Remainder of Popia Act kicks in to protect personal info
With the remainder of the Protection of Personal Information Act 4 of 2013 (Popia) having come into effect on July 1, South Africans are finally getting some much-needed protection when it comes to the selling and unauthorised use of their personal information.
The purpose of the Act is to protect people from harm by protecting their personal data and their privacy, and to stop their money and identity from being stolen.
The commencement of the provisions of the Act affects all South African citizens and must be taken seriously.
The law provides protection to individuals whose personal information is gathered and used in any manner, which essentially includes the vast majority of citizens and companies, especially those dealing with the processing and use of personal information, such as banks, medical aids, telecommunication companies, internet service providers, etc.
Popia was promulgated in November 2013 after an investigation into privacy and data protection by the South African Law Reform Commission. The objective of the Act is to give effect to the right to privacy, as provided for in section 14 of the constitution of 1996, and aims to regulate the processing and use of personal information by private and public bodies in line with international standards.
Initially, only certain sections dealing with administrative matters (such as definitions, the establishment of the information regulator and the procedure for making regulations, etc.) came into operation in 2014.
The commencement date of the remainder of the Act was scheduled for July 1, and public and private bodies are provided one year from this date to ensure that their practices comply with the provisions of the Act.
Compliance with the Act is extremely important. Less serious offences, such as obstructing an official in the execution of their duties, could lead to a fine or imprisonment of up to 12 months or both. More serious offences could lead to a fine of up to R10m, or 10 years' imprisonment, or a combination of both.
"Personal information" is defined as information that relates to an identifiable, living, natural person and an identifiable existing legal entity. The Act lists eight specific types of information included in this definition, ranging from your name to your biometric information to your personal opinions. Just as a clarification, though, any information shared on social media is regarded as a publication and will generally not enjoy protection.
The Act clarifies the rights of the "data subject", which is the being to whom the personal information relates.
In this regard, we are afforded the following rights:
- to have access to personal information that is kept or used by any private or public body;
- to be informed if someone is collecting or has accessed our personal information;
- to have any incorrect or obsolete information corrected or destroyed;
- and to object to any unauthorised use (or 'processing') of personal information.
The "responsible party" or "data controller" is the public or private body that essentially processes personal information. This includes employers who process the personal information of their employees and clients.
The "processing" of personal information is any operation or activity, whether automated or not, pertaining to the collection, receipt, storage, modification, sharing or destruction of personal information.
This may only occur with the consent of the data subject, if required by law, or if it protects the legitimate interests of the data subject.
*Cilliers is a lecturer at the department of Mercantile Law at the University of the Free State and attorney of the high court of SA.