gapp awards gallery banner

POPIA thoughts and perspectives…10 months in

By Karl Blom, Peter Grealy, Nozipho Mngomezulu, Wendy Tembedza (Partners) & Cindy Leibowitz (Knowledge Lawyer) at Webber Wentzel

It has been 10 months since the commencement of the Protection of Personal Information Act, 2013 (POPIA). We take stock of recent data protection developments and set out some key learnings to guide you in your POPIA compliance journey.

The matric results debacle – the parameters of compliance when publishing personal information

At the start of 2022, the Department of Basic Education (DBE) decided not to publish the 2021 matric results on public platforms, as it has traditionally done at the start of each year. The Information Regulator issued a statement following this decision, in which it said that the DBE “has a duty to ensure that matriculants receive their results“, but that this must be done in a manner which complies with POPIA. The Information Regulator emphasised the following (non-exhaustive) requirements in her statement:

  • There should be an agreement between the DBE and the platform publishing the results, including a specific requirement for the platform to safeguard the matriculants’ personal information;
  • The DBE must inform matriculants of (i) the intention to publishing their personal information; and (ii) their right to object;
  • If a matriculant (or an adult on their behalf) objects to their personal information being processed, the DBE and dissemination platform must delete it.

One matriculant challenged the DBE’s decision in the High Court, seeking an order compelling the DBE to publish her results on public platforms. This learner stated that the results could be published without reflecting the learners’ names and surnames. The court granted the order as the matter was unopposed but did not provide any reasons for its decision.

The matter emphasises that the right to privacy must be balanced with the right to access information. This relationship can be complicated, and many factors need to be considered in assessing each particular set of circumstances to strike the right balance.  Future judgments should provide further guidance on this dynamic.

Learnings from the TransUnion data breach

In March 2022, credit bureau TransUnion announced that it had suffered a data breach. The Information Regulator has expressed its views regarding the handling of this data breach, indicating that the notification by TransUnion was “inadequate, unsatisfactory and falls short of what is required” by POPIA. The Information Regulator’s concerns centred around the lack of detail provided to the Information Regulator, indicating that less is not always more when demonstrating to the Information Regulator that a data breach has been managed appropriately.

There are three important takeaways from the Information Regulator’s statement on this data breach:


Every business processes personal information about its employees, customers, suppliers, contractors and other stakeholders. A particularly vexing question is how to comply with POPIA when selling a business to a third party. This question must be considered at each stage of the transaction, including post-transaction, when systems are being integrated.

Companies often grapple with determining whether employee consent is needed to transfer employee personal information to an acquirer. If the acquirer is located outside South Africa, the seller must consider how to lawfully transfer personal information to the offshore acquiring party, given POPIA’s specific requirements. The Information Regulator has not yet provided a guidance note on this particular issue. In the interim, overseas guidance may prove useful, including the Data Sharing Code of Practice published by the Information Commissioner’s Office (ICO) in the UK.

Ensuring POPIA compliance during an M&A transaction may require some upfront planning, and we recommend involving a privacy lawyer at an early stage of the transaction to avoid falling foul of any regulatory requirements.

Image credit: Racool Studio /

Previous Article
Next Article