Doxuno

POPIA Privacy Notice (Section 18) Template — South Africa

Every South African business that processes personal information needs a POPIA Privacy Notice: the "Section 18 Notification" that tells data subjects what you collect, why, with whom you share it, how long you keep it, and what their rights are. The Information Regulator is now actively enforcing POPIA (a R5 million infringement notice against the Department of Justice and Constitutional Development, and enforcement action against TransUnion and Experian), and the POPIA Amendment Regulations GN 6126 of 17 April 2025 strengthen multi-channel access rights, so a compliant privacy notice is essential rather than a nice-to-have. Our free template generates a comprehensive POPIA-aligned Privacy Notice with optional expert clauses for special PI, children, direct marketing, cookies and automated decision-making.

Free to use · Instant PDF · No account required

PDF (free) + editable Word (.docx) with Expert

PRIVACY NOTICE — PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
ACME Holdings (Pty) Ltd · Republic of South Africa · Effective 1 June 2026
Information Officer: Sipho Mthembu
POPIA s.18 Notification
ACME Holdings (Pty) Ltd (Registration No. 2018/456789/07), of 22 Fredman Drive, Sandton 2196 (the "Responsible Party", "we", "us", "our"), is committed to the protection of your personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA), the POPIA Regulations 21 January 2025 and the POPIA Amendment Regulations GN 6126 of 17 April 2025. This Privacy Notice (also called a "Section 18 Notification") explains what personal information we collect, why we collect it, how we use it, who we share it with, how long we keep it, and your rights as a data subject. ACME Holdings is a financial services and e-commerce company operating across South Africa. This Notice takes effect on 1 June 2026.
1. RESPONSIBLE PARTY AND INFORMATION OFFICER
Responsible Party: ACME Holdings (Pty) Ltd (CIPC Reg. 2018/456789/07), 22 Fredman Drive, Sandton 2196.
Email: info@acme.co.za · Phone: +27 11 234 5678 · Website: https://www.acme.co.za

Information Officer (POPIA s.55-56): Sipho Mthembu, Chief Executive Officer.
Email: io@acme.co.za · Phone: +27 11 234 5670

Our Information Officer is registered with the Information Regulator (South Africa) as required since 1 May 2021. All data-protection enquiries should be directed to the Information Officer.
2. CATEGORIES OF PERSONAL INFORMATION
We collect and process the following categories of personal information as defined in POPIA s.1:

(a) Identity Information: Full name, SA ID number (or passport for non-residents), date of birth, photograph (for account verification under FICA).

(b) Contact Information: Postal address, residential address, business address, email, mobile phone, landline phone.

(c) Financial Information: Bank account details (account holder, branch, account number), credit / debit card details (tokenised via PCI-DSS compliant processor), income (for credit assessment), payment history.

(d) Employment / Professional Information: Employer name, job title, professional qualifications, CV / résumé (for job applicants).

(e) Device / Log / Cookie Information: IP address, device identifier, browser type, operating system, log files, cookies, location data (where you have opted in via the cookie banner).
3. SOURCES OF PERSONAL INFORMATION
In accordance with POPIA s.18(1)(a), where we do not collect personal information directly from you, we disclose the source as follows:

Directly from you (when you create an account, place an order, contact customer support, complete a form on our website, communicate with us by email or phone). From third parties: registered credit bureaus (TransUnion, Experian) for credit assessment with your consent; reference checks (with your consent) for employment applications; public sources (CIPC company register, Deeds Office property register) for B2B due diligence.
4. PURPOSES OF PROCESSING + LAWFUL BASIS
We process your personal information for the following purposes, each with the lawful basis stated under POPIA s.11(1):

(a) Service Delivery / Performance of Contract [POPIA s.11(1)(b)]: To deliver products / services purchased through our platform, fulfil orders, manage your account, process payments, communicate about your account, provide customer support.

(b) Billing, Payment + Credit Assessment [POPIA s.11(1)(b) + (c)]: To invoice you, collect payments, conduct credit assessments via registered credit bureaus (TransUnion, Experian) with your consent, recover debt through registered debt collectors, comply with anti-money-laundering obligations under FICA 38/2001.

(c) Legal + Regulatory Compliance [POPIA s.11(1)(c)]: To comply with the Companies Act 71/2008, Tax Administration Act 28/2011, Financial Intelligence Centre Act 38/2001, Income Tax Act 58/1962, Basic Conditions of Employment Act 75/1997, Consumer Protection Act 68/2008 and other applicable South African law.

(d) Legitimate Interest [POPIA s.11(1)(f)]: Network and system security (intrusion detection, malware protection); fraud prevention (transaction monitoring, identity verification); business analytics on aggregated / pseudonymised data; exercise and defence of legal claims; business continuity and disaster recovery. We have conducted a balancing assessment between our legitimate interest and your rights, taking into account the nature of the processing and your reasonable expectations.
5. RECIPIENTS OF PERSONAL INFORMATION
Your personal information may be disclosed to the following categories of recipients:

(a) Internal: Authorised employees of ACME Holdings on a strict need-to-know basis (sales, customer service, finance, IT, legal, compliance, management). Access is role-based and logged.

(b) Operators [POPIA s.20-21]: Cloud hosting provider (Amazon Web Services, Cape Town region af-south-1); payment processors (PayFast, Peach Payments, Stripe); email service providers (Mailchimp, SendGrid); accounting software (Xero); customer support platform (Zendesk); identity-verification provider (Smile ID for SA ID verification under FICA). Each operator has signed a written contract, as required by POPIA s.20-21, binding it to process personal information only on our instructions, to keep it confidential and to maintain the security safeguards required by s.19.

(c) Regulators + Authorities: South African Revenue Service (SARS) for tax reporting; Financial Intelligence Centre (FIC) for FICA suspicious-transaction reports; South African Reserve Bank (SARB) for exchange-control reporting (where applicable); South African Police Service (SAPS) on court order or formal request under the Criminal Procedure Act; the Information Regulator on lawful request; courts and tribunals under court order or subpoena. Disclosure to authorities is made only where required by law or court order.
6. CROSS-BORDER TRANSFERS [POPIA S.72]
Where your personal information is transferred outside South Africa, we comply with POPIA s.72 — transfer is permitted only if the recipient country provides adequate protection, we have entered into a contract with appropriate safeguards, you have consented, or the transfer is necessary for the performance of a contract with you.

Destinations: European Union (Amazon Web Services data centres for backup); United Kingdom (some customer-support analytics); United States (Stripe payment processing for international card payments, Mailchimp email delivery).

Safeguards: Standard Contractual Clauses modelled on the EU SCCs in our written agreements with cross-border operators (a binding agreement providing adequate protection, s.72(1)(a)). For EU/EEA recipients we additionally rely on the recipient being bound by the GDPR, which provides substantially similar protection to POPIA. For US transfers we rely on the SCCs plus supplementary measures (encryption in transit and at rest, access controls). Cross-border destinations may change from time to time and are kept under review by our Information Officer.
7. RETENTION PERIODS [POPIA S.14]
We retain your personal information only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law.

General retention: 7 years from the end of the customer relationship (alignment with Companies Act 71/2008 s.24).

Financial records: 5 years from date of relevant tax assessment (Tax Administration Act 28/2011 s.29).

Statutory retention basis: Tax records: 5 years (TAA s.29). Companies Act records: 7 years (CA s.24). Employment records: 3 years (BCEA 75/1997 s.31). FICA records: 5 years (FICA s.22). Marketing data: until consent is withdrawn or after 24 months of inactivity (whichever is sooner). A litigation hold may extend retention beyond these periods.

On expiry of the retention period, we securely destroy, delete or de-identify the personal information.
8. YOUR RIGHTS AS A DATA SUBJECT [POPIA CHAPTER 2 + S.5]
As a data subject, you have the following rights under POPIA:

(a) Right of access [s.23]: confirm whether we hold your personal information and obtain a copy.

(b) Right of correction or deletion [s.24]: have inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or unlawfully obtained personal information corrected or deleted.

(c) Right to object [s.11(3)]: object to the processing of your personal information on reasonable grounds.

(d) Right to object to direct marketing [s.11(3) + s.69]: free opt-out from direct marketing at any time.

(e) Right to complain: lodge a complaint with the Information Regulator (see Section 14 below).

Request channels: Email to io@acme.co.za. Postal letter to the Information Officer at our registered address. Telephonic request on +27 11 234 5670 (call logged + written confirmation issued). POPIA Form 2 (Request for Correction or Deletion of Personal Information) and the PAIA access-request form from our PAIA Manual, both downloadable from https://www.acme.co.za/popia. Webform at https://www.acme.co.za/privacy-request.

Response time: 30 days from receipt (POPIA Amendment Regulations 2025).
9. SPECIAL PERSONAL INFORMATION [POPIA S.26-27]
In addition to general personal information, we process certain categories of special personal information (race, religion, philosophical belief, political opinion, health, sex life, biometric information, criminal behaviour, trade union membership) under the exceptions in POPIA s.27.

Categories processed: Health information (employee sick leave certificates, medical-aid claims under our group scheme). Biometric information (fingerprint access control at our Sandton head office). Criminal history (pre-employment screening with the applicant's consent). Race and gender (employment equity reporting under EEA 55/1998).

Lawful basis (POPIA s.27): Health: s.27(1)(a) explicit consent (employee onboarding form) + the s.32 medical-purposes authorisation (medical aid administration). Biometric: s.27(1)(a) explicit consent + necessary for office security; a non-biometric alternative (security card) is available. Criminal history: s.27(1)(a) explicit consent (specific employment-screening consent form) + the s.33 employment authorisation. Race / gender: s.27(1)(b), processing necessary to comply with an obligation in law, namely employment-equity reporting under EEA 55/1998 s.27 and the amended EEA Section 53 Compliance Certificate framework.
10. CHILDREN'S PERSONAL INFORMATION [POPIA S.34-35]
Where we process the personal information of children under 18 years of age, we comply with POPIA s.34-35 and obtain consent from a competent person (parent or legal guardian) as required.

Where a person under 18 wishes to register on our platform, registration is gated by a confirmation that the user is over 18 OR has obtained consent from a competent person (parent or legal guardian) under POPIA s.35(1)(a). For under-18 customers (e.g., on our youth-savings product), parental consent is obtained in writing via the account-opening form, with the parent's SA ID verified. We do NOT market to children. Parental consent is revocable at any time by writing to our Information Officer.
11. DIRECT MARKETING [POPIA S.69]
We comply with POPIA s.69 governing electronic direct marketing. Marketing to new (non-customer) data subjects requires express opt-in consent. Existing customers may be marketed to (for similar products) on an opt-out basis. Every marketing communication contains a free opt-out mechanism.

We send marketing communications by email and SMS. NEW customers (non-existing): opt-in consent obtained at sign-up via a SEPARATE tick-box (NOT pre-ticked) on our website / app. EXISTING customers: marketed OUR OWN SIMILAR products without fresh opt-in under POPIA s.69(3), with a free opt-out (unsubscribe link in every email; reply "STOP" for SMS). We do NOT use automated calling systems (auto-dialler / IVR) and we do NOT send marketing to children.
12. COOKIES + WEB TRACKING
We use cookies and similar tracking technologies on our website. Non-essential cookies are subject to opt-in consent via our cookie banner; essential cookies (required for the site to function) do not require consent.

ESSENTIAL cookies: necessary for the website to function (session, security, load-balancing, cart) — no consent required. PERFORMANCE cookies: site analytics (Google Analytics 4 with IP anonymisation) — opt-in consent via the cookie banner. MARKETING cookies: behavioural targeting (Google Ads, Meta Pixel), social-media plug-ins — opt-in consent via the cookie banner. Cookie preferences may be changed at any time via the "Cookie Preferences" link in the footer. Withdrawal of consent does not affect lawfulness of processing before withdrawal.
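As an added illustration (example code, not part of the Doxuno template or ACME's site), the following consent gate implements the three-tier scheme above: essential cookies are set without consent, performance and marketing cookies and their vendor tags are held back until the visitor opts in through the banner, and withdrawal deletes what that category already set. The category names, the cookie inventory, the placeholder vendor URLs and the `cookie_consent` preference cookie are assumptions made for this example; the cookie store is injected so the same logic runs in Node here and over document.cookie in a browser.

```javascript
// Added example (not Doxuno or ACME code). Category, cookie and vendor names and the
// cookie_consent preference cookie are assumptions made for this example.
const PREF_COOKIE = 'cookie_consent';                        // the recorded choice; itself essential
const NEEDS_CONSENT = new Set(['performance', 'marketing']); // essential cookies need none

// Cookie inventory: every cookie the site sets, by category. An undeclared name is
// refused outright, so a tracker nobody reviewed fails closed.
const COOKIE_INVENTORY = Object.freeze({
  essential: ['sid', 'csrf', 'cart', PREF_COOKIE], // session, security, cart
  performance: ['_ga', '_ga_session'],             // analytics
  marketing: ['_fbp', '_gcl_au'],                  // behavioural targeting
});
// Vendor tags that may only load once their category has been consented to.
const VENDOR_SCRIPTS = Object.freeze({
  performance: ['https://example.invalid/analytics.js'],
  marketing: ['https://example.invalid/ads.js', 'https://example.invalid/pixel.js'],
});

function categoryOf(cookieName) {
  const hit = Object.entries(COOKIE_INVENTORY).find(([, names]) => names.includes(cookieName));
  if (!hit) throw new Error(`cookie "${cookieName}" is not in the cookie inventory`);
  return hit[0];
}

class ConsentManager {
  // store: { get, set, remove } over document.cookie or a test jar;
  // loadScript(url): e.g. appends a <script> element for the vendor tag.
  constructor(store, loadScript) {
    this.store = store;
    this.loadScript = loadScript;
    this.consented = new Set();
    this.loaded = new Set();
    const saved = store.get(PREF_COOKIE);                    // restore a previous visit's choice
    if (saved) this.grant(saved.split(','));
  }
  isAllowed(category) {
    return !NEEDS_CONSENT.has(category) || this.consented.has(category);
  }
  // Every cookie write goes through here; the inventory decides the category, not the caller.
  setCookie(name, value) {
    if (!this.isAllowed(categoryOf(name))) return false;
    this.store.set(name, value);
    return true;
  }
  // Banner opt-in: record the choice, then (and only then) load vendor tags. Unknown
  // values, e.g. from a tampered preference cookie, are dropped rather than trusted.
  grant(categories) {
    for (const cat of categories) if (NEEDS_CONSENT.has(cat)) this.consented.add(cat);
    this.persist();
    this.loadVendors();
  }
  // Withdrawal stops future processing and deletes that category's cookies; processing
  // done while consent stood stays lawful, the data is just not retained going forward.
  withdraw(category) {
    if (!this.consented.delete(category)) return false;
    for (const name of COOKIE_INVENTORY[category]) this.store.remove(name);
    this.persist();
    return true;
  }
  persist() { this.store.set(PREF_COOKIE, [...this.consented].join(',')); }
  loadVendors() {
    for (const [cat, urls] of Object.entries(VENDOR_SCRIPTS)) {
      if (!this.isAllowed(cat)) continue;
      for (const url of urls) {
        if (!this.loaded.has(url)) { this.loaded.add(url); this.loadScript(url); }
      }
    }
  }
}

// In-memory store standing in for document.cookie so the example runs offline.
function memoryStore() {
  const jar = new Map();
  return { get: (n) => jar.get(n), set: (n, v) => { jar.set(n, v); },
           remove: (n) => { jar.delete(n); }, names: () => [...jar.keys()] };
}

// One visitor across two page loads; returns the observations a reviewer would check.
function demo() {
  const store = memoryStore();
  const firstVisitTags = [];
  const cm = new ConsentManager(store, (url) => firstVisitTags.push(url));
  const r = {};
  r.sessionCookieSet = cm.setCookie('sid', 'abc123');           // essential: allowed
  r.analyticsBeforeConsent = cm.setCookie('_ga', 'GA1.2.1');    // blocked: no consent yet
  r.tagsBeforeConsent = firstVisitTags.length;                   // nothing loaded
  try { cm.setCookie('_hjid', 'x'); r.undeclaredRefused = false; } catch { r.undeclaredRefused = true; }
  cm.grant(['performance']);                                      // banner: analytics only
  r.analyticsAfterConsent = cm.setCookie('_ga', 'GA1.2.1');
  r.pixelStillBlocked = cm.setCookie('_fbp', 'fb.1.x');
  r.tagsAfterConsent = firstVisitTags.slice();
  const secondVisitTags = [];                                     // next page load
  const cm2 = new ConsentManager(store, (url) => secondVisitTags.push(url));
  r.tagsSecondVisit = secondVisitTags.slice();                    // choice restored from cookie
  r.withdrawn = cm2.withdraw('performance');                      // footer "Cookie Preferences"
  r.cookiesAfterWithdraw = store.names();                         // _ga gone, sid kept
  r.analyticsAfterWithdraw = cm2.isAllowed('performance');
  return r;
}
```

In a browser the store would wrap document.cookie (setting Secure and SameSite on writes and Max-Age=0 to expire). Two caveats matter in practice: a first-party script can only expire cookies on its own domain and path, so cookies a vendor sets from its own domain must be cleared through that vendor's opt-out; and the preference cookie is itself essential, since without it the site could not honour the visitor's choice on the next page load.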
13. AUTOMATED DECISION-MAKING [POPIA S.71]
Where we make decisions based solely on automated processing that produce legal effects concerning you (or similarly significantly affect you), you have the right under POPIA s.71 to request human review and an explanation of the underlying logic.

AUTOMATED CREDIT DECISIONS: Applications for our credit products are auto-decisioned based on a credit score from a registered credit bureau and our internal scoring model. Applicants below the threshold are auto-declined. AUTOMATED FRAUD SCREENING: Transactions are scored in real time; high-risk transactions are auto-declined. HUMAN REVIEW: Data subjects may request human review of an automated decision by emailing io@acme.co.za within 14 days of the decision. The reviewer is independent of the automated system and considers additional information supplied by the applicant. The underlying logic of the scoring model is described in summary form on request; specific scoring weights are commercially confidential.
14. COMPLAINTS TO THE INFORMATION REGULATOR
If you are not satisfied with our handling of your personal information or our response to a data-subject request, you have the right to lodge a complaint with the Information Regulator (South Africa):

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za

POPIA complaints are submitted on Form 5 (Complaint to the Regulator) as prescribed in the POPIA Regulations. The Information Regulator has been actively enforcing POPIA since 2023, including a R5 million infringement notice against the Department of Justice and Constitutional Development and enforcement action against TransUnion and Experian.
15. UPDATES AND GOVERNING LAW
We may update this Privacy Notice from time to time to reflect changes in our processing practices or in the law. The current version, with the latest effective date, is always available on our website. Material changes will be brought to your attention.

This Privacy Notice is governed by the laws of the Republic of South Africa, in particular the Protection of Personal Information Act 4 of 2013 (POPIA), the POPIA Regulations 21 January 2025, the POPIA Amendment Regulations GN 6126 of 17 April 2025, and (in respect of access to information held by the Responsible Party) the Promotion of Access to Information Act 2 of 2000 (PAIA).
INFORMATION OFFICER
Sipho Mthembu
Chief Executive Officer
Information Officer
Date: ____________________
ON BEHALF OF
ACME Holdings (Pty) Ltd
CIPC Reg. 2018/456789/07
Responsible Party
Date: ____________________

Available as a print-ready PDF or an editable Microsoft Word (.docx) file.

What Is a POPIA Privacy Notice?

A POPIA Privacy Notice (also called a "Section 18 Notification" or sometimes a "Privacy Policy") is the public-facing document that a responsible party publishes to inform data subjects about its personal information processing. It is the single most visible POPIA compliance document — published on the website, included with onboarding documents, referenced in marketing emails, and tested by data subjects who exercise their rights. A weak or non-compliant Privacy Notice is the most common entry point for an Information Regulator complaint and is the document most likely to be challenged when a data subject lodges a request for access, correction or deletion.

POPIA section 18 requires the responsible party to take reasonably practicable steps to ensure that the data subject is aware of: (a) the information being collected and, where the information is not collected from the data subject, the source from which it is collected; (b) the name and address of the responsible party; (c) the purpose for which the information is being collected; (d) whether or not the supply of the information is voluntary or mandatory; (e) the consequences of failure to provide the information; (f) any particular law authorising or requiring the collection of the information; (g) the fact that, where applicable, the responsible party intends to transfer the information to a third country and the level of protection afforded; (h) any further information necessary to enable processing to be reasonable, in particular the recipients or categories of recipients, the nature or category of the information, the existence of the rights of access and rectification, the right to object, and the right to lodge a complaint with the Information Regulator. Together with the broader POPIA framework (lawful basis under s.11, retention under s.14, special PI under s.27, children's PI under s.34-35, direct marketing under s.69, automated decisions under s.71, cross-border under s.72, data subject rights under Chapter 2), this defines the minimum content of a compliant Privacy Notice.

On 17 April 2025 the Information Regulator published the POPIA Amendment Regulations (GN 6126 / GG 52523) which took immediate effect. The amendments strengthen data-subject access channels (requiring telephonic AND multiple electronic channels — not single-channel-only), update direct-marketing consent obligations, enhance complaint and enforcement procedures, and prescribe a 30-day response window for data-subject requests. Most South African Privacy Notices published before 17 April 2025 are now non-compliant in at least one of these areas and need to be updated. Our template is current as of June 2026 and reflects the amended Regulations.

What's Covered in This Template

Ten core sections covering every POPIA s.18 minimum-content requirement, plus expert-tier special PI, children, direct marketing, cookies and automated decisions.

Responsible Party

Organisation name, CIPC registration, address, contact details, notice effective date.

Information Officer (POPIA s.55-56)

Information Officer name, position, contact details — registered with the Information Regulator since 1 May 2021.

Categories of Personal Information

Identity, contact, financial, employment, device / log / cookie information.

Purposes + Lawful Basis (POPIA s.11)

Service delivery (s.11(1)(b)), billing, legal compliance (s.11(1)(c)), legitimate interest (s.11(1)(f)) with balancing assessment.

Sources of PI (POPIA s.18(1)(a))

Direct + third parties (credit bureaus, references, public sources — CIPC, Deeds Office).

Recipients (Operators + Authorities)

Internal staff, third-party operators with s.20-21 contracts, regulators (SARS, FIC, SARB, Information Regulator, courts).

Cross-border Transfers (POPIA s.72)

Destinations + safeguards (Standard Contractual Clauses, adequacy regime, data subject consent).

Retention Periods (POPIA s.14)

General + financial + statutory bases (TAA s.29 5 years, CA s.24 7 years, BCEA s.31 3 years, FICA s.22 5 years).

Data Subject Rights (POPIA Chapter 2)

Access, correction, deletion, objection, complaint — multi-channel requests, 30-day response (POPIA Amendment Regs 2025).

Information Regulator Complaints

Form 5 complaint mechanism, Regulator address, POPIAComplaints email.

Special PI (Expert — POPIA s.26-27)

Race, religion, health, biometric, criminal, trade union — s.27 exception (explicit consent, employment carve-out, EEA reporting).

Children's PI (Expert — POPIA s.34-35)

Under-18 PI requires competent-person (parent/guardian) consent under s.35.

Direct Marketing (Expert — POPIA s.69)

Opt-in for new customers, opt-out for existing customers (similar products), free opt-out mechanism in every communication.

Cookies + Web Tracking (Expert)

Essential / performance / marketing cookie categories, banner consent for non-essential, ECT Act 25/2002 alignment.

Automated Decisions (Expert — POPIA s.71)

Right to human review of solely automated decisions with legal effect (credit scoring, fraud screening).

How to Create a POPIA Privacy Notice

Five steps from drafting to a published Section 18 Notification.

  1. Map Your Personal Information

     Identify every category of PI you collect (identity, contact, financial, employment, device / log) and every purpose. Where PI is collected indirectly (credit bureaus, public registers), document the source. This mapping IS the foundation of the Privacy Notice: gaps here cause gaps in the Notice.

  2. Identify Lawful Basis for Each Purpose

     POPIA s.11(1) lists the lawful bases: data subject consent, contract performance, legal obligation, legitimate interest of the responsible party, etc. Each purpose needs ONE clearly identified basis. Default reliance on consent is fragile, because consent must be specific, informed, voluntary and revocable.

  3. Designate + Register Information Officer

     The CEO / Head of organisation is the default Information Officer under POPIA s.56(b)(i). The IO must be registered with the Information Regulator (mandatory since 1 May 2021); registration is free via the inforegulator.org.za portal. The IO is the named contact for all data-subject requests.

  4. Set Up Multi-Channel Request Mechanism

     POPIA Amendment Regulations GN 6126 of 17 April 2025 require multi-channel access: telephonic AND multiple electronic channels. Email-only or postal-only mechanisms are no longer compliant. Add: email, postal, telephonic (logged), webform, Form 2 download. Set up a 30-day response workflow.

  5. Publish + Communicate + Train

     Publish on the website, link from every PI-collection point (forms, sign-ups, cookie banner). Communicate material changes proactively. Train customer-facing staff to recognise data-subject requests and route them to the IO. Review annually and on regulatory change.

Why Doxuno documents are different

Four things that make our templates more thorough than AI-generated drafts and more current than static template libraries.

Country-specific legal content

Drafted with legal expertise for each jurisdiction, far more thorough than AI-generated drafts that copy generic clauses across borders.

Always current with the law

Templates carrying statute references are continuously updated as the law changes. Your document always reflects the current legal framework.

Print-ready PDF (free)

Free to download. Vector text, embedded fonts, statute citations baked in. Print, sign, file. Ready for any signing flow including electronic signature.

Editable Word (.docx)

Continue editing in Word after download. Add custom clauses, reuse the template for similar agreements, or share with a colleague for collaborative review.

Requires Expert one-time unlock or any paid Doxuno subscription.

Legal Considerations

POPIA enforcement is active and the Amendment Regulations 2025 tighten compliance.

This template is for informational purposes only and does not constitute legal advice. POPIA compliance is a complex area involving sector-specific rules, operational practice and risk assessment. Consult a qualified South African data-protection attorney for advice specific to your processing activities.

Reviewed for South African law

The Information Regulator Is Now Actively Enforcing POPIA

Until 2023, POPIA enforcement was largely educational. Since 2023 the Information Regulator has taken action against major entities: the Department of Justice and Constitutional Development received a R5 million infringement notice in 2023 for failing to renew the security software licences (intrusion detection, anti-virus and security-event monitoring) whose lapse preceded its September 2021 ransomware attack; TransUnion faced enforcement following its 2022 breach affecting millions of consumers; Experian likewise following its 2020 data exposure. The Regulator has also issued numerous enforcement notices against smaller entities for inadequate Information Officer registration, weak breach-notification practices, and non-compliant cross-border transfers. The cost of non-compliance is no longer theoretical: a well-drafted Privacy Notice that is actually followed in practice is the single best protection.

POPIA Amendment Regulations GN 6126 of 17 April 2025

The POPIA Amendment Regulations published on 17 April 2025 (Government Notice 6126 in Government Gazette 52523) took immediate effect. The key changes for Privacy Notices: (a) Data-subject access channels strengthened — telephonic AND multiple electronic channels required, single-channel mechanisms now non-compliant; (b) 30-day response window prescribed for data-subject requests (from receipt, not from internal triage); (c) Direct-marketing consent tightened — express opt-in for new customers via separate (not pre-ticked) tick-box; (d) Breach-reporting obligations enhanced — Information Regulator notification, plus data subject notification where breach is likely to result in harm; (e) Operator-relationship documentation more rigorously scrutinised under s.20-21. Most pre-April-2025 Privacy Notices are now non-compliant in at least one area.

POPIA vs PAIA — Two Sides of the Same Coin

POPIA (Protection of Personal Information Act 4 of 2013) and PAIA (Promotion of Access to Information Act 2 of 2000) are complementary. POPIA governs how a responsible party PROCESSES personal information. PAIA governs the data subject's right of ACCESS to records held by public or private bodies. A POPIA access request (s.23) is in fact made through the PAIA request procedure, while correction and deletion use POPIA Form 2, so the two regimes often look identical to the data subject but have slightly different procedural requirements. Best practice: a single Privacy Notice that covers both, with a single multi-channel request mechanism, and both the POPIA Form 2 and the PAIA access-request form from the private body's PAIA Manual downloadable from the website. Every private body must have a PAIA Manual (PAIA s.51); the Privacy Notice is the customer-facing summary.

Special Personal Information + Children's PI — Stricter Lawful Basis

POPIA s.26 prohibits processing of "special personal information" (race, religion, philosophical belief, political opinion, health, sex life, biometric, criminal behaviour, trade union membership) unless an exception in s.27 applies: most commonly explicit consent (s.27(1)(a)), processing necessary for the establishment, exercise or defence of a right or obligation in law, which includes statutory reporting duties (s.27(1)(b)), or one of the specific authorisations in s.28-33 (s.27(1)(f)). POPIA s.34 prohibits processing of children's (under-18) PI unless an exception in s.35 applies, most commonly the consent of a competent person (parent/guardian). For both, default "we comply with POPIA" language is insufficient: the Privacy Notice MUST expressly identify the s.27 / s.35 lawful basis. Doxuno's template includes Expert sections that prompt the responsible party to do this properly.


Create Your South African POPIA Privacy Notice Now

Generate a POPIA Section 18 Privacy Notice covering Responsible Party, Information Officer, categories of PI, lawful basis, retention, recipients, cross-border, data subject rights and Regulator complaints — plus optional expert clauses for special PI, children, direct marketing, cookies and automated decisions. Aligned with POPIA Amendment Regulations 2025. Download your PDF in minutes.

Free PDF · Editable Word with Expert · No account required