Khanyitas

POPIA Compliance for Non-Profits and NPCs: What Your Organisation Needs to Know

23 May 2026 · NPO and NPC managers

Non-profit organisations (NPOs) and non-profit companies (NPCs) handle personal information constantly — donor records, beneficiary files, volunteer details, and staff data all fall squarely within the scope of the Protection of Personal Information Act (POPIA). Many NPO managers assume that because their organisation is mission-driven rather than profit-driven, POPIA applies differently or less strictly. That assumption is incorrect: POPIA applies to any person or organisation that processes personal information in South Africa, regardless of legal form or purpose.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.

---

Does POPIA Actually Apply to NPOs and NPCs?

Yes. POPIA defines a "responsible party" as any public or private body — or any other person — that determines the purpose of and means for processing personal information. An NPO that collects donor names and email addresses, or an NPC that maintains a database of beneficiaries, is a responsible party and carries the full obligations that come with that role.

Registration with the Department of Social Development (as an NPO) or incorporation with CIPC (as an NPC) does not create any exemption. The Information Regulator's published guidance makes no carve-out for civil society organisations.

---

The Eight Conditions for Lawful Processing

POPIA sets out eight conditions for lawful processing in section 8. Every time your organisation collects, stores, shares, or otherwise uses personal information, it must satisfy all eight conditions. In practice, the most relevant for NPOs are:

1. Accountability: Your organisation must designate an Information Officer and register that person with the Information Regulator. Section 55 of POPIA sets out the Information Officer's duties, which include ensuring compliance, handling requests from data subjects, and working with the Regulator if required. Smaller NPOs often assign this role to the executive director or a senior manager.

2. Processing limitation (lawful basis): Under section 11, your organisation must be able to point to a valid lawful basis for every processing activity. For donor data, the typical bases are consent (the donor has agreed) or legitimate interest (maintaining records needed to issue tax certificates). For beneficiary data, the basis is more often a contractual or public-law obligation. Processing without a lawful basis is unlawful under POPIA.

3. Purpose specification: Section 13 requires that personal information be collected for a specific, explicitly defined, and lawful purpose. When a donor fills in your donation form, the purpose for which you are collecting their information must be clear — for example, processing the donation and issuing a tax certificate. You cannot then use that same data for an unrelated purpose without re-establishing a lawful basis.

4. Further processing limitation: Section 15 provides that any further processing must be compatible with the purpose for which the information was originally collected. If you collected a donor's email address to send a donation receipt, sending that address to a third-party fundraising agency for a separate campaign would likely be incompatible processing.

5. Information quality: Personal information must be kept accurate, complete, and up to date. Data subjects have a right under section 24 to request corrections to their records.

6. Openness (notification): Section 18 requires that data subjects be informed when you collect their personal information. Your donation forms, volunteer registration pages, and beneficiary intake processes should all include a clear privacy notice explaining what information you collect, why, and how it will be used.

7. Security safeguards: Section 19 requires that responsible parties take reasonable technical and organisational measures to protect personal information from loss, damage, or unlawful access. For NPOs, this means password-protecting donor databases, limiting staff access on a need-to-know basis, and having a documented security policy — even a basic one.

8. Data subject participation: Data subjects have the right to access their personal information (section 23), to request corrections (section 24), and — where processing is based on legitimate interest — to object to processing (section 11(3)).

---

Donor Data: Particular Considerations

Donor databases are among the most sensitive assets an NPO holds. A few points specific to donor management:

---

Beneficiary and Special Personal Information

Many NPOs work with vulnerable populations and necessarily collect sensitive information — health status, financial circumstances, religious affiliation, or information about children. Section 26 of POPIA prohibits the processing of special personal information as a general rule. Section 27 sets out the limited circumstances in which such processing is authorised — for example, with the explicit consent of the data subject, or where processing is necessary to exercise a right or obligation in employment law, or for other specified public-interest grounds.

NPOs dealing with health data, data about minors, or data about people's beliefs should pay particular attention to sections 26 and 27 and seek qualified legal advice on their specific programmes.

---

Cross-Border Transfers

If your NPO receives funding from an international donor body and shares beneficiary reports or financial records with an entity outside South Africa, section 72 of POPIA may apply. Personal information may generally only be transferred to a foreign country if that country has adequate data protection laws, the data subject has consented, or one of the other statutory conditions is met. Check inforegulator.org.za for the Regulator's current guidance on cross-border transfers.

---

Practical First Steps for NPO Managers

  1. Designate and register your Information Officer with the Information Regulator at inforegulator.org.za.
  2. Map your data flows — list every category of personal information you hold, where it comes from, why you process it, and who can access it.
  3. Review your forms and intake processes to ensure section 18 notifications are in place.
  4. Check your marketing lists for section 69 opt-in compliance.
  5. Put operator agreements in writing for any third-party service providers who handle personal data on your behalf.
  6. Document your processing activities — section 17 requires that responsible parties maintain records of processing, and documented records are your first line of defence in the event of a complaint to the Regulator.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including the specific activities of your NPO or NPC — consult a qualified attorney. For official guidance, visit the Information Regulator at inforegulator.org.za.