Khanyitas

POPIA Correction and Deletion Requests: What SA Businesses Need to Know

23 May 2026 · SA businesses receiving data subject requests

When a customer, employee, or supplier asks you to fix or remove their personal information, that request carries legal weight under the Protection of Personal Information Act (POPIA). Understanding how these requests work — and what a business is expected to do with them — is an important part of running a compliant operation in South Africa.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.

---

What Is a Correction Request?

POPIA section 24 gives data subjects — the people whose personal information you hold — the right to request that you correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. They may also request that you destroy or delete a record you are no longer authorised to retain.

In plain terms: if someone believes the information you hold about them is wrong or should not exist, section 24 gives them a formal route to challenge that.

Who Can Make a Request?

Any data subject whose personal information you process can submit a correction or deletion request. That includes:

There is no prescribed format in POPIA for how the request must be submitted, so businesses are advised to accept requests in writing (email is fine) and to document receipt clearly.

What Are Your Obligations Once a Request Arrives?

Section 24 sets out several things a responsible party (that is, your business) is expected to do once a correction or deletion request is received.

1. Correct or delete the information — or explain why you will not. If the information is indeed inaccurate, out of date, or should not be held, POPIA's framework contemplates that you correct or delete it as soon as reasonably practicable. If you believe the information is accurate and that you have a lawful basis to retain it, you are not automatically required to delete it — but you are expected to respond and explain your position.

2. Notify third parties where practicable. If you have shared the data subject's information with third parties, section 24 contemplates that you take reasonable steps to inform those third parties of the correction or deletion. Where third parties are difficult to identify or contact, document the steps you took.

3. Keep a record. POPIA's documentation requirements (see section 17, which covers records of processing activities) support the practice of keeping a log of data subject requests — when they were received, what action was taken, and when.

4. Respond within a reasonable time. POPIA does not specify a fixed number of days for responding to correction or deletion requests (unlike some international frameworks). The Information Regulator's general guidance emphasises that responses should be prompt. Many compliance practitioners recommend treating 30 days as a working benchmark, but your legal counsel can advise what is reasonable in your circumstances.

When Can You Decline a Deletion Request?

Not every deletion request must be honoured. There are situations where a business may have a lawful basis to retain personal information even after a data subject has asked for it to be removed.

Common examples include:

POPIA section 14 deals with the retention and restriction of records — including the requirement that personal information not be kept for longer than is necessary for the purpose for which it was collected. Reading sections 14 and 24 together gives a clearer picture of when retention is appropriate and when it is not.

Correction Requests vs. Deletion Requests: A Practical Distinction

| Request type | What the data subject wants | Typical response |
|---|---|---|
| Correction | Fix inaccurate or incomplete information | Update the record; notify third parties |
| Deletion / destruction | Remove personal information entirely | Delete where no lawful retention basis exists; explain if declining |

Both types of request are governed by section 24, but the operational steps differ. A correction request is often simpler to handle — you update a field and confirm it is done. A deletion request may require you to locate copies of the data across multiple systems (CRM, email, backups, third-party processors) before you can certify that it has been removed.

Practical Steps for Building a Request-Handling Process

  1. Designate a point of contact. Your Information Officer (whose duties are set out in section 55 of POPIA) is the natural owner of data subject requests. Make sure staff know where to route incoming requests.
  2. Create an intake log. Record the date, the nature of the request, the data subject's identity (verified), and the action taken.
  3. Map your data. You cannot delete data you cannot find. A basic record of processing activities (section 17) helps you locate where a particular person's data lives.
  4. Draft template responses. Having pre-approved response letters — for acknowledgement, for action taken, and for declined requests — reduces delay and keeps your tone consistent.
  5. Train your team. Customer-facing staff should know to escalate a correction or deletion request rather than handling it ad hoc.

Where to Find Primary Guidance

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including whether a particular deletion request must be honoured or may be declined — consult a qualified attorney.