POPIA for landlords — a survival guide, not a compliance cosplay
Five things POPIA actually asks of South African landlords, five things it doesn't, and how to pick tenants you can serve without hoarding data you shouldn't.
South PropMan team
Two years after POPIA took full effect there’s still a split in the market. One camp thinks “we took down the tenant database from a shared Google Drive, we’re fine”. The other camp paid a consultant R85 000 for a binder nobody reads. Both are losing.
Here’s what POPIA actually asks of a working landlord — and the smallest set of habits that gets you there.
1. You need a lawful basis for every piece of PII you hold
Not vibes. Not “we’ve always collected that”. One of: consent, contract performance, legal obligation, legitimate interest, vital interest, public task. For tenant onboarding the honest answer is usually contract performance (ID, bank details for rent reconciliation) plus legal obligation (FICA-equivalent KYC).
That’s it. A landlord does not need a tenant’s:
- Religion
- Marital status (unless co-signing)
- Children’s school names
- Previous landlords’ bank details
- A personal guarantor’s medical history
If you can’t say which of the six bases covers the field on your application form, delete the field.
2. The purpose test isn’t optional
Every purpose must be specific, explicit and lawful. “Marketing” is not a purpose; “inviting the tenant to renew their lease 60 days before expiry” is. The test matters because it scopes retention: once the purpose is done, the lawful basis evaporates and you’re now holding personal information without authority.
A concrete workflow:
1. Write down, per field on your application form, the one sentence that describes why you need it.
2. Put a sunset date on each one. “ID copy — retained for the duration of tenancy plus 5 years (statutory accounting retention).” Not “forever”.
3. Run a retention sweep quarterly. Anonymise everything past its sunset.
The product has a retention sweep job that does step 3 automatically once you’ve entered step 2.
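What a minimal version of that sweep looks like in code, written here as an added example rather than South PropMan's own job: each field carries its one-sentence purpose and a sunset rule, fields past sunset are anonymised, and fields with no documented purpose at all are dropped (the point of section 1). Field names, the sample records and the `add_years` helper are assumptions for illustration.

```python
from datetime import date
from typing import Callable, Dict, List, Tuple

STATUTORY_YEARS = 5                   # "tenancy plus 5 years" accounting retention, as in the post
REDACTED = "[anonymised]"
KEYS = {"tenant_ref", "tenancy_end"}  # record bookkeeping, not personal-information fields

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:                # 29 February landing on a non-leap year
        return d.replace(year=d.year + n, day=28)
# Per field (hypothetical names): the one-sentence purpose and a sunset rule
# mapping the tenancy end date to the last day the field may be kept.
RULES: Dict[str, Tuple[str, Callable[[date], date]]] = {
    "id_copy": ("Identity check and statutory accounting records",
                lambda end: add_years(end, STATUTORY_YEARS)),
    "bank_account": ("Reconcile rent payments under the lease",
                     lambda end: add_years(end, STATUTORY_YEARS)),
    "phone": ("Contact the tenant about the lease during the tenancy", lambda end: end),
}

def sweep(records: List[dict], today: date) -> Tuple[List[dict], List[tuple]]:
    """Anonymise fields past sunset, delete fields with no documented purpose, log both."""
    log = []
    for rec in records:
        for name in [k for k in rec if k not in KEYS and k not in RULES]:
            del rec[name]             # no lawful basis written down for it, so drop the field
            log.append((rec["tenant_ref"], name, "no documented purpose"))
        end = rec.get("tenancy_end")
        if end is None:
            continue                  # active tenancy: every ruled field still serves the contract
        for name, (purpose, sunset) in RULES.items():
            if rec.get(name) not in (None, REDACTED) and today > sunset(end):
                rec[name] = REDACTED
                log.append((rec["tenant_ref"], name, "sunset passed: " + purpose))
    return records, log

def sample_records() -> List[dict]:   # constructed sample data, not real tenants
    return [
        {"tenant_ref": "T-001", "tenancy_end": date(2018, 6, 30), "id_copy": "scan.pdf",
         "bank_account": "62xxxxxxxx", "phone": "+27 82 000 0000", "religion": "unknown"},
        {"tenant_ref": "T-002", "tenancy_end": date(2023, 1, 31), "id_copy": "scan.pdf",
         "phone": "+27 83 000 0000"},
        {"tenant_ref": "T-003", "tenancy_end": None, "id_copy": "scan.pdf", "phone": "+27 84 000 0000"},
    ]

def demo(today: date = date(2024, 3, 1)):
    return sweep(sample_records(), today)
```

The log is the artefact to keep: it is the evidence that a field was held for a written purpose and removed when that purpose ended, and running the sweep again on already-cleaned records produces no new entries.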
3. Data-subject rights are real, time-bound, and specific
A current or former tenant can ask you to:
- Confirm what personal information you hold about them
- Give them a copy of it
- Correct anything inaccurate
- Delete anything beyond its retention purpose
- Object to a processing activity they find objectionable (e.g. profiling)
You have reasonable time — interpret as 30 days — to respond. “I was busy” is not a defence. The Information Regulator has started issuing enforcement notices; first offences have been warnings, second offences will be fines.
Practical setup: publish an Info Officer email on your site (it’s required anyway) and route every incoming request through one queue. Our Compliance console does the triage state machine if you’d rather not build one.
4. Cross-border transfer is the quiet trap
If your property management software is hosted abroad, or if you email tenant data to a reporting accountant who’s on a foreign Gmail, you’ve made a cross-border transfer. POPIA allows these, but you need one of:
- The recipient country has adequate protection (SA has given this finding to exactly zero jurisdictions so far)
- Binding corporate rules (intra-group only)
- Standard contractual clauses with the recipient
- Explicit consent from the data subject
Most breach investigations surface a cross-border transfer the landlord didn’t know they were making. Audit your sub-processors. Our privacy policy lists every one of ours.
5. The 72-hour breach rule is real
If personal information under your control is compromised — a leaked spreadsheet, a stolen laptop, a bad email to the wrong distribution list — you must notify the Information Regulator and the affected data subjects as soon as reasonably possible. Everyone panics about the 72 hours; the real work is realising it’s a breach at all.
Three practical guards:
- Encrypt laptops. A stolen encrypted laptop is not a breach.
- Use two-factor auth on email. An intercepted email thread is a breach.
- Log who touched what. Without an audit log you can’t determine scope, which means you must assume worst-case — and notify everyone.
What POPIA does not require
- A 400-page policy document. A working policy fits on one page.
- An external consultant. Helpful, not mandatory.
- A “POPIA banner” on every email. That was a brief marketing trend; it’s never been in the act.
- Separating marketing consent from operational communication about an existing contract. Transactional emails about a tenant’s lease aren’t marketing.
The bottom line
POPIA rewards small habits, not binders. Collect less. Write down why. Sunset everything. Log access. Respond to requests. If a consultant sells you a product that doesn’t make those five things easier, they’re selling you compliance cosplay.
If you’d like to see how South PropMan turns each of those into a product primitive, talk to us. The first conversation doesn’t need any of your data.