DSAR Requirements Under POPIA (South Africa)

POPIA access request requirements: data subject rights, 30-day response deadline, Information Regulator enforcement, and penalties for non-compliance.

Last updated: 2026-04-26

Individual Rights That Trigger Access Requests

Under POPIA, data subjects can submit requests to a responsible party (the South African equivalent of a data controller) to:

  • Access their personal information and receive confirmation of whether the responsible party holds it, along with a record or description of that information (Section 23)
  • Correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 24)
  • Object to the processing of their personal information on reasonable grounds relating to their particular situation, unless legislation requires the processing (Section 11(3))
  • Object to direct marketing — data subjects can opt out of processing for purposes of direct marketing by means of unsolicited electronic communications (Section 69)
  • Request destruction of personal information that the responsible party is no longer authorized to retain (Section 24)
  • Be notified that their personal information is being collected, or that it has been accessed or acquired by an unauthorized person (Sections 18 and 22)

Unlike most privacy laws worldwide, POPIA covers the personal information of juristic persons (companies, trusts, and other legal entities) in addition to natural persons. This means an organization can submit an access request about its own information held by another organization.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or data protection professional for guidance specific to your organization.

Response Deadline

30 calendar days from receipt of the request. The responsible party must respond within this timeframe, either by providing the requested information or by explaining why the request is being refused.

If additional time is needed, the responsible party cannot unilaterally extend the deadline. Extensions must be sought through the Information Regulator — there is no automatic right to extend as there is under the GDPR.

When refusing a request, the responsible party must provide written notice that includes the reason for refusal and information about the data subject's right to lodge a complaint with the Information Regulator.

Identity Verification

Required. Section 23(2) of POPIA provides that a data subject must provide adequate proof of identity before a responsible party is obligated to provide access to personal information. The Act does not prescribe a specific verification method, but the responsible party must take reasonable steps to verify the identity of the requestor. In practice, this typically involves providing a copy of a South African identity document (ID card or passport) or comparable identification.

Responsible parties should not collect more personal information than necessary for the purpose of verification. The verification process must be proportionate to the sensitivity of the information requested.

Cost

POPIA allows responsible parties to charge a prescribed fee for processing access requests. The fee structure is set by regulations and is intended to cover the cost of searching for and preparing the record. However, the fee must not be so high as to discourage data subjects from exercising their rights.

A deposit may be required if the cost of searching for and preparing the record is expected to exceed a prescribed amount. If access is granted, the deposit is deducted from the total fee.

8 Conditions for Lawful Processing

POPIA is built on eight conditions for lawful processing that responsible parties must satisfy whenever they process personal information:

  1. Accountability — the responsible party must ensure that the conditions for lawful processing are complied with at the time of determining the purpose and means of processing, and during the processing itself
  2. Processing limitation — personal information must be processed lawfully, in a reasonable manner, and only with the knowledge or consent of the data subject (unless an exception applies)
  3. Purpose specification — personal information must be collected for a specific, explicitly defined, and lawful purpose, and must not be retained longer than necessary
  4. Further processing limitation — any further processing must be compatible with the original purpose of collection
  5. Information quality — the responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary
  6. Openness — the responsible party must maintain documentation of all processing operations and must notify the data subject when collecting personal information
  7. Security safeguards — the responsible party must secure the integrity and confidentiality of personal information through appropriate technical and organizational measures
  8. Data subject participation — a data subject may request a responsible party to confirm, provide, correct, or delete their personal information

Penalties

POPIA carries both administrative and criminal penalties:

Administrative fines:

  • Up to ZAR 10 million (approximately USD 550,000) for serious violations
  • The Information Regulator can issue enforcement notices, compliance notices, and infringement notices

Criminal penalties:

  • Imprisonment of up to 10 years for the most serious offenses, including knowingly or recklessly obtaining or disclosing personal information in contravention of POPIA, or obstructing the Information Regulator in the exercise of its powers
  • Offenses under Sections 100-106 of the Act carry criminal liability

Private right of action:

  • Data subjects can institute civil proceedings for damages suffered as a result of a violation of POPIA (Section 99)
  • Both actual damages and aggravated damages may be awarded

No cure period — there is no grace period to remedy a violation before enforcement action can be taken.

Enforced by the Information Regulator, South Africa's independent supervisory authority responsible for POPIA and the Promotion of Access to Information Act (PAIA).

When You Can Refuse Access

POPIA recognizes several grounds on which a responsible party may refuse a data subject's access request. These are aligned with the grounds for refusal under PAIA and include:

  • Information that is protected by legal professional privilege (attorney-client privilege)
  • Information that would reveal a confidential source of information
  • Disclosure that would be likely to prejudice the prosecution of an alleged offender or the enforcement of a law
  • Information that relates to an ongoing investigation by the responsible party or a law enforcement agency
  • Disclosure that would constitute a serious threat to the life or health of the data subject or another individual
  • Information that would infringe the privacy of a third party unless that person has consented
  • Information that relates to the financial, commercial, or technical information of a third party and disclosure would cause harm to that third party's commercial interests
  • Information that a public body has refused to disclose on grounds of national security, defense, or international relations

When refusing access, the responsible party must notify the data subject in writing within 30 days, state the reason for refusal, and inform the data subject of their right to lodge a complaint with the Information Regulator or to apply to a court for relief.

Who This Applies To

POPIA applies to any responsible party (organization or person) that processes personal information within South Africa, or that uses automated or non-automated means within South Africa to process personal information. There is no revenue threshold, no employee count minimum, and no company size exemption.

The law applies to:

  • South African businesses of all sizes
  • Foreign organizations that process personal information within South Africa or that use processing infrastructure located in South Africa
  • Both the private and public sectors
  • Processing of both natural persons' and juristic persons' personal information

POPIA does not apply to processing that is purely personal or household in nature, processing by a public body for national security purposes, or processing that is adequately regulated by other legislation (such as journalism exemptions for media outlets).
