Khanyitas

POPIA for Body Corporates and Homeowners' Associations: What Trustees and Managing Agents Need to Know

23 May 2026 · Trustees and managing agents

Body corporates and homeowners' associations (HOAs) collect, store, and share a surprising amount of personal information every day — owner contact details, levy payment histories, visitor logs, security footage, and more. The Protection of Personal Information Act (POPIA) applies to all of this, and trustees and managing agents are directly in the frame.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.

---

Does POPIA Actually Apply to a Body Corporate or HOA?

Yes. POPIA applies to any "responsible party" that processes personal information in South Africa — regardless of whether the organisation is a for-profit business. A body corporate registered under the Sectional Titles Schemes Management Act and an HOA constituted as a non-profit company (NPC) or homeowners' association under the Companies Act are both legal persons. When they collect or use personal information about owners, residents, tenants, employees, or visitors, they are processing personal information under POPIA, and the Act's conditions for lawful processing apply.

---

The Information Officer Obligation

Under POPIA section 55, every responsible party must designate an Information Officer (IO). For a company or NPC, the IO is the CEO or equivalent by default — in practice, the body of trustees or HOA board can delegate the role in writing to a managing agent or a senior trustee. The IO is responsible for encouraging compliance, dealing with requests from data subjects, and working with the Information Regulator.

If your scheme or association uses an external managing agent, it is important to be clear in your management agreement about who holds the IO role and who is a mere "operator" (a party that processes data on behalf of the responsible party). The managing agent is almost always an operator, which means the body corporate or HOA remains accountable under POPIA even when day-to-day data handling is outsourced.

---

What Personal Information Do You Actually Hold?

Common categories of personal information held by body corporates and HOAs include:

Each category may carry different obligations, so a simple data inventory is a useful first step.

---

Key POPIA Conditions That Apply to Your Scheme

Collecting only what you need (purpose limitation)

POPIA section 13 requires that personal information be collected for a specific, explicitly defined, and lawful purpose. Collecting owner ID numbers purely for an internal directory, for example, may not be justified if a name and email address would serve the same purpose. Ask whether each data point is genuinely necessary.

Telling people you are collecting their information

POPIA section 18 requires the responsible party to notify a data subject when their personal information is collected — including the purpose, how long the data will be kept, and whether it will be shared with third parties. A clear privacy notice on your levy collection forms, new-owner welcome packs, and the scheme's website covers much of this obligation.

Keeping data only as long as necessary

POPIA section 14 sets out the retention and restriction principle. Personal information should not be kept longer than is necessary to achieve the purpose for which it was collected, unless a separate law requires a longer retention period (for example, certain financial records under FICA). A simple retention schedule — "levy correspondence: five years from resolution; CCTV footage: 31 days unless an incident is flagged" — demonstrates good-faith compliance.

Security safeguards

POPIA section 19 requires reasonable technical and organisational measures to protect personal information against loss, damage, or unlawful access. For a body corporate or HOA, this typically means: password-protected levy management software, limited access to owner records on a need-to-know basis, and a clear policy for managing external service providers who may see resident data.

Breach notification

If personal information is compromised — a laptop is stolen, an email is sent to the wrong distribution list, a managing agent's system is hacked — POPIA section 22 requires the responsible party to notify both the Information Regulator and affected data subjects as soon as reasonably possible. Having a short, documented incident-response procedure means you will not be scrambling when something goes wrong.

Owners' rights of access and correction

Owners and residents have the right under POPIA section 23 to request access to their personal information held by the scheme, and the right under section 24 to request correction of inaccurate data. A managing agent should know how to receive, log, and respond to such requests. POPIA sets a response timeframe for these requests; the day count is not reproduced here, so check the Information Regulator's published guidance at inforegulator.org.za for the current requirements.

---

Special Personal Information: Biometrics and Health Data

Many complexes now use fingerprint or facial-recognition access control. Biometric information is "special personal information" under POPIA section 26, which prohibits its processing unless a specific authorisation under section 27 applies. Before installing or continuing to use biometric access systems, the scheme should obtain explicit, informed consent from each person enrolled — or confirm that another lawful authorisation applies. This is an area where specialist legal advice is strongly recommended.

---

Sharing Owner Information with Third Parties

Managing agents sometimes share owner or tenant lists with contractors, attorneys handling debt collection, or insurers. Each of these transfers carries obligations:

A short data-sharing clause in contractor and attorney appointment letters is a practical way to document compliance.

---

Direct Communications to Owners

Scheme newsletters, AGM notices, and levy reminders sent by email or SMS fall within the scope of POPIA section 69, which governs direct marketing by electronic communication. Because these communications are broadly administrative rather than commercial marketing, they typically rely on the existing relationship and legal obligation to keep owners informed — but if your scheme sends commercial or promotional content (advertising a service provider, for example), section 69's opt-in requirement becomes relevant.

---

Practical Starting Points for Trustees and Managing Agents

  1. Designate your Information Officer in writing and record it in your trustees' or board minutes.
  2. Do a simple data inventory — list what personal information you hold, where it is stored, and who has access.
  3. Review your management agreement to clarify which party is the responsible party and which is the operator.
  4. Update your owner and tenant onboarding documents to include a POPIA-compliant privacy notice.
  5. Write a one-page incident response checklist so the IO knows exactly what to do if a breach occurs.
  6. Seek specialist advice on any biometric systems already in use.

The Information Regulator's website (inforegulator.org.za) publishes guidance, complaint forms, and the PAIA manual template — all freely available.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — particularly regarding biometric data, managing-agent contracts, or data breach incidents — consult a qualified attorney.