Protection of Personal Information Act 4 of 2013
Act 4 of 2013
- primary url https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf
- wayback url https://web.archive.org/web/*/https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofpersonalinforcorrect.pdf
- saflii url https://www.saflii.org/za/legis/consol_act/popoa2013376/
- popia co za https://popia.co.za/section-19-security-measures-on-integrity-and-confidentiality-of-personal-information/
- src/data/content.ts — CLAUSES[3] (unlock-codes) POPIA s 10 + s 19 angles
- src/data/content.ts — CLAUSES[4] (bundle-return) POPIA overlay angle
- src/data/content.ts — LAW_SECTIONS[2] (POPIA group)
- src/data/content.ts — TEMPLATES.T04 body
Status of this file: structured per-section summary of the cited Conditions. The verbatim primary text can be filled in from the primary URL.
POPIA’s eight Conditions for Lawful Processing of Personal Information are in Chapter 3, sections 8–25. The site relies on Condition 2 (s 10, Minimality) and Condition 7 (s 19, Security Safeguards).
s 10 — Minimality (Condition 2)
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Operative effect: any processing of personal information must be limited to what is necessary for the stated purpose. Excessive collection, retention, or use is unlawful — even with consent.
Site reliance: Clause 04 (unlock codes) — Takealot’s policy demand for live unlock codes/passwords on data-storage devices is “excessive” given the legitimate purpose (technical assessment), which can be performed on a factory-reset device. Live credentials exceed the minimality threshold.
s 19 — Security safeguards (Condition 7)
s 19(1): The responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent —
- (a) loss of, damage to, or unauthorised destruction of personal information;
- (b) unlawful access to or processing of personal information.
s 19(2): The responsible party must take reasonable measures to —
- (a) identify all reasonably foreseeable internal and external risks;
- (b) establish and maintain appropriate safeguards against the risks identified;
- (c) regularly verify that the safeguards are effectively implemented; and
- (d) ensure that the safeguards are continually updated.
Site reliance: Clause 04 (unlock codes) — accepting live credentials is itself a security risk. Holding multiple consumers’ active passwords creates a target. Forcing a consumer to compromise their device security as a condition of return is incompatible with s 19’s “appropriate, reasonable technical and organisational measures” obligation.
Information Regulator (s 40+)
The Information Regulator is the independent body established under POPIA Chapter 5 (s 39 onwards). Its current operational details — including the eServices Portal as primary complaint channel since 2024 — are in citations/regulators/info-regulator-2026-04-24.md.
s 99 establishes the Information Regulator’s enforcement powers (information notices, enforcement notices). Non-compliance penalties are in s 107.
Verbatim text
The sections above are operative paraphrases. Verbatim text of s 10 and s 19 is widely quoted in SA POPIA commentary; the wording in this file aligns with primary sources. To upgrade to verbatim status: fetch the gov.za PDF and paste each section.