects (e.g., customers, employees, suppliers, website visitors)
- Describe the categories of personal information collected for each group (e.g., names, ID numbers, contact details, financial information)
- Identify any special personal information processed (race, ethnicity, religious beliefs, health, biometrics, etc.) as defined in Section 26, and the applicable exception under Section 27
- State whether personal information of children (under 18) is processed, and if so, the basis for processing under Section 35
5. Recipients of Personal Information
- Identify the categories of recipients to whom personal information may be disclosed
- Describe any operators (third-party processors) used and their role in processing personal information (Section 20-21)
- Identify any regulatory or law enforcement bodies to whom information may be disclosed as required by law
6. Trans-border Transfers (Section 72)
- State whether personal information is transferred outside South Africa
- Identify the countries to which transfers are made
- Describe the legal basis for the transfer (adequate level of protection, binding corporate rules, consent, contractual necessity, or another Section 72 exception)
- Describe the safeguards in place to protect personal information during and after the transfer
7. Data Subject Rights and How to Exercise Them
- Right to access personal information (Section 23)
- Right to request correction or deletion of personal information (Section 24)
- Right to object to processing (Section 11(3))
- Right not to be subject to a decision based solely on automated processing (Section 71)
- Provide clear instructions on how to submit a request (contact details, forms, expected response time)
8. Security Measures
- Describe the technical and organisational security measures in place to protect personal information (Section 19)
- Include measures such as encryption, access controls, regular security assessments, and employee training
- Explain how the organisation responds to data breaches (reference your breach response plan)
9. Retention Periods
- State the retention periods for each category of personal information, or the criteria used to determine retention periods (Section 14)
- Note any statutory retention requirements that apply (e.g., FICA requires records to be retained for at least 5 years after the business relationship ends)
- Explain how personal information is destroyed, deleted, or de-identified when the retention period expires
10. Complaints Process
- Provide the internal complaints process, including who to contact and expected timelines
- Inform data subjects of their right to lodge a complaint with the Information Regulator (Section 74)
- Provide the Information Regulator's contact details: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; Tel: 010 023 5207; Email: enquiries@inforegulator.org.za