POPIA

Your Complete Guide to POPIA Data Removal Rights in 2025

KM
Keoikantse Marungwana
1 March 20258 min read

South Africa's Protection of Personal Information Act (POPIA) gives you powerful rights over your personal data — including the right to have it deleted. Yet most South Africans have never exercised these rights. With the 2025 amendments strengthening enforcement and expanding the Information Regulator's powers, there has never been a better time to take control of your digital identity.

This guide walks you through everything you need to know about your POPIA data removal rights: what the law actually says, how to submit deletion requests, what happens when organisations refuse, and how OremAI can automate the entire process for you.

What POPIA Actually Says About Your Right to Deletion

Two key sections of POPIA govern your right to have personal information removed:

  • Section 11(3)(a) — You may object to the processing of your personal information at any time if it is being processed on the basis of legitimate interest or for a purpose you did not consent to. Once you object, the responsible party must stop processing unless they can demonstrate compelling legitimate grounds.
  • Section 24 — You have the right to request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. The responsible party must comply or provide reasons for refusal.

Together, these sections form the legal backbone of every data removal request in South Africa. Unlike the GDPR's "right to erasure," POPIA's deletion provisions are tightly linked to the accuracy and relevance of data — meaning you do not need to prove harm, only that the data is no longer necessary for its original purpose.

"Under POPIA, the burden is not on you to prove why your data should be deleted. It is on the organisation to prove why they still need it."

The 2025 POPIA Amendments: What Changed

The Information Regulator's 2025 enforcement guidelines introduced several important changes that strengthen your position as a data subject:

  • Stricter compliance timelines: Responsible parties now have a firm 30-day window to respond to deletion requests. Failure to acknowledge receipt within 5 business days is itself a violation.
  • Higher administrative fines: The Regulator can now impose fines of up to R10 million for non-compliance, up from the previous enforcement notice system that lacked financial teeth.
  • Mandatory data broker registration: Companies whose primary business involves aggregating and selling personal information must now register with the Information Regulator, making it easier to identify and target them with removal requests.
  • Cross-border transfer scrutiny: Organisations transferring South African personal data to jurisdictions without adequate data protection laws face heightened obligations.

These amendments transform POPIA from a largely aspirational framework into a law with genuine enforcement power. For the first time, data brokers operating in South Africa face real consequences for ignoring your deletion requests.

Step-by-Step: How to Submit a POPIA Deletion Request

You can submit a POPIA deletion request to any organisation holding your personal information. Here is the process:

  • Step 1: Identify the responsible party. Find the organisation's Information Officer or Deputy Information Officer. By law, every organisation must have one. Check their website for a POPIA notice or privacy policy, which should list contact details.
  • Step 2: Submit a written request. Use the prescribed POPIA Form 1 (Request for Correction or Deletion of Personal Information) available from the Information Regulator's website. Include your full name, ID or passport number, description of the data you want deleted, and the grounds for deletion under Section 24.
  • Step 3: Pay the prescribed fee (if applicable). Some organisations may charge a small processing fee, but this must be reasonable and disclosed upfront.
  • Step 4: Wait for acknowledgement. The organisation must acknowledge your request within 5 business days.
  • Step 5: Await the outcome. They have 30 days from receipt to either comply with your request or provide written reasons for refusal.
  • Step 6: Escalate if necessary. If they refuse or ignore your request, you can lodge a complaint with the Information Regulator at inforeg.org.za.
"The average South African has their personal data held by 50 to 190 different data broker sites — most of which they have never heard of. Submitting individual POPIA requests to each one is a full-time job."

What the Information Regulator Does When You Complain

The Information Regulator (South Africa's data protection authority) has the power to investigate complaints, conduct assessments, and issue enforcement notices. When you lodge a complaint:

  • The Regulator will assess whether your complaint is valid and falls within its jurisdiction.
  • If accepted, it will attempt to facilitate a resolution between you and the responsible party through conciliation.
  • If conciliation fails, the Regulator can refer the matter to the Enforcement Committee, which has the power to impose administrative fines and order specific compliance actions.
  • In serious cases, the Regulator can refer criminal conduct to the South African Police Service. Offences under POPIA carry penalties of up to 10 years imprisonment.

The Regulator has become increasingly active since 2023, with notable enforcement actions against credit bureaus, telecoms providers, and data aggregators. This signals a shift from education-first to enforcement-first — which is good news for data subjects.

How OremAI Automates Your POPIA Data Removal

Submitting individual POPIA requests to dozens of data brokers is time-consuming and complex. OremAI was built specifically for South Africans who want to exercise their POPIA rights without the hassle.

Here is how it works: OremAI scans 19+ South African data broker sites to find where your personal information is exposed. It then generates and submits legally compliant POPIA Section 24 deletion requests on your behalf, tracks response timelines, and follows up with non-compliant organisations. You get a dashboard showing exactly where your data was found, what has been removed, and what is still in progress.

The entire process is POPIA-native — designed from the ground up around South African law, not adapted from an American or European product. Because your data sovereignty matters.

Ready to see where your personal data is exposed? Run your free OremAI scan today and take the first step toward reclaiming your digital privacy under POPIA.

SHARE THIS ARTICLE
LinkedInTwitter/X
KM

Keoikantse Marungwana

MANAGING DIRECTOR, KEOVATION SOLUTIONS

Keoikantse Marungwana is the founder and Managing Director of Keovation Solutions, building OremAI to help South Africans reclaim their digital sovereignty through POPIA-native technology.

View all articles by Keoikantse

Deepen Your Intel

No image
Privacy

What Data Brokers Know About You (And How to Stop Them)

No image
Privacy

68% of SA Recruiters Google You: How to Clean Your Digital Footprint Before Your Next Interview

No image
Guide

How to Remove Your Personal Information from TrueCaller and SA Data Brokers

Concerned about your digital footprint?

Join thousands of South Africans securing their reputation with OremAI's sovereign vault technology.

Start Free Scan