The Protection of Personal Information Act, 4 of 2013 is to protect personal information and ensure that the right to privacy in terms of the Constitution is upheld. The POPIA further aims to protect an individual’s right to privacy by prohibiting the unlawful collection, disclosure, retention and use of personal information.

Legal Framework


The Act defines personal information as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to listed grounds such as race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.


It also includes information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or another particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person; and the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.


Section 1 of the Act defines the ‘data subject’ as; the person to whom the personal information relates. Given the definition of ‘personal information, where a post is created on a social media platform, the post’s subject will be deemed the ‘data subject’. Furthermore, the post’s creation will be deemed a ‘responsible party’. In light of the above, the consequences of creating a post and being considered a ’responsible party’ in terms of the Act’s definition means that the ‘responsible party’ must comply with the specified conditions of the lawful processing of personal information.


The consequences include ensuring compliance with POPIA, which includes obtaining consent before posting the subject data.  However, this arguably applies where the responsible party does so in a business capacity. In other words, consent is not a requirement if the post was created in a personal capacity. Section 6(1)(a) of POPIA provides that the Act does not apply to the processing of personal information in the course of a purely personal or household activity.



It is therefore essential that you determine whether the post was created in a business or personal capacity before approaching the responsible party. A common misconception is that POPIA applies to all social media posts but this is not true, as discussed above.

However, this does not mean that anyone may use your personal information or post pictures, videos, posts without your consent. If this is the case, you will have recourse. We have a constitutional right to privacy, Constitution of the Republic of South Africa, 1996, which must be respected and upheld. Data subjects may also have recourse in terms of our common law.



The guidelines and compliance as provides for by POPIA is important to determine whether you may be overstepping a boundary. The procedure for the lawful processing of data has not only aided our Constitution but offered further protection to all potential data subjects by implementing and creating strict measures.

Contact an Attorney at SchoemanLaw for your legal needs!

<Download Here>