A privacy policy is your organisation's public declaration of how you handle personal information. Under POPIA's openness condition (Condition 6), you must inform data subjects about your data processing practices.
Essential Elements
Your privacy policy must clearly state:
- Who you are — Full legal name, registration number, and contact details of the responsible party.
- What you collect — Categories of personal information collected (names, contact details, financial information, etc.).
- Why you collect it — The specific purposes for processing personal information.
- Legal basis — The lawful basis for processing (consent, contract, legal obligation, legitimate interest).
- Who you share with — Categories of third parties who receive personal information and why.
- Cross-border transfers — Whether information is transferred outside South Africa and the safeguards in place.
- Retention periods — How long you keep personal information and the criteria for retention.
- Security measures — The technical and organisational measures in place to protect information.
- Data subject rights — How individuals can exercise their rights under POPIA.
- Information Officer details — Name and contact details of your Information Officer.
- Complaints process — How to lodge a complaint with the Information Regulator.
Common Mistakes
- Copying a generic template from the internet without customising it
- Forgetting to list all categories of personal information collected
- Not updating the policy when business practices change
- Using legal jargon that data subjects cannot understand
Generating Your Privacy Policy
POPIAdesk's privacy policy generator walks you through each required element and produces a professionally formatted, POPIA-compliant document tailored to your specific business context.