ENHANCING DATA SUBJECT RIGHTS: KEY TAKEAWAYS FROM THE 2025 POPIA REGULATION AMENDMENTS

On 17 April 2025, the Information Regulator published critical amendments to the Regulations under the Protection of Personal Information Act, 4 of 2013 (POPIA). These changes, which came into immediate effect, aim to bolster the rights of data subjects and refine the compliance obligations for responsible parties.

This edition of our legal update provides a concise overview of the key amendments and the practical implications for businesses and legal practitioners.

Key Regulatory Enhancements

1. Refined Definitions for Legal Certainty

Several definitions have been introduced or updated to improve clarity and consistency:

• Complainant / Complaint – Clarified who may lodge a complaint and on what basis.

• Day – Defined as a calendar day, with adjustments if deadlines fall on public holidays or Sundays.

• Office Hours – Standardised for consistency in submissions.

• Relevant Body – Introduced to support development of industry-specific codes of conduct.

• Writing – Aligned with the Electronic Communications and Transactions Act, encompassing digital communication.

2. Expanded Access Channels for Data Subjects

Data subjects now have enhanced and more flexible ways to exercise their rights:

• Objections to Processing may be submitted at no cost via hand delivery, fax, post, email, SMS, WhatsApp, or other accessible means. Telephonic objections are also permitted, provided they are recorded and made available upon request.

• Requests for Correction or Deletion of personal information may be submitted via the same channels. Responsible parties must respond within 30 days.

3. Stricter Consent Standards for Direct Marketing

To protect individuals from unsolicited communications, the Regulations now require:

• Explicit Consent – Responsible parties must obtain clear, affirmative consent before processing personal information for direct marketing. Pre-ticked boxes or opt-out models are no longer adequate.

• Accessible Consent Channels – Consent must be obtained through channels accessible to the data subject (e.g email, telephone, SMS, WhatsApp). Telephonic consents must be recorded and retained for accountability.

4. Inclusive and Strengthened Complaints Process

The amended complaints procedure now enables:

• Broader Standing – Any person with a sufficient personal interest, or acting in the public interest, may lodge a complaint.

• Flexible Submission Methods – Complaints can be submitted via email, fax, courier, post, or hand delivery. The Regulator must acknowledge receipt within 14 days and offer assistance in other official languages where required.

5. Instalment Payments for Administrative Fines

Recognising financial challenges, the amendments now allow for:

• Payment Arrangements – Responsible parties may apply to pay fines in instalments, subject to approval based on financial circumstances and other factors.

Practical Compliance Considerations

Legal practitioners and clients are encouraged to act promptly to ensure continued compliance:

• Update privacy policies and data processing agreements to reflect the new definitions and consent requirements.

• Train staff on updated procedures for handling objections, correction requests, and complaints.

• Review and enhance internal compliance frameworks, ensuring that Information Officers are equipped to implement continuous improvements as mandated.

Conclusion

These amendments represent a significant step in the evolution of data protection in South Africa. By empowering data subjects and holding responsible parties to stricter standards, the 2025 POPIA Regulation amendments reinforce the foundational principles of transparency, accountability, and informed consent.

The amendments also enhance personal agency and provide more practical means to protect one’s personal information. Individuals now have simplified and flexible channels to object to how their data is used or to request corrections and deletions. The revised consent requirements ensure that personal information cannot be used for direct marketing without explicit, informed permission. Additionally, the improved complaints process offers a more accessible path to raise concerns and seek redress, reinforcing individuals’ trust in how their data is handled.