Privacy Policy Guide

Guide to creating a POPIA-compliant privacy policy for your organisation

A guide to creating a privacy policy that complies with the Protection of Personal Information Act (POPIA). A POPIA-compliant privacy policy is a key requirement for transparency and must clearly inform data subjects about how their personal information is processed.

1. Required Elements of a POPIA-Compliant Privacy Policy

  • A privacy policy must satisfy the openness condition (Condition 6) set out in Sections 17 and 18 of POPIA
  • It must be written in clear, plain language that data subjects can understand
  • The policy must be easily accessible (e.g., on your website, provided at the point of collection)
  • It should be reviewed and updated regularly to reflect changes in processing activities

2. Responsible Party Details (Section 18)

  • Full name and registration number of the organisation (responsible party)
  • Physical and postal address
  • Contact details of the Information Officer (name, email, telephone number)
  • Information Regulator registration details (if applicable)

3. Purpose of Processing (Section 13)

  • Clearly describe each specific, explicitly defined, and lawful purpose for which personal information is collected
  • State the lawful basis for processing (consent, contractual necessity, legal obligation, legitimate interest, etc., as set out in Section 11)
  • Explain any consequences if the data subject refuses to provide personal information
  • For identity verification purposes, explain how services such as VerifyNow are used to verify data subject identities as part of KYC/FICA obligations

4. Categories of Data Subjects and Personal Information

  • List the categories of data subjects (e.g., customers, employees, suppliers, website visitors)
  • Describe the categories of personal information collected for each group (e.g., names, ID numbers, contact details, financial information)
  • Identify any special personal information processed (race, ethnicity, religious beliefs, health, biometrics, etc.) as defined in Section 26, and the applicable exception under Section 27
  • State whether personal information of children (under 18) is processed, and if so, the basis for processing under Section 35

5. Recipients of Personal Information

  • Identify the categories of recipients to whom personal information may be disclosed
  • Describe any operators (third-party processors) used and their role in processing personal information (Sections 20 and 21)
  • Identify any regulatory or law enforcement bodies to whom information may be disclosed as required by law

6. Trans-border Transfers (Section 72)

  • State whether personal information is transferred outside South Africa
  • Identify the countries to which transfers are made
  • Describe the legal basis for the transfer (adequate level of protection, binding corporate rules, consent, contractual necessity, or another Section 72 exception)
  • Describe the safeguards in place to protect personal information during and after the transfer

7. Data Subject Rights and How to Exercise Them

  • Right to access personal information (Section 23)
  • Right to request correction or deletion of personal information (Section 24)
  • Right to object to processing (Section 11(3))
  • Right not to be subject to a decision based solely on automated processing (Section 71)
  • Provide clear instructions on how to submit a request (contact details, forms, expected response time)

8. Security Measures

  • Describe the technical and organisational security measures in place to protect personal information (Section 19)
  • Include measures such as encryption, access controls, regular security assessments, and employee training
  • Explain how the organisation responds to data breaches (reference your breach response plan)

9. Retention Periods

  • State the retention periods for each category of personal information, or the criteria used to determine retention periods (Section 14)
  • Note any statutory retention requirements that apply (e.g., FICA requires records to be retained for at least 5 years after the business relationship ends)
  • Explain how personal information is destroyed, deleted, or de-identified when the retention period expires

10. Complaints Process

  • Provide the internal complaints process, including who to contact and expected timelines
  • Inform data subjects of their right to lodge a complaint with the Information Regulator (Section 74)
  • Provide the Information Regulator's contact details: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001; Tel: 010 023 5207; Email: enquiries@inforegulator.org.za