Updated privacy and personal information rules companies in South Africa need to know about


Parts of the long-awaited Protection of Personal Information (POPI) Act came into force on 1 July 2020, and companies will have a period of one year to become compliant, or risk substantial fines or even imprisonment.

While the updated rules around personal information and marketing are well documented, the POPI also introduces obligations on employers and grants rights to employees in respect to personal information and the legislation will have an impact on all aspects of the employment life cycle, says law firm Cliffe Dekker Hofmeyr.

Below the group outlined how the POPI changes the current hiring and employment process, as well as how it can impact termination.

Advertising, recruitment and selection

Cliffe Dekker Hofmeyr said that the following would all be considered personal information when advertising, recruiting and selecting employment candidates:

The personal information (PI) of applicants’ must be obtained directly from them, unless derived from a public platform, the firm said.

“Where an employer makes use of a recruitment agency, the applicant must consent to his/her PI being obtained from the recruitment agency. The personal information of unsuccessful applicant(s) must be destroyed once a decision has been taken not to employ the applicant(s).”

Employee onboarding, induction and training

Cliffe Dekker Hofmeyr said that the following would all be considered personal information in the employee onboarding, induction and training process:

“The nature of the information required pertaining to a next of kin constitutes personal information in terms of POPI, as it is information related to an identifiable, living, natural person,” Cliffe Dekker Hofmeyr said.

“Accordingly, an employer must notify the next of kin that their personal information is being processed and only process personal information pertaining to a next of kin with their consent. The onus of proof rests with the employer to prove that consent was received from a next of kin.”

Day to day employee management and engagement with unions

Examples of PI in day to day management include:

Cliffe Dekker Hofmeyr provided the following suggestions for the day-to-day management of personal information:


Cliffe Dekker Hofmeyr said that the following information should be retained on termination for the applicable periods as per legislation:

“Save for the information that must be retained in terms of applicable legislation, an employer must dispose of information where an employment relationship is terminated,” it said.

“Personal information retained for further processing in terms of section 15(e) of POPI must be processed solely for that purpose and should not be published in an identifiable form.”