The Protection of Personal Information Act, No. 4 of 2013 (POPI Act) is now in operation, as from 1 July 2020. What does this mean for community schemes such as sectional title developments, homeowners associations and retirement villages?

1. By when do you have to comply with the POPI Act’s requirements?


You have one year to implement POPI Act’s requirements in regard to the processing of personal information. This does not mean you can ignore its provisions, but section 114 of the POPI Act provides that “All processing of personal information must within one year after the commencement of this section be made to conform to this Act.” – effectively allowing a “phase in” period of one year before schemes are obliged to comply.

2. What exactly is the purpose of the POPI Act and what will compliance entail?


The fundamental purposes of the POPI Act are disclosed in the first two phrases of its preamble: 
“To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information…” 
In plain language, the POPI Act exists to ensure that people’s personal information is not misused.

3. What is “personal information” for the purposes of the POPI Act?


The definition is very wide, covering all information relating to an identifiable human or artificial person. There are three classes of personal information: General, Special and Children’s personal information, with increasing restrictions on each class. Examples of general personal information are identity numbers, telephone numbers and addresses. Special personal information includes details of persons’ religious or philosophical beliefs, their race or ethnic origin, trade union membership, political affiliations, health or sex life, previous criminal behaviour, and biometric information. Any information relating to a person under the age of 18 is considered particularly sensitive.
My guess is that most community schemes will regularly keep only general personal information relating to their residents, employees, suppliers and others they deal with.

4. Lawfulness and “minimality”

Section 9 of the POPI Act requires that personal information must be processed lawfully without infringing the privacy of the “data subject” – the person whose personal information is being dealt with.
Section 11 sets out the requirements for lawful processing and it includes: (b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; and (c) processing complies with an obligation imposed by law on the responsible party.
This means that community schemes are entitled to process such personal information as they need to in order to comply with the laws that govern their operations and the requirements of their governance documents. However, a community scheme must not process any personal information that it does not need to, in order to comply with its statutory and contractual obligations.

5. Legal and illegal data processing in community schemes

Schemes are entitled to use their CRM and accounting systems to carry out the processes required to comply with their legitimate purposes, for example to generate levy statements and send them to appropriate owners and to make up reports of levy defaulters or residents who have broken rules, so as to be able to initiate appropriate actions based on this information processing, these being typical examples of data processing that includes personal information. However, it will be illegal for a community scheme to generate a list of defaulting owners so as to inform a person who wishes to make offers to purchase their units, or to process their data so as to create email or address marketing lists for products or services.

6. Who is responsible for ensuring compliance with the provisions of the POPI Act?


Each community scheme will have to appoint a “responsible party”, a person to implement the requirements of the POPI Act. This person, who may be a scheme executive, an employee or an agent, will take legal responsibility to ensure that the scheme processes personal information in a responsible manner as required under the legislation.

7. Data subjects’ rights

The POPI Act requires that a community scheme keep personal information securely and that the people whose information is being stored are given an opportunity to correct it when it is wrong.

8. Will the POPI Act prevent an owner accessing other owners’ contact details?

No, there is nothing in the POPI Act that stops an owner inspecting and copying scheme records, in accordance with the relevant legislation and the scheme’s governance documents.

In my view, the ordinary operations of a community scheme will not be affected by compliance with the POPI Act, but scheme executives will need to be aware of its provisions and appoint a responsible person to ensure that the personal information they store and process is not abused and that it is kept secure from others who could misuse it


Graham Paddock is a specialist community schemes attorney, notary and conveyancer. He has been advising clients and teaching students for over 40 years, and was an adjunct professor at UCT for 10 years.

Article reference: Paddocks Press: Volume 15, Issue 7.

This article is published under the Creative Commons Attribution license.

Back to Paddocks Press – July 2020 edition.

8 Comments.

  • Ludi de Klerk
    29/07/2020 10:39

    POPI is based on the European GDPR legislation, where it has been in force for more than a year. The main advantage to most people is that it prevents the selling of your private information to third parties. Those who cross the law are prosecuted and some very heavy fines have been handed to the violators. The implementation in Europe was subject to a one year “settling in” period. So, hopefully, when next you are repeatedly pestered by sales persons of organisations that you have never heard of you can report them to the regulator where they could potentially receive a ten million rand fine!

  • Alexandra Middelhoven
    29/07/2020 16:21

    As a body corporate member am I entitled to access the contact details of the trustees and managing agent?
    Who would be responsible for providing such information?

    • Paddocks
      31/07/2020 13:23

      Hi Alexandra,

      Thank you for your comment.

      This is something our attorneys would be able to assist with. Please email us on consulting@paddocks.co.za with regards to your matter, and we can provide you with a no-obligation quote, so that we can assist you.

      Kind regards,
      Paddocks

  • Good day, what should a scheme implement to be compliant when installing CCTV; i.e. to govern the surveillance and relevant records?

    • Paddocks
      19/10/2020 15:31

      Hi Mari,

      Thank you for your comment.

      This is something our attorneys would need to assist with. Please email us on consulting@paddocks.co.za with regards to your matter, and we can provide you with a no-obligation quote, so that we can assist you.

      Kind regards,
      Paddocks

  • Hi, does the BC need to hire an attorney, to draw up a Popi compliance package.

  • The BC does need a policy as to how it will deal with personal information, but – while it maybe a good idea – it does not need a ‘compliance package’ and it is not obliged to hire an attorney to draft anything.

  • Sonia Welch
    25/05/2021 18:28

    I am a trustee of a sectional title unit in a complex of 8. I would like to find a legal firm to take over the duty of the Information officer as well as the Deputy information officer once we provide you with the necessary permission.
    could you please provide us with a quotation for this. please advise what information is required for you to be able to quote.