Information Regulator extends commencement date for POPIA prior authorisation

​​​​​​The Information Regulator has extended the commencement date of the POPIA provision that requires organisations to obtain prior authorisation if they process certain categories of personal information.  The commencement date of that provision is now 1 February 2022.

This means that an organisation that is required to obtain prior authorisation from the Information Regulator does not need to suspend its processing of personal information during such time that the Information Regulator is processing its application for prior authorisation.  Such organisations will not incur any penalties under POPIA for processing personal information after 1 July 2021.  However, it is imperative that if your organisation does need prior authorisation, you must:

submit your application for prior authorisation to the Information Regulator before 1 February 2022


comply with the remainder of POPIA – failure to do so will attract penalties

Organisations who perform the following activities are required to obtain prior authorisation from the Information Regulator:​​

  • Processing unique identifiers (for example, bank account details, identity numbers or telephone numbers) of data subjects for a purpose other than the purpose for which the identifier was specifically intended at collection, with the aim of linking the information with information processed by other responsible parties.
  • Processing criminal behaviour or illegal, objectionable conduct on behalf of third parties.  An example of this includes service providers who are contracted to perform criminal record checks for employers prior to offering employment to a prospective candidate.
  • Processing information for credit reporting (for example credit bureaus).
  • Transferring special personal information or personal information of children to a third party in a foreign country that does not have adequate data protection laws.

    • Tip: if you use cloud service providers to store your organisation's data, find out which country their servers are based in – you may unintentionally contravene the requirement to obtain prior authorisation if their servers are based in a country without sufficient data protection laws.

We have published an update on the Information Regulator's guidelines for applicants who require prior authorisation to process certain categories of information under POPIA.​


These materials are provided for general information purposes only and do not constitute legal or other professional advice. While every effort is made to update the information regularly and to offer the most current, correct and accurate information, we accept no liability or responsibility whatsoever if any information is, for whatever reason, incorrect, inaccurate or dated. We accept no responsibility for any loss or damage, whether direct, indirect or consequential, which may arise from access to or reliance on the information contained herein.

© Copyright Webber Wentzel. All Rights reserved.

Webber Wentzel > News > Information Regulator extends commencement date for POPIA prior authorisation
Johannesburg +27 (0) 11 530 5000
Cape Town +27 (0) 21 431 7000
Validating email against database, please wait...
Validating email: please wait...
Email verified: Please click the confirmation link sent to your mailbox, also check junk/spam folder. If you no longer have access to this email address or haven't received the verification email then email
Email verified: You are being redirected to manage your subscription
Email could not be verified: Please wait while you are redirected to the Subscription Form
Unanticipated error: Saving your CRM information Subscription Form