Khanyitas

POPIA Data Retention: How Long Can You Keep Personal Information?

23 May 2026 · SA businesses setting retention policies

For many South African businesses, personal information accumulates quietly — in CRM systems, email threads, HR files, and customer databases. Knowing when to delete or anonymise that information is not just good housekeeping; it is a requirement under the Protection of Personal Information Act (POPIA). This article looks at what POPIA says about data retention, how to think about setting a retention schedule, and where other legislation intersects with your record-keeping obligations.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including how retention rules apply to your industry or your particular categories of data — consult a qualified attorney.

---

What POPIA Section 14 Says About Retention

POPIA section 14 is the core retention provision. In plain terms, it provides that a responsible party (the business or person deciding why and how personal information is processed) may not keep personal information for longer than is necessary to achieve the purpose for which it was collected.

Once that purpose has been fulfilled, the responsible party is generally required to destroy or delete the record, or to de-identify it so that it can no longer be linked to an individual. "De-identification" means removing or anonymising the details that make a record personal — after which POPIA's restrictions on that record no longer apply.

Section 14 does, however, recognise that other laws may require you to keep records for a specific minimum period. In those cases, the longer statutory obligation takes precedence. This is where data retention becomes a balancing act rather than a simple delete-after-use rule.

---

The Intersection With Other Laws

Several pieces of South African legislation impose minimum retention periods that will affect how long you may need to keep personal information, even if POPIA alone would permit earlier deletion:

The practical implication: your retention schedule cannot be drafted by looking at POPIA alone. You need to map each category of personal information you hold against every relevant law before deciding the minimum and maximum period for keeping it.

---

The "Necessary for the Purpose" Test

Where no other law imposes a minimum period, section 14's "necessary for the purpose" test applies. Asking these questions can help frame a retention period for each data category:

  1. What was the original purpose? POPIA section 13 requires that personal information be collected for a specific, defined, and lawful purpose. Your retention period should be tied directly to that purpose — not to a vague sense that the data might be useful one day.
  2. Has the purpose been fulfilled? When a transaction is complete, a contract has expired, or an employment relationship has ended, the original purpose is likely spent.
  3. Is there a legitimate ongoing need? Legitimate grounds might include a reasonable period to handle complaints, warranty claims, or potential litigation — but this period should be defined and documented, not open-ended.
  4. Have you documented your reasoning? POPIA section 17 requires responsible parties to document their processing activities. A written retention schedule, with the rationale for each period, forms part of that documentation.

---

Building a Practical Retention Schedule

A retention schedule is simply a written policy that lists each category of personal information your business holds, the purpose for which it was collected, the applicable minimum retention period (from other legislation, where relevant), the maximum retention period under POPIA's "necessary" test, and the deletion or de-identification method to be used at the end of that period.

For most SMEs, the categories might include: customer contact and transaction records, employee and contractor records, supplier records, marketing opt-in lists, and CCTV or access-control footage.

Once you have a schedule, the harder part is operationalising it — making sure your systems actually delete or anonymise records when the period expires, rather than retaining them indefinitely by default. Automated deletion workflows or periodic manual audits are the two most common approaches.

---

A Note on Direct Marketing Records

If you collect personal information to send direct marketing communications, POPIA section 69 requires that electronic direct marketing is opt-in. When a data subject withdraws consent or opts out, section 11(3) gives them the right to object to processing for direct marketing purposes. Once consent is withdrawn, there is no longer a lawful basis to use that information for marketing — which means your retention schedule should reflect a prompt deletion or suppression of that person's contact details from marketing lists (while potentially retaining a record of the opt-out itself to demonstrate compliance).

---

What Happens if You Retain Data Too Long?

The Information Regulator (inforegulator.org.za) has the authority to investigate complaints and issue enforcement notices. Retaining personal information beyond the necessary period — without a lawful basis for doing so — can constitute a breach of POPIA and expose a business to regulatory action. Data subjects also have the right under section 23 to request access to the personal information a business holds about them, and under section 24 to request correction or deletion where appropriate.

Keeping clear, documented retention schedules makes it significantly easier to respond to such requests and to demonstrate compliance if the Regulator comes knocking.

---

Key Takeaways

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including how retention obligations interact with your industry's regulatory requirements — consult a qualified attorney.