AMENDMENTS TO THE REGULATIONS OF THE PROTECTION OF PERSONAL INFORMATION ACT – WHAT SOUTH AFRICAN BUSINESSES NEED TO KNOW

Background:

On 17 April 2025, the Information Regulator issued an update to the regulations relating to the Protection of Personal Information Act No. 4 of 2013 (“POPIA”) (“Updated Regulations”), amending the 2018 regulations in several significant ways. These changes, in effect from 17 April 2025, are intended to reinforce the rights of data subjects and expand on the obligations of responsible parties. For businesses processing and storing personal information in South Africa, familiarity with the Updated Regulations is imperative to ensuring compliance with POPIA.

Key amendments to the Updated Regulations:

One of the key changes in the Updated Regulations is the introduction of new definitions that bring much-needed clarity to POPIA’s application. Key terms such as “complainant”, “complaint”, “day”, “office hours” and “relevant body” have now been formally defined. These definitions resolve prior interpretive ambiguities and standardise the framework within which rights and responsibilities are exercised in terms of POPIA.

The amendments to the Updated Regulations have also strengthened the right of data subjects to object to the processing of their personal information. In accordance with section 11(3) of POPIA, responsible parties are now required to offer accessible and cost-free channels through which objections can be made. These channels must include hand delivery, fax, post, email, SMS, WhatsApp or any other method reasonably convenient to the data subject. Moreover, responsible parties are now obliged to inform data subjects of this right at the point of collecting personal information. For businesses, this means updating privacy notices and onboarding processes to reflect this proactive disclosure.

Similarly, the right of data subjects to request the correction, deletion or destruction of their personal information has been expanded. The Updated Regulations reaffirm that responsible parties must respond to such requests free of charge and must do so in writing within 30 days of receiving a request from a data subject. Where a business no longer has lawful grounds to retain personal information, it must provide a clear, user-friendly mechanism for data subjects to request its removal. These changes place greater emphasis on the principle of data minimisation and on maintaining only what is necessary and lawful.

Another significant development concerns direct marketing. Responsible parties are now expressly required to obtain written, affirmative consent from data subjects before engaging in any direct marketing via unsolicited electronic communication. Acceptable methods for obtaining such consent include email, SMS, WhatsApp, phone calls, fax or automated calling systems. The mere provision of an opt-out mechanism is no longer regarded as valid consent. Businesses relying on digital marketing must therefore ensure they have the appropriate processes in place to request and record consent using the correct forms, such as Form 4 provided for in the 2018 regulations.

Greater Governance:

From a governance and oversight perspective, the amendments introduce greater structure and accountability to the complaint-handling process. The Information Regulator is now required to acknowledge complaints within 14 days of receipt and must assist complainants in filing. Furthermore, third parties and public interest organisations are now entitled to lodge complaints on behalf of data subjects. Whistleblower protections have also been explicitly reinforced, with the Updated Regulations recognising the Protected Disclosures Act No. 26 of 2000. These changes aim to make the enforcement of POPIA more accessible and inclusive, especially for vulnerable or underrepresented individuals.

Concluding remarks:

The amendments to the Updated Regulations signal a maturing data protection landscape in South Africa. For businesses, they are a call to action to review consent protocols, privacy notices, direct marketing practices and data subject engagement channels. Businesses must ensure that internal processes are aligned with the Updated Regulations and that staff are trained accordingly.

VDMA’s team of experts is at your disposal for any data protection law assistance that you or your business may require.

Published 30 April 2025