The Popi Act and Debt Collection - The Implications, Duties and Responsibilities

02 August 2021 ,  Allan Lesesa 323

In recent days leading to and after the 1 JULY 2021, there has been a real frenzy regarding a new law in South Africa– the PROTECTION OF PERSONAL INFORMATION ACT. This law turned upside down, as it were, the manner of which personal information is obtained, dealt with, used and stored. This article seeks to discuss in part the implications of this law, duties and responsibilities of relevant stake holders as far as it is or may be related to the process of debt collection.



The PROTECTION OF PERSONAL INFORMATION ACT 4 of 2013 is a newly promulgated law which seeks to regulate how information classified as “personal” should be processed when it is obtained from individuals (data subjects), how it should be stored, used and destroyed.

Under our Constitutional dispensation, information classified as personal is protected and must be treated with utmost confidentiality. In terms of the POPIA, this means information provided by individuals can only be used for the explicit purpose that it was obtained and consented for only. This goes to great extents, even in the case of data transfer, the person who obtained the personal information (responsible party) must ensure that it does so with consent of the data subject if such consent was not obtained initially.


(I pause to note that what is described as personal information hereunder is not conclusive in terms of the act, it is selectively mentioned to the great extent that it relates to debt collection processes.)

Personal information means information relating to identifiable live/active persons such as their gender, sex, marital status, age, mental health, financial status and records, employment history, identity number, addresses (email and or physical) and etcetera.

Exchange and process of personal information virtually takes place every second. As already indicated, such information is protected and may only lawfully be used with the necessary consent of the data subject. This means that credit/service providers who often hand over unpaying clients/customers to debt collection attorneys or agencies must comply with the duties and responsibilities imposed by POPIA.

Failure to comply with the law when a business or individual processes, uses and stores protected personal information may result with dire consequences. This may include but is not limited to, great reputational loss, lack of trust and inability to attract or retain clients, penalties and sanctions of up to 10 million rand and or including civil and criminal actions.

All this may sound threatening to those who do not take necessary measures to comply with the law. On the other hand, it should be perceived as a very welcomed and reasonable law for those who are compliant.


  1. Compliance includes basic endeavors to always treat personal information with heightened sensitivity, care and protection.
  2. Adopting and putting in place internal policies of compliance to be in at the disposal of all who deal with and give personal information.
  3. As is traditionally the case in debt collection processes, debtors often start as good faith clients until the decide they no longer want to pay for services or credit provided. It may prove wise for service and credit providers to start off on a good and secure note: when they get a customer, they should have policies or consent forms where they get written consent from their customers/clients who may later turn into their debtors. Such consent to use personal information for debt collection processes will make it easy for service/credit providers to lawfully give personal information of the debtors (data subjects) to their debt collecting agencies or attorneys.

Are you, as a service/credit provider POPIA compliant for purposes of debt collection?

It is encouraged that you ensure that the agency and attorneys you as a business use are compliant and so are you.

If at this stage compliance with POPIA is a hurdle for you, we encourage that you reach out to legal experts such as us (NVR attorneys) to assist you with compliance at the most economic expenses. You owe it to your business...

Reference List:

  • Protection of Personal Information act 4 of 2013.