Legal Grounds for Data Processing

Once POPIA is applied, Personal information can only be processed:

  • with the consent of the data subject (or a competent person where the data subject is a child);
  • if it is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  • if it complies with an obligation imposed by law on the data controller;
  • to protect a legitimate interest of the data subject;
  • if it is necessary for the proper performance of a public law duty by a public body; or
  • if processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.


The processing of personal information for the purpose of direct marketing by means of any form of electronic communication is prohibited unless:

  • the data subject has given his, her its consent, or
  • the data subject is a customer of the data controller. In this case, a direct marketer can only process the personal information:
  • if the responsible party has obtained the contact details of the data subject in the process of the sale of a product or service;
  • and for the purpose of direct marketing of the organisation’s own similar products or services.

In all cases, even where consent has been given, the data subject must be given a reasonable opportunity to object, free of charge, and in an easy to use way on each marketing communication.


Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. It can only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

It is not permitted to process a child’s personal information without the consent of a “competent” adult. A child is defined as any person under the age of 18.

Personal information must be collected directly from the data subject, unless specified by the Protection of Personal Information Act 2013.