Section 5 of POPIA grants data subjects (individuals whose personal information is processed) specific rights that organisations are legally required to respect. Failing to respond appropriately to a data subject request is itself a POPIA violation and can result in a complaint to the Information Regulator.
Data subjects have the right to request confirmation of whether an organisation holds their personal information and to receive a copy of that information. Requests must be responded to within a reasonable time — POPIA does not specify an exact period, but within 30 days is generally considered the standard.
If personal information is inaccurate, incomplete or outdated, the data subject has the right to request correction or deletion. The organisation must either make the correction or explain why it declines to do so.
Data subjects may request the deletion of personal information where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where it was unlawfully processed. Deletion requests do not override legal retention obligations — if the law requires you to keep a record, you may decline a deletion request for that reason.
Data subjects may object to processing that relies on legitimate interest grounds or that is carried out for direct marketing purposes. An objection to direct marketing must be honoured immediately and permanently.
Every data subject has the right to lodge a complaint with the Information Regulator of South Africa. The Regulator may investigate, require remediation, and impose sanctions.
Data subjects have the right not to be subject, without human review, to decisions that significantly affect them and are taken solely on the basis of automated processing.
Under PAIA, private organisations are required to have a PAIA manual that describes how access to information (including personal information) may be requested. This manual must be submitted to the South African Human Rights Commission. Many organisations have not done this, which is itself a compliance gap.
In practice, the biggest challenge with data subject rights is finding the personal information on request. An organisation with a disorganised file system and no data map will struggle to respond to access requests within a reasonable timeframe. A repository assessment and proper document classification are prerequisites for managing data subject rights effectively.