Khanyitas

Sending Personal Information Offshore: POPIA Section 72 Explained

23 May 2026 · Businesses using offshore cloud services

Many South African businesses use offshore cloud services — whether for payroll, CRM, email, storage, or accounting. If any of that infrastructure sits outside South Africa and processes personal information about South African data subjects, POPIA's cross-border transfer rules come into play. Here is what the legislation says and what it means in practice for your business.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.

---

What Is a Cross-Border Transfer?

A cross-border transfer occurs when personal information collected in South Africa is sent to, stored in, or accessed from a country or territory outside South Africa. Common examples include:

If any of these scenarios apply to your business, POPIA section 72 is directly relevant.

---

What Does POPIA Section 72 Require?

Section 72 of the Protection of Personal Information Act sets out the conditions under which a responsible party (that is, the entity that determines the purpose and means of processing) may transfer personal information about a data subject to a third party in a foreign country.

In plain terms, POPIA section 72 permits a cross-border transfer only when at least one of the following conditions is satisfied:

  1. Adequate protection in the recipient country. The foreign country, territory, or international organisation to which the data is being sent has laws in place that provide an adequate level of protection — broadly comparable to what POPIA requires in South Africa. The Information Regulator (inforegulator.org.za) is the authority responsible for making and publishing such adequacy determinations.
  2. Binding agreement. The responsible party (your business) and the recipient have entered into a binding contract that uplifts the level of protection for that transfer to a standard that is substantially similar to POPIA's requirements. Data processing agreements (DPAs) or standard contractual clauses modelled on international practice are commonly used for this purpose.
  3. Consent of the data subject. The data subject has consented to the specific transfer. Note that consent under POPIA must be voluntary, specific, and informed — a general acceptance of terms and conditions may not be sufficient.
  4. Necessary for a contract. The transfer is necessary for the performance of a contract between the responsible party and the data subject, or for the implementation of pre-contractual measures taken at the data subject's request.
  5. Benefit to the data subject. The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent, but if it were, the data subject would likely give it.

If none of these conditions apply, the transfer is not permitted under POPIA as currently interpreted.

---

Does South Africa Have a Data Localisation Requirement?

A common question from businesses moving to cloud infrastructure is whether POPIA requires data to be stored *within* South Africa — a concept known as data localisation.

POPIA does not contain a blanket data localisation mandate. Unlike some jurisdictions, South Africa's framework does not prohibit offshore storage by default. What POPIA section 72 does is set conditions that must be met *before* personal information leaves the country. Provided at least one of the section 72 conditions is satisfied, cross-border transfers are permissible.

That said, in practice the adequate-protection and binding-agreement requirements mean that due diligence on your offshore service providers is not optional; it is a built-in compliance obligation.

---

Practical Steps for Businesses Using Offshore Cloud Services

While the specifics of your compliance approach depend on your circumstances (and your attorney's advice), the published Information Regulator guidance points to several areas that responsible parties commonly address:

1. Map where your data goes. Before you can assess section 72 compliance, you need to know which personal information flows outside South Africa, to which countries or vendors, and for what purpose. A data-flow mapping exercise — often recorded as part of the processing records contemplated by POPIA — is a practical starting point.

2. Review your vendor agreements. Check whether your cloud or SaaS vendor contracts include data processing agreements. Look for language that commits the vendor to appropriate technical and organisational security measures and restricts sub-processing to jurisdictions with adequate protection. If a vendor cannot provide this, that is a risk worth escalating.

3. Assess the recipient jurisdiction. The Information Regulator has not yet published a formal adequacy list equivalent to the EU Commission's, but adequacy assessments are within its mandate. In the interim, many South African businesses look to whether a jurisdiction has comprehensive data-protection legislation as a proxy. Keep an eye on the Information Regulator's website for updated guidance.

4. Document your basis for each transfer. Section 72 is conditions-based. For each significant offshore data flow, record which condition you are relying on and the evidence supporting it. If your basis is a binding agreement, keep a copy. If it is consent, keep a record of when and how that consent was obtained.

5. Appoint and brief your Information Officer. POPIA places duties on the Information Officer to ensure compliance. Cross-border transfers should be explicitly included in your Information Officer's oversight responsibilities.

---

A Note on the Broader POPIA Framework

Section 72 does not operate in isolation. A cross-border transfer that is technically permitted under section 72 still needs to comply with all the other POPIA conditions for lawful processing — including processing for a specific, defined purpose, implementing reasonable security safeguards, and notifying data subjects when their information is collected. Compliance with section 72 alone does not mean the broader transfer is lawful.

---

Where to Find Primary Sources

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including which section 72 condition applies to your particular data flows and vendor relationships — consult a qualified attorney.