
What Your Privacy Policy Must Include Under POPIA

POPIAdesk Team · 5 min read

A privacy policy is your organisation's public declaration of how you handle personal information. Under POPIA's openness condition (Condition 6), you must inform data subjects about your data processing practices.

Essential Elements

Your privacy policy must clearly state:

  • Who you are — Full legal name, registration number, and contact details of the responsible party.
  • What you collect — Categories of personal information collected (names, contact details, financial information, etc.).
  • Why you collect it — The specific purposes for processing personal information.
  • Legal basis — The lawful basis for processing (consent, contract, legal obligation, legitimate interest).
  • Who you share with — Categories of third parties who receive personal information and why.
  • Cross-border transfers — Whether information is transferred outside South Africa and the safeguards in place.
  • Retention periods — How long you keep personal information and the criteria for retention.
  • Security measures — The technical and organisational measures in place to protect information.
  • Data subject rights — How individuals can exercise their rights under POPIA.
  • Information Officer details — Name and contact details of your Information Officer.
  • Complaints process — How to lodge a complaint with the Information Regulator.

Common Mistakes

  • Copying a generic template from the internet without customising it
  • Forgetting to list all categories of personal information collected
  • Not updating the policy when business practices change
  • Using legal jargon that data subjects cannot understand

Generating Your Privacy Policy

POPIAdesk's privacy policy generator walks you through each required element and produces a professionally formatted, POPIA-compliant document tailored to your specific business context.
