When a Customer Objects to Processing: What POPIA Section 11(3) Means for Your Business

When a Customer Objects to Processing: What POPIA Section 11(3) Means for Your Business

Receiving a formal objection to how your business processes someone's personal information can feel daunting. What exactly are you required to do? How quickly must you act? And what happens if you disagree with the objection? This article walks through what POPIA section 11(3) says about the right to object, and what a well-run objection-handling process generally looks like.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.

---

What Is the Right to Object?

POPIA section 11 sets out the lawful bases on which a responsible party (that is, your business) may process personal information. Section 11(3) gives data subjects — your customers, employees, suppliers, or any other natural or juristic person whose data you hold — the right to object, at any time, to the processing of their personal information.

The right is not absolute. According to the Act, an objection may be raised where processing is based on legitimate interest or a public-law duty (two of the lawful bases listed in section 11(1)). When a valid objection is lodged, your business is generally required to stop processing that person's information for the purpose they have objected to — unless you can demonstrate compelling, legitimate grounds for continuing that override the data subject's interests.

In plain terms: an objection is a red flag that demands a response, not something that can be filed away and ignored.

---

How an Objection Differs from an Opt-Out

It is worth separating two concepts that are often conflated.

• An opt-out in the direct-marketing context is specifically governed by POPIA section 69. If a customer asks to stop receiving electronic marketing messages, that is an opt-out, and your business must honour it without delay.
• An objection under section 11(3) is broader. It applies to any processing activity based on legitimate interest or public-law duty — not just marketing. A customer could, for example, object to your business sharing their purchase history with a data analytics partner, or to profiling activity used for credit-risk assessment.

Both rights matter, but they sit in different parts of the Act and require slightly different responses.

---

What Your Business Should Do When an Objection Arrives

While POPIA does not prescribe a single mandatory procedure for every organisation, the Information Regulator's published guidance and the structure of the Act point toward a clear, reasonable approach. Here is how most compliance frameworks describe the process:

1. Acknowledge promptly The data subject should receive confirmation that their objection has been received. Silence is not a compliant response. A reasonable acknowledgement window — often cited as within a few business days — demonstrates good faith.

2. Log the objection POPIA section 17 requires responsible parties to maintain documentation of their processing activities. Recording objections — who submitted one, when, and what processing it relates to — forms part of that accountability record.

3. Assess the grounds Not every objection automatically overrides all processing. Your Information Officer (whose duties are set out in POPIA section 55) should assess whether: - The processing in question is actually based on legitimate interest or public-law duty. - There are compelling legitimate grounds for your business that outweigh the data subject's interests, rights, and freedoms. - The processing is necessary for the establishment, exercise, or defence of a legal claim.

If processing is based on consent or a contract, section 11(3) objections work differently — the relevant mechanism for consent-based processing is withdrawal of consent rather than a section 11(3) objection.

4. Communicate the outcome Once assessed, inform the data subject of your decision in writing. If you are stopping the processing, tell them. If you believe you have compelling grounds to continue, explain them clearly. Transparency here is not just good practice — it reduces the likelihood of a complaint to the Information Regulator.

5. Act on your decision If you have agreed to stop the processing, stop it. Update your systems, notify any processors (third parties processing data on your behalf) who need to know, and keep a record of the action taken.

---

What If the Data Subject Disagrees with Your Decision?

If your business decides its legitimate interests override the objection and the data subject is unsatisfied, they may escalate the matter to the Information Regulator. The Regulator has the power to investigate complaints and to issue enforcement notices.

You can find the Information Regulator's complaints process and contact details at inforegulator.org.za.

This is a good reason to document your reasoning carefully. A well-reasoned, written assessment of why your legitimate interests outweigh the objection is far stronger evidence than a verbal decision no one recorded.

---

Common Mistakes to Avoid

• Treating all objections as opt-outs. An objection may cover far more than marketing. Apply the right framework for the right situation.
• Ignoring objections because they seem unreasonable. Even objections you ultimately decide to override require a formal assessment and response.
• Failing to update downstream processors. If a third party is processing data on your behalf and an objection is upheld, that third party must also stop.
• No documentation trail. Without records, you cannot demonstrate compliance to the Information Regulator if a complaint is filed.

---

The Role of Your Information Officer

POPIA section 55 places responsibility on the Information Officer to ensure the organisation complies with the Act, including handling data-subject requests. If your business does not yet have a clearly designated Information Officer — or if that person has not been trained on objection-handling workflows — this is a structural gap worth addressing.

---

Keeping Track at Scale

For small businesses with a handful of requests per year, a shared inbox and a simple spreadsheet log may suffice. As your customer base grows, managing objections, access requests (POPIA section 23), and correction requests (POPIA section 24) manually becomes error-prone. Purpose-built compliance tooling can help route, track, and document these interactions automatically — reducing the risk of a missed deadline or an undocumented decision.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including how section 11(3) applies to your specific processing activities — consult a qualified attorney.