Five sections of POPIA give data subjects rights you must respect: sections 23 (access), 24 (correction and deletion), 11(2)(b) (withdrawal of consent), 11(3) (objection), and 74 (complaint to the Regulator). The first two are where most enquiries land.
1. The right of access (section 23)
A data subject can ask you to confirm whether you hold personal information about them and, if so, to provide a copy. The statutory response time is "a reasonable time", which the Information Regulator interprets as 30 days from receipt of a verified request.
Before you disclose anything, verify the requester's identity; without that step, the access right becomes a way for an impostor to obtain someone else's personal information. A matched email address plus one piece of secondary information (last invoice number, last order date) is enough for most low-risk cases. For high-risk categories (financial, health), ask for proof of identity.
When you respond, give them:
- A description of the personal information you hold
- The source of the information if not collected from them directly
- The purpose of processing
- The recipients (operators and third parties)
- How long you keep the information
If you refuse part of a request, tell them which part and why. POPIA section 23 allows certain refusals - for example, if disclosure would reveal another data subject's personal information.
2. The right to correction or deletion (section 24)
A data subject can ask you to correct information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. They can also ask you to delete information you are no longer entitled to retain.
This right has a hard limit: you cannot delete what you must keep by law. The Tax Administration Act, the Companies Act, and the FIC Act all impose retention requirements. If you are required to keep something, explain why and for how long.
3. The right to withdraw consent (section 11(2)(b))
If you process personal information on the basis of consent, the data subject can withdraw that consent at any time. Withdrawal does not affect processing already carried out lawfully on the basis of the consent; it only stops processing going forward.
Marketing is the most common case. Every direct-marketing message must include an opt-out, and the opt-out must be honoured promptly.
4. The right to object (section 11(3))
If you process on the basis of legitimate interest or for direct marketing, the data subject can object. You must stop processing on that basis once the objection is received, unless you can show compelling legitimate grounds that override the data subject's interests.
5. The right to complain (section 74)
If a data subject is unhappy with how you handled their personal information, they can complain directly to the Information Regulator. Engage proactively - the Regulator generally favours responsible parties who can show they took complaints seriously and responded substantively.
How Khanyitas helps
Every DSAR you receive goes through a workflow that tracks the 30-day clock, captures the requester's verification, and assembles the response evidence pack. The full audit trail is available to show the Information Regulator if there's ever a complaint.