Protection of Personal Information Act (POPIA)

The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. The purpose of the Act is to protect people from harm by protecting their personal information.

The Protection of Personal Information Act involves three parties:

  • The data subject: the person to whom the information relates.
  • The responsible party: the person who determines why and how to process.
  • The operator: a person who processes personal information on behalf of the responsible party.

POPIA places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of the personal information.

Is EvTrack POPIA compliant (certified)?

At EvTrack, we care deeply about the security of your personal information provided to us. You can read more about what EvTrack has done to comply with data protection laws, including POPIA in our Data Storage and Data Security.

It is not possible to be certified as the Information Regulator has not yet set up a system allowing organisations the ability to obtain a POPIA certification.

Although POPIA was signed into law on 26 November 2013 and commenced on 1 July 2020, it is not yet effective as there is a one year grace period that expires on 1 July 2021.

What is POPIA?

The Protection of Personal Information Act (POPIA) is a new South African privacy law which becomes enforceable on 1 July 2021. It aims to strengthen the security and protection of personal data in South Africa. 

POPIA is very similar to the GDPR but uses slightly different terminology.

  • Rather than a controller, POPIA refers to a responsible party.
  • Rather than a processor, POPIA refers to an operator.
  • Rather than personal data, POPIA refers to personal information. 

What is Personal Data?

“Personal data” as defined by data protection law is broad and includes:

  • Direct personal information e.g. names and contact details, as well as
  • Indirect identifiers such as email addresses and IP addresses.

Note: GDPR applies to the personal data of natural persons and not legal persons, like companies. This differs from POPIA, which applies to the personal information of both natural and legal persons.

What does EvTrack do with my Personal Information?

  • When you use our services, we will store your data on our database to enable us to provide those services and to improve those services by making them more relevant.

  • We do not share user data with third parties except as described in our Privacy Policy

What is EvTrack’s role as defined by data protection law?

We are an Data Processor (or operator) of Personal Data (storage, recording, organisation or retrieval). We are the entity which processes personal data on behalf of the controller (responsible party). 

Controller: Our customers are the "Data Controller"/"Responsible Party" and we process information on their behalf. They decide which information is collected from you, how it is processed and how long it is retained. This personal data includes details such as names and contact information. 

Processor: We act as the "Data Processor"/"Operator" and our customers are "Data Controller"/"Responsible Party". We are the processor of data that is submited and uploaded to your account, as we store this data on your behalf. 

Your acount may capture the personal information of your clients and contratactors. You control this data and how it gets collected and used, and EvTrack processes this data by storing it on our servers.

What has EvTrack done to comply with data protection laws?

  • We have conducted an audit of business processes that deal with personal data of individuals and other subjects, including how we collect, process and store this data securely.

  • We have updated our * Privacy Policy and Data storage and data security policies.

  • We have audited our “Right to be Forgotten” process to ensure that customers leaving EvTrack (Pty) Ltd can have their personal information deleted.

  • We have implemented a Privacy by Design and by Default Policy (PbD Policy).

  • We have updated our incident response policies and procedures.