{
  "feature": "popia-compliance",
  "version": "1.0.0",
  "description": "South African POPIA (Act 4 of 2013) reference — eight conditions for lawful processing, data subject rights, breach notification, direct marketing, automated decisions, transborder transfers.",
  "category": "data",
  "tags": [
    "popia",
    "compliance",
    "privacy",
    "south-africa",
    "data-protection",
    "regulatory",
    "reference",
    "act-4-of-2013"
  ],
  "aliases": [
    "protection-of-personal-information-act",
    "sa-data-protection",
    "south-africa-privacy-law",
    "act-4-of-2013",
    "popi-act"
  ],
  "actors": [
    {
      "id": "data_subject",
      "name": "Data Subject",
      "type": "human",
      "description": "The natural or juristic person to whom personal information relates (POPIA s.1)"
    },
    {
      "id": "responsible_party",
      "name": "Responsible Party",
      "type": "external",
      "description": "Public or private body that determines the purpose and means of processing (POPIA s.1)"
    },
    {
      "id": "operator",
      "name": "Operator",
      "type": "system",
      "description": "Person processing PI for a responsible party under contract, without direct authority (POPIA s.1)"
    },
    {
      "id": "information_officer",
      "name": "Information Officer",
      "type": "human",
      "description": "Designated individual responsible for POPIA compliance within a body; head of private body by default (s.55-56)"
    },
    {
      "id": "information_regulator",
      "name": "Information Regulator",
      "type": "external",
      "description": "Independent juristic person established under s.39; receives breach notifications, complaints, prior-authorisation requests"
    },
    {
      "id": "competent_person",
      "name": "Competent Person",
      "type": "human",
      "description": "Person legally competent to consent on behalf of a child (s.1)"
    }
  ],
  "rules": {
    "rule_01": "\"Personal information\" is any information relating to an identifiable, living natural person — and where applicable,\nan identifiable existing juristic person — including race, gender, sex, pregnancy, marital status, national/ethnic/social\norigin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience,\nbelief, culture, language, birth, education, medical/financial/criminal/employment history, identifying numbers\n(ID, passport, employee number), email, physical address, telephone, location, online identifier, biometric data,\npersonal opinions/preferences, private correspondence, third-party views about the person, and the person's name\nwhen its disclosure would reveal other PI. (s.1 \"personal information\")\n",
    "rule_02": "\"Special personal information\" (s.26) is a more sensitive subset that may NOT be processed without specific\nauthorisation: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion,\nhealth or sex life, biometric information, and criminal behaviour.\n",
    "rule_03": "A \"child\" is a natural person under 18 who is not legally competent without assistance. Processing PI of a child is\nPROHIBITED under s.34 unless one of the s.35 exceptions applies — primarily prior consent of a competent person.\n",
    "rule_04": "\"Consent\" means voluntary, specific, and informed expression of will (s.1). Pre-ticked boxes, bundled consent, or\nconsent buried in T&Cs do not satisfy the definition.\n",
    "rule_05": "\"Processing\" is broad — collection, receipt, recording, organisation, collation, storage, updating, modification,\nretrieval, alteration, consultation, use, dissemination, distribution, merging, linking, restriction, degradation,\nerasure, or destruction. Anything you do with PI is processing. (s.1)\n",
    "rule_06": "The responsible party MUST ensure all eight conditions are complied with at the time the purpose and means of\nprocessing are determined AND throughout the processing itself. Compliance is not a one-time check — it is a\ncontinuous obligation. (s.8)\n",
    "rule_07": "Processing must be lawful AND conducted in a reasonable manner that does not infringe the data subject's privacy.\n(s.9 — Lawfulness)\n",
    "rule_08": "Minimality (s.10): PI may only be processed if — given the purpose — it is adequate, relevant, and NOT excessive.\nDefault to collecting the minimum necessary; every additional field must be justified by the stated purpose.\n",
    "rule_09": "Lawful basis (s.11): processing requires AT LEAST ONE of — (a) consent of data subject or competent person,\n(b) necessary for contract performance, (c) legal obligation on responsible party, (d) protects a legitimate\ninterest of the data subject, (e) public-law duty by a public body, or (f) legitimate interests of responsible\nparty or third party.\n",
    "rule_10": "Burden of proof for consent rests on the responsible party (s.11(2)(a)). The data subject may withdraw consent\nat any time; the responsible party must record consent provenance and timestamp.\n",
    "rule_11": "Right to object (s.11(3)): data subjects may object on reasonable grounds to processing under bases (d)-(f), and\nmay object at any time to direct marketing. On valid objection the responsible party MUST stop processing (s.11(4)).\n",
    "rule_12": "Direct collection (s.12): PI must be collected directly from the data subject unless one of the s.12(2) exceptions\napplies (public record, public-by-data-subject, consent to indirect collection, law enforcement necessity, etc.).\n",
    "rule_13": "Specific purpose (s.13): PI must be collected for a specific, explicitly defined, and lawful purpose related to\na function or activity of the responsible party. \"Future analytics\" or \"improving services\" is NOT specific enough.\n",
    "rule_14": "Retention (s.14): records must NOT be kept longer than necessary for the purpose, unless retention is required by\nlaw, by contract, by data subject consent, or for the responsible party's lawful functions. Records used to make\na decision about a data subject must be retained long enough for that subject to have reasonable opportunity to\nrequest access (s.14(3)).\n",
    "rule_15": "Destruction (s.14(4)-(5)): when retention is no longer authorised, the responsible party MUST destroy, delete, or\nde-identify the record AS SOON AS REASONABLY PRACTICABLE, in a manner that prevents reconstruction in intelligible\nform. Soft-delete alone is NOT compliant; cryptographic erasure or true deletion is required.\n",
    "rule_16": "Restriction (s.14(6)): processing must be RESTRICTED (not deleted) when accuracy is contested, when the responsible\nparty no longer needs the data but must keep it for proof, when processing is unlawful and the data subject opposes\ndeletion, or when the data subject requests transmission to another system (data portability hint).\n",
    "rule_17": "Further processing must be COMPATIBLE with the original purpose of collection. Compatibility assessment considers:\nrelationship between purposes, nature of the data, consequences for the data subject, manner of collection, and\ncontractual obligations. Re-using PI for a new purpose generally requires a new lawful basis. (s.15)\n",
    "rule_18": "The responsible party must take reasonable steps to ensure PI is COMPLETE, ACCURATE, NOT MISLEADING, and UPDATED\nwhere necessary, having regard to the purpose. (s.16)\n",
    "rule_19": "Documentation (s.17): the responsible party MUST maintain documentation of all processing operations, as required\nby s.14 or 51 of the Promotion of Access to Information Act (PAIA manual).\n",
    "rule_20": "Notification at collection (s.18): the data subject must be made aware of — (a) information being collected and\nits source if not from the subject, (b) name and address of responsible party, (c) purpose, (d) whether supply is\nvoluntary or mandatory, (e) consequences of failure to supply, (f) any law authorising/requiring collection,\n(g) intended transborder transfers and the protection level abroad, (h) categories of recipients, the right of\naccess and correction, the right to object, and the right to lodge a complaint with the Regulator.\n",
    "rule_21": "Notification timing (s.18(2)): notice must be given BEFORE collection if collected directly from the data subject;\notherwise as soon as reasonably practicable.\n",
    "rule_22": "Integrity & confidentiality (s.19): the responsible party MUST secure PI by taking appropriate, reasonable\ntechnical AND organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access or\nprocessing. Both technical (encryption, access controls) AND organisational (policies, training) measures are required.\n",
    "rule_23": "Risk-based safeguards (s.19(2)): the responsible party must (a) identify reasonably foreseeable internal and\nexternal risks, (b) establish and maintain appropriate safeguards, (c) regularly verify safeguards are effectively\nimplemented, and (d) continually update safeguards in response to new risks. This implies an ongoing risk\nassessment process, not a one-off audit.\n",
    "rule_24": "Industry standards (s.19(3)): the responsible party must have regard to GENERALLY ACCEPTED INFORMATION SECURITY\nPRACTICES (e.g., ISO 27001, NIST CSF, OWASP ASVS) and any sector-specific rules.\n",
    "rule_25": "Operator obligations (s.20-21): operators must process PI only with the responsible party's authorisation, treat\nit as confidential, and the relationship MUST be governed by a written contract requiring the operator to maintain\nthe s.19 security measures. The operator must immediately notify the responsible party where there are reasonable\ngrounds to believe PI has been accessed or acquired by an unauthorised person (s.21) — the same threshold that\ntriggers the responsible party's own s.22 duty.\n",
    "rule_26": "Breach notification to Regulator (s.22(1)-(2)): where there are reasonable grounds to believe PI has been accessed\nor acquired by an unauthorised person, the responsible party MUST notify the Regulator AND the affected data subjects\nAS SOON AS REASONABLY POSSIBLE after discovery, taking law-enforcement needs into account.\n",
    "rule_27": "Breach notification to data subject (s.22(4)-(5)): notice must be in writing and delivered by mail to last known\nphysical/postal address, email, prominent website notice, news media, OR as directed by the Regulator. The notice\nMUST include — (a) possible consequences, (b) measures the responsible party intends or has taken, (c) recommended\nmitigating actions for the data subject, and (d) the identity of the unauthorised person if known.\n",
    "rule_28": "Right of access (s.23): on adequate proof of identity and free of charge, a data subject may request confirmation\nof whether the responsible party holds their PI and a copy/description of that PI plus the identity of all third\nparties who have had access. Responses must be within a reasonable time, in a reasonable manner and format that\nis generally understandable.\n",
    "rule_29": "Right of correction/deletion (s.24): a data subject may request correction or deletion of PI that is inaccurate,\nirrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully — OR destruction/deletion of\nPI no longer authorised to be retained under s.14. The responsible party must comply as soon as reasonably\npracticable and inform downstream recipients of the change (s.24(3)).\n",
    "rule_30": "Special PI is PROHIBITED from processing (s.26) unless a s.27 general authorisation applies — consent of data\nsubject, necessary for legal claim, international public-law obligation, historical/statistical/research with\nsafeguards, deliberately made public by data subject, OR a specific Part-B authorisation (s.28-33) for that category\n(religion, race, trade union, political, health/sex life, criminal/biometric).\n",
    "rule_31": "Biometric information (fingerprints, facial recognition, voice prints, retinal scans, DNA, blood typing) is special\nPI. Use it only when one of the s.27/s.33 grounds is satisfied AND with prior authorisation from the Regulator if\nprocessing falls under s.57(1)(b) (criminal/objectionable conduct) or s.57(1)(d) (transborder transfer).\n",
    "rule_32": "Children's PI is PROHIBITED from processing (s.34) unless — (a) consent of a competent person, (b) necessary for\nlegal claim, (c) international public-law obligation, (d) historical/statistical/research with safeguards, OR\n(e) deliberately made public by the child with competent-person consent. (s.35)\n",
    "rule_33": "Direct marketing by electronic communication (SMS, email, automated calls, fax) is PROHIBITED unless — (a) the\ndata subject has given consent, OR (b) the data subject is an existing customer AND was given an opportunity to\nobject at collection AND on every subsequent communication AND the marketing is for SIMILAR products/services.\nConsent may be requested only ONCE per data subject and only if not previously refused. (s.69)\n",
    "rule_34": "Every direct-marketing communication MUST contain (a) sender identity and (b) opt-out contact details. (s.69(4))\n",
    "rule_35": "Solely-automated decisions producing legal consequences or substantially affecting the data subject (work\nperformance, credit-worthiness, reliability, location, health, personal preferences, conduct profiling) are\nPROHIBITED unless — (a) taken in connection with contract conclusion/execution and either the subject's request\nhas been met or appropriate measures protect their interests, OR (b) governed by law or code of conduct with\nsafeguards. Appropriate measures MUST include (i) opportunity to make representations and (ii) sufficient\ninformation about the underlying logic. (s.71)\n",
    "rule_36": "Transfer of PI outside South Africa is PROHIBITED unless — (a) the recipient is subject to a law, binding corporate\nrules, or binding agreement providing substantially similar protection AND including onward-transfer restrictions,\n(b) the data subject consents, (c) transfer is necessary for contract performance with or in the interests of the\ndata subject, OR (d) transfer benefits the data subject and obtaining consent is not reasonably practicable but\nconsent would likely be given. (s.72)\n",
    "rule_37": "Transferring special PI or children's PI to a country WITHOUT adequate protection requires PRIOR AUTHORISATION\nfrom the Information Regulator under s.57(1)(d).\n",
    "rule_38": "Every public and private body MUST have an Information Officer registered with the Regulator BEFORE the officer\ntakes up duties (s.55(2)). For a private body the head of the body is the Information Officer by default. The\nInformation Officer encourages compliance, deals with PAIA requests, works with the Regulator on investigations,\nand otherwise ensures the body's compliance. (s.55-56)\n",
    "rule_39": "Prior authorisation from the Regulator is REQUIRED before processing if the responsible party intends to —\n(a) process unique identifiers for a purpose other than collection AND link them with information processed by\nother responsible parties, (b) process information on criminal behaviour or unlawful/objectionable conduct on\nbehalf of third parties, (c) process information for credit reporting, OR (d) transfer special PI or children's\nPI to a third party in a country without adequate protection. (s.57)\n",
    "rule_40": "A responsible party may NOT carry out the s.57 processing until the Regulator has completed its investigation or\nnotified that no detailed investigation will be conducted (s.58(2)). Failure to notify is an offence (s.59) liable\nto the s.107 penalties.\n",
    "rule_41": "Maximum penalties (s.107): for serious offences (e.g., breach of confidentiality s.101, unlawful acts re account\nnumbers s.105/106, obstruction of Regulator) — fines up to R10 million OR imprisonment up to 10 years OR both.\nLess serious offences carry fines or up to 12 months imprisonment. The Regulator may also impose administrative\nfines under s.109.\n",
    "rule_42": "NEVER send personal information of South African data subjects to external AI services without an explicit lawful\nbasis AND a transborder-transfer assessment under s.72. An external AI provider that processes PI on your behalf is an\noperator (s.1), so the s.20-21 written-contract and confidentiality obligations apply as well. Default behaviour for any\nAI-augmented feature touching PI MUST be to redact, tokenise, or refuse before any external API call.\n",
    "rule_43": "Logging and observability MUST NOT capture personal information in plain text. Where logs reference data subjects,\nuse opaque pseudonyms (UUIDs) and store the mapping table separately under access control. Pseudonymised log entries\nremain personal information for as long as the mapping exists (the person is still identifiable, s.1), so the mapping\ntable itself needs the same s.19 safeguards and s.14 retention limits as the underlying PI.\n",
    "rule_44": "Data subject rights endpoints (access, correction, deletion, objection, complaint) MUST be discoverable from the\npublic privacy notice and SHOULD be machine-actionable (an authenticated self-service portal beats an email queue).\n"
  },
  "outcomes": {
    "collection_compliant": {
      "priority": 10,
      "given": [
        "actor is responsible party",
        {
          "field": "lawful_basis",
          "source": "input",
          "operator": "in",
          "value": [
            "consent",
            "contract",
            "legal_obligation",
            "data_subject_legitimate_interest",
            "public_law_duty",
            "responsible_party_legitimate_interest"
          ]
        },
        "data subject has been notified of all s.18 particulars before collection",
        {
          "field": "collected_fields",
          "source": "input",
          "operator": "matches",
          "value": "minimum_necessary_for_stated_purpose"
        }
      ],
      "then": [
        {
          "action": "create_record",
          "target": "processing_activity_log",
          "type": "processing_activity",
          "description": "Record of processing entry created (s.17 documentation obligation)"
        },
        {
          "action": "emit_event",
          "event": "popia.collection.recorded",
          "payload": [
            "data_subject_id",
            "lawful_basis",
            "purpose",
            "fields_collected",
            "notice_version",
            "timestamp"
          ]
        }
      ],
      "result": "PI lawfully collected; processing record updated; data subject has been informed of rights"
    },
    "consent_withdrawn": {
      "priority": 9,
      "given": [
        "data subject withdraws consent under s.11(2)(b)",
        "lawful basis was consent (not contract/legal obligation/legitimate interest)"
      ],
      "then": [
        {
          "action": "transition_state",
          "field": "processing_status",
          "from": "active",
          "to": "stopped"
        },
        {
          "action": "emit_event",
          "event": "popia.consent.withdrawn",
          "payload": [
            "data_subject_id",
            "withdrawn_at",
            "affected_processing_activities"
          ]
        },
        {
          "action": "notify",
          "target": "information_officer",
          "channel": "email",
          "description": "Information Officer notified to verify all downstream processing has stopped"
        }
      ],
      "result": "Processing for the affected purpose has stopped; historical lawfulness preserved"
    },
    "data_subject_access_request": {
      "priority": 9,
      "given": [
        "data subject submits an access request under s.23",
        {
          "field": "identity_proof",
          "source": "input",
          "operator": "exists"
        }
      ],
      "then": [
        {
          "action": "call_service",
          "target": "pii_aggregator",
          "description": "Aggregate all PI held about the data subject across all systems"
        },
        {
          "action": "create_record",
          "target": "subject_access_response",
          "type": "access_response",
          "description": "Response includes copy/description of PI plus identities of all third-party recipients"
        },
        {
          "action": "emit_event",
          "event": "popia.access.fulfilled",
          "payload": [
            "data_subject_id",
            "request_id",
            "response_format",
            "fulfilled_at"
          ]
        }
      ],
      "result": "Data subject receives response within reasonable time, free of charge, in a generally understandable form"
    },
    "correction_or_deletion_request": {
      "priority": 9,
      "given": [
        "data subject submits correction or deletion request under s.24",
        {
          "field": "grounds",
          "source": "input",
          "operator": "in",
          "value": [
            "inaccurate",
            "irrelevant",
            "excessive",
            "out_of_date",
            "incomplete",
            "misleading",
            "unlawful",
            "retention_expired"
          ]
        }
      ],
      "then": [
        {
          "action": "set_field",
          "target": "pii_record",
          "value": "corrected_or_deleted"
        },
        {
          "action": "notify",
          "target": "downstream_recipients",
          "channel": "email",
          "description": "Each third party that received the PI must be informed of the change (s.24(3))"
        },
        {
          "action": "emit_event",
          "event": "popia.correction.applied",
          "payload": [
            "data_subject_id",
            "record_id",
            "action_taken",
            "downstream_notified_count",
            "timestamp"
          ]
        }
      ],
      "transaction": true,
      "result": "PI corrected or deleted as soon as reasonably practicable; downstream recipients notified"
    },
    "retention_period_expired": {
      "priority": 8,
      "given": [
        {
          "field": "retention_until",
          "source": "db",
          "operator": "lt",
          "value": "now"
        },
        "no s.14(1)(a)-(d) extension applies (law/contract/consent/lawful purpose)"
      ],
      "then": [
        {
          "action": "delete_record",
          "target": "pii_record",
          "type": "personal_information",
          "description": "Destruction in a manner that prevents reconstruction in intelligible form (s.14(5))"
        },
        {
          "action": "emit_event",
          "event": "popia.retention.purged",
          "payload": [
            "record_id",
            "data_subject_id",
            "retention_basis",
            "destroyed_at"
          ]
        }
      ],
      "transaction": true,
      "result": "PI destroyed/de-identified as soon as reasonably practicable after retention expiry"
    },
    "security_compromise_detected": {
      "priority": 1,
      "error": "POPIA_SECURITY_COMPROMISE",
      "given": [
        "reasonable grounds to believe PI has been accessed or acquired by unauthorised person (s.22(1))"
      ],
      "then": [
        {
          "action": "notify",
          "target": "information_regulator",
          "channel": "email",
          "description": "Notification to Regulator as soon as reasonably possible after discovery (s.22(2))"
        },
        {
          "action": "notify",
          "target": "affected_data_subjects",
          "channel": "email",
          "description": "Written notice via mail/email/website/news including consequences, measures taken, mitigation steps, and identity of unauthorised person if known (s.22(4)-(5))"
        },
        {
          "action": "emit_event",
          "event": "popia.breach.notified",
          "payload": [
            "incident_id",
            "subjects_affected_count",
            "regulator_notified_at",
            "subjects_notified_at",
            "data_categories_affected"
          ]
        }
      ],
      "transaction": true,
      "result": "Regulator and data subjects notified as soon as reasonably possible after discovery (the s.22 statutory bar; no fixed clock); incident response logged"
    },
    "direct_marketing_to_non_customer": {
      "priority": 5,
      "error": "POPIA_DIRECT_MARKETING_NO_CONSENT",
      "given": [
        {
          "field": "channel",
          "source": "input",
          "operator": "in",
          "value": [
            "email",
            "sms",
            "automated_call",
            "fax"
          ]
        },
        {
          "field": "data_subject.consent_to_marketing",
          "source": "db",
          "operator": "neq",
          "value": true
        },
        {
          "field": "data_subject.is_existing_customer",
          "source": "db",
          "operator": "neq",
          "value": true
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "popia.direct_marketing.blocked",
          "payload": [
            "data_subject_id",
            "channel",
            "blocked_at"
          ]
        }
      ],
      "result": "Send blocked; s.69 prohibits electronic direct marketing without consent or existing-customer exception"
    },
    "automated_decision_blocked": {
      "priority": 5,
      "error": "POPIA_AUTOMATED_DECISION_PROHIBITED",
      "given": [
        "decision is based SOLELY on automated processing (no human review)",
        "decision produces legal consequences or substantially affects the data subject",
        "none of s.71(2) exceptions apply (contract necessity with safeguards, or law/code of conduct)"
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "popia.automated_decision.blocked",
          "payload": [
            "decision_id",
            "data_subject_id",
            "blocked_at"
          ]
        }
      ],
      "result": "Decision must be reviewed by a human OR the data subject must be given representation rights and logic explanation"
    },
    "transborder_transfer_blocked": {
      "priority": 5,
      "error": "POPIA_TRANSBORDER_TRANSFER_PROHIBITED",
      "given": [
        "PI is being transferred to a recipient outside the Republic",
        "recipient country/organisation does NOT have substantially similar protection",
        "no s.72(1)(b)-(d) exception applies (consent / contract necessity / data subject benefit)"
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "popia.transfer.blocked",
          "payload": [
            "data_subject_id",
            "destination_country",
            "blocked_at"
          ]
        }
      ],
      "result": "Transfer aborted; s.72 requires adequate protection or specific lawful basis"
    }
  },
  "errors": [
    {
      "code": "POPIA_LAWFUL_BASIS_MISSING",
      "message": "This processing activity has no documented lawful basis under s.11. Processing cannot proceed.",
      "status": 403
    },
    {
      "code": "POPIA_NOTICE_NOT_GIVEN",
      "message": "The data subject has not been notified of the s.18 particulars; processing cannot proceed.",
      "status": 403
    },
    {
      "code": "POPIA_SECURITY_COMPROMISE",
      "message": "A security compromise affecting personal information has been detected; statutory notifications required.",
      "status": 500
    },
    {
      "code": "POPIA_RETENTION_EXCEEDED",
      "message": "This record has exceeded its retention period and must be destroyed under s.14.",
      "status": 410
    },
    {
      "code": "POPIA_DIRECT_MARKETING_NO_CONSENT",
      "message": "Electronic direct marketing requires explicit consent or the existing-customer exception under s.69.",
      "status": 403
    },
    {
      "code": "POPIA_AUTOMATED_DECISION_PROHIBITED",
      "message": "Solely-automated decisions affecting data subjects are prohibited under s.71 without safeguards.",
      "status": 403
    },
    {
      "code": "POPIA_TRANSBORDER_TRANSFER_PROHIBITED",
      "message": "This transfer fails the s.72 adequacy test; transfer cannot proceed.",
      "status": 403
    },
    {
      "code": "POPIA_SPECIAL_PI_PROHIBITED",
      "message": "Processing of special personal information is prohibited under s.26 without specific authorisation.",
      "status": 403
    },
    {
      "code": "POPIA_CHILD_PI_PROHIBITED",
      "message": "Processing of a child's personal information requires consent of a competent person under s.35.",
      "status": 403
    },
    {
      "code": "POPIA_PRIOR_AUTHORISATION_REQUIRED",
      "message": "This processing requires prior authorisation from the Information Regulator under s.57.",
      "status": 403
    }
  ],
  "events": [
    {
      "name": "popia.collection.recorded",
      "description": "PI lawfully collected and processing activity logged (s.17)",
      "payload": [
        "data_subject_id",
        "lawful_basis",
        "purpose",
        "fields_collected",
        "notice_version",
        "timestamp"
      ]
    },
    {
      "name": "popia.consent.withdrawn",
      "description": "Data subject withdrew consent under s.11(2)(b)",
      "payload": [
        "data_subject_id",
        "withdrawn_at",
        "affected_processing_activities"
      ]
    },
    {
      "name": "popia.access.fulfilled",
      "description": "Data subject access request (s.23) fulfilled",
      "payload": [
        "data_subject_id",
        "request_id",
        "response_format",
        "fulfilled_at"
      ]
    },
    {
      "name": "popia.correction.applied",
      "description": "Correction or deletion request (s.24) applied",
      "payload": [
        "data_subject_id",
        "record_id",
        "action_taken",
        "downstream_notified_count",
        "timestamp"
      ]
    },
    {
      "name": "popia.retention.purged",
      "description": "Record destroyed after retention expiry (s.14)",
      "payload": [
        "record_id",
        "data_subject_id",
        "retention_basis",
        "destroyed_at"
      ]
    },
    {
      "name": "popia.breach.notified",
      "description": "Security compromise notification sent to Regulator and data subjects (s.22)",
      "payload": [
        "incident_id",
        "subjects_affected_count",
        "regulator_notified_at",
        "subjects_notified_at",
        "data_categories_affected"
      ]
    },
    {
      "name": "popia.direct_marketing.blocked",
      "description": "Direct-marketing send blocked for lack of consent (s.69)",
      "payload": [
        "data_subject_id",
        "channel",
        "blocked_at"
      ]
    },
    {
      "name": "popia.automated_decision.blocked",
      "description": "Solely-automated decision blocked under s.71",
      "payload": [
        "decision_id",
        "data_subject_id",
        "blocked_at"
      ]
    },
    {
      "name": "popia.transfer.blocked",
      "description": "Transborder transfer blocked under s.72",
      "payload": [
        "data_subject_id",
        "destination_country",
        "blocked_at"
      ]
    },
    {
      "name": "popia.objection.received",
      "description": "Data subject objected to processing under s.11(3)",
      "payload": [
        "data_subject_id",
        "objection_grounds",
        "received_at"
      ]
    }
  ],
  "sla": {
    "breach_notification_to_regulator": {
      "max_duration": "as_soon_as_reasonably_possible",
      "citation": "s.22(2)",
      "description": "POPIA does not specify a fixed clock (unlike GDPR's 72 hours), but \"as soon as reasonably possible\" after\ndiscovery is the statutory bar. Industry practice and Regulator guidance treat 72 hours as a defensible target.\n"
    },
    "data_subject_access_response": {
      "max_duration": "reasonable_time",
      "citation": "s.23(1)(b)(i)",
      "description": "PAIA-aligned 30 calendar days is the conventional bar; longer requires written justification."
    },
    "prior_authorisation_investigation": {
      "max_duration": "13_weeks",
      "citation": "s.58(4)",
      "description": "Regulator's detailed investigation period before processing may proceed."
    }
  },
  "related": [
    {
      "feature": "gdpr-data-export",
      "type": "recommended",
      "reason": "GDPR portability mechanism satisfies POPIA s.23 access and s.14(6)(d) data-portability hint"
    },
    {
      "feature": "data-retention-policies",
      "type": "required",
      "reason": "POPIA s.14 retention/destruction obligation requires automated purge of expired records"
    },
    {
      "feature": "encrypted-attachment-storage",
      "type": "recommended",
      "reason": "POPIA s.19 security safeguards expect encryption at rest for sensitive PI"
    },
    {
      "feature": "legal-hold",
      "type": "recommended",
      "reason": "Retention extension for legal proceedings is a s.14(1)(a) law-based exception"
    },
    {
      "feature": "audit-logging",
      "type": "required",
      "reason": "Documentation obligation (s.17) and breach forensics (s.22) require an immutable processing log"
    },
    {
      "feature": "security-baseline",
      "type": "recommended",
      "reason": "POPIA s.19(3) requires generally accepted information security practices (capability planned in todo.md)"
    }
  ],
  "agi": {
    "goals": [
      {
        "id": "popia_compliant_processing",
        "description": "All processing of personal information of South African data subjects satisfies the eight conditions and respects data subject rights, with auditable evidence at every step.",
        "success_metrics": [
          {
            "metric": "processing_activities_with_documented_lawful_basis",
            "target": "100%",
            "measurement": "Count of processing activities in the s.17 register with a non-null lawful basis"
          },
          {
            "metric": "data_subject_request_response_within_30_days",
            "target": "100%",
            "measurement": "Count of access/correction/deletion requests resolved within 30 calendar days"
          },
          {
            "metric": "breach_notification_within_72_hours",
            "target": "100%",
            "measurement": "Count of confirmed compromises where Regulator and subjects were notified within 72 hours of discovery"
          },
          {
            "metric": "retention_expiry_purge_lag",
            "target": "<= 24h",
            "measurement": "Time between retention expiry and irreversible destruction"
          }
        ],
        "constraints": [
          {
            "type": "regulatory",
            "description": "No processing without a documented s.11 lawful basis; no exceptions",
            "negotiable": false
          },
          {
            "type": "regulatory",
            "description": "No transborder transfer without s.72 adequacy or specific lawful basis",
            "negotiable": false
          },
          {
            "type": "regulatory",
            "description": "No solely-automated decisions affecting data subjects without s.71 safeguards",
            "negotiable": false
          }
        ]
      }
    ],
    "autonomy": {
      "level": "human_in_loop",
      "human_checkpoints": [
        "before notifying the Information Regulator of a security compromise",
        "before refusing a data subject access or correction request",
        "before processing special personal information or children's PI",
        "before initiating a transborder transfer to a country without adequacy"
      ],
      "escalation_triggers": [
        "special_pi_processing_attempted_without_authorisation",
        "childrens_pi_processing_attempted_without_competent_person_consent",
        "breach_affecting_more_than_100_data_subjects",
        "regulator_inquiry_received"
      ]
    },
    "safety": {
      "action_permissions": [
        {
          "action": "collection_compliant",
          "permission": "autonomous"
        },
        {
          "action": "consent_withdrawn",
          "permission": "autonomous"
        },
        {
          "action": "data_subject_access_request",
          "permission": "autonomous"
        },
        {
          "action": "correction_or_deletion_request",
          "permission": "supervised"
        },
        {
          "action": "retention_period_expired",
          "permission": "autonomous"
        },
        {
          "action": "security_compromise_detected",
          "permission": "human_required"
        },
        {
          "action": "direct_marketing_to_non_customer",
          "permission": "autonomous"
        },
        {
          "action": "automated_decision_blocked",
          "permission": "autonomous"
        },
        {
          "action": "transborder_transfer_blocked",
          "permission": "autonomous"
        }
      ]
    },
    "tradeoffs": [
      {
        "prefer": "data_subject_rights",
        "over": "operational_convenience",
        "reason": "POPIA is a constitutional-privacy statute; data subject rights are non-negotiable"
      },
      {
        "prefer": "minimisation",
        "over": "feature_richness",
        "reason": "s.10 minimality requires the smallest data set that satisfies the stated purpose"
      },
      {
        "prefer": "deletion",
        "over": "indefinite_retention",
        "reason": "s.14 imposes a default duty to destroy after the purpose is fulfilled"
      }
    ],
    "coordination": {
      "protocol": "orchestrated",
      "consumes": [
        {
          "capability": "audit_logging",
          "from": "audit-logging",
          "fallback": "fail"
        },
        {
          "capability": "encryption_at_rest",
          "from": "encrypted-attachment-storage",
          "fallback": "fail"
        },
        {
          "capability": "retention_purge",
          "from": "data-retention-policies",
          "fallback": "fail"
        }
      ]
    }
  },
  "extensions": {
    "source": {
      "statute": "Protection of Personal Information Act, No. 4 of 2013",
      "jurisdiction": "Republic of South Africa",
      "gazette": "Government Gazette No. 37067, Vol 581, No 912",
      "assented": "2013-11-19",
      "commenced": "2020-07-01",
      "enforcement_effective": "2021-07-01",
      "regulator": "Information Regulator (South Africa) — https://inforegulator.org.za"
    },
    "use_in_fdl": [
      "Any blueprint that handles SA personal information MUST list popia-compliance in `related` with type `required`.",
      "The validator's secret-pattern scan already blocks SA ID numbers, banking details, and credentials in blueprint values.",
      "When extracting blueprints from codebases that touch SA PII, retain the structural patterns but strip vendor and PII samples per CLAUDE.md \"Data Protection & POPIA Compliance\" rules."
    ],
    "cross_reference": {
      "gdpr_equivalents": [
        {
          "popia_condition": "accountability",
          "gdpr_article": "Article 5(2)"
        },
        {
          "popia_condition": "processing_limitation",
          "gdpr_article": "Article 6 + Article 5(1)(a)"
        },
        {
          "popia_condition": "purpose_specification",
          "gdpr_article": "Article 5(1)(b)"
        },
        {
          "popia_condition": "minimality",
          "gdpr_article": "Article 5(1)(c)"
        },
        {
          "popia_condition": "information_quality",
          "gdpr_article": "Article 5(1)(d)"
        },
        {
          "popia_condition": "openness",
          "gdpr_article": "Articles 13-14"
        },
        {
          "popia_condition": "security_safeguards",
          "gdpr_article": "Article 32"
        },
        {
          "popia_condition": "data_subject_participation",
          "gdpr_article": "Articles 15-22"
        },
        {
          "popia_section": "s.22 breach notification",
          "gdpr_article": "Articles 33-34"
        },
        {
          "popia_section": "s.71 automated decisions",
          "gdpr_article": "Article 22"
        },
        {
          "popia_section": "s.72 transborder",
          "gdpr_article": "Chapter V"
        }
      ]
    }
  }
}