POPIA & CCTV Compliance in South Africa

POPIA's Condition 6 (Openness) requires that data subjects are informed when their personal information is being collected. For CCTV, this means displaying a clear, visible sign before the person enters the area under surveillance.

What the sign must include

• A statement that CCTV surveillance is in operation
• The name of the responsible party (the business, estate, or security company operating the cameras)
• The purpose of the surveillance (e.g. "for the safety and security of persons and property")
• Contact details for enquiries or access requests (a phone number, email address, or office location)

Where signs must be placed

Signs must be positioned at every entrance to the monitored area — gate entrances, building doors, parking area entries, and reception points. The sign must be visible before the person enters the camera's field of view, not after.

Public-facing vs private property cameras

Cameras on commercial premises, estates, office parks, and retail spaces are clearly subject to POPIA signage requirements. Residential cameras that capture only private interior spaces may fall under the household exemption (Section 6 of POPIA) — but any camera that records a pavement, shared driveway, neighbouring property, or public road is processing third-party personal information and requires signage.

Armed response providers who install or monitor cameras on behalf of clients should ensure signage is part of every installation. The responsible party — typically the property owner or body corporate — bears the legal obligation, but installers who fail to advise on signage risk professional liability.

POPIA's Condition 5 (Information Quality) and the storage limitation principle require that personal information — including CCTV footage — is kept only for as long as necessary to fulfil its stated purpose.

Recommended retention periods

POPIA does not prescribe a specific number of days. Industry practice in South Africa is to retain general surveillance footage for 30 to 90 days, depending on the risk profile of the site:

• Residential properties and estates: 30 days is typical
• Commercial and retail premises: 60–90 days, aligned with insurance claim windows
• High-security environments (banks, data centres): 90+ days, often governed by sector-specific regulations

Footage related to an active incident, insurance claim, or criminal investigation must be retained until the matter is fully resolved — regardless of the standard retention period.

Secure storage requirements

POPIA's Condition 7 (Security Safeguards) requires that personal information is protected against loss, damage, unauthorised access, and unlawful processing. For CCTV, this means:

• Recording equipment must be in a locked, access-controlled location
• Cloud-stored footage must use encrypted connections and strong authentication
• Access logs should record who viewed footage and when
• Automatic overwrite/deletion policies should enforce the retention period

Data subject access requests

Under Section 23 of POPIA, any person recorded on CCTV has the right to request access to footage in which they appear. The responsible party must respond within 30 days. Access may only be refused on grounds specified in the Promotion of Access to Information Act (PAIA) — for example, if releasing the footage would compromise an ongoing criminal investigation or reveal another person's personal information.

Armed response control rooms that store footage on behalf of clients should have a documented process for handling access requests.

The Information Regulator is South Africa's designated authority for enforcing POPIA. It has the power to investigate complaints, conduct assessments, and impose penalties.

Administrative fines (Sections 100–106)

Under Sections 100–102, the Information Regulator can impose administrative fines of up to R10 million for serious POPIA breaches. Factors that influence the fine amount include the severity of the breach, whether it was deliberate or negligent, the number of people affected, and whether the responsible party cooperated with the investigation.

Criminal penalties (Section 105–106)

Sections 105 and 106 create criminal offences carrying penalties of up to 10 years' imprisonment. These apply to intentional conduct such as:

• Obtaining or disclosing personal information unlawfully — Section 105(1)(a) (e.g. selling CCTV footage)
• Obstructing the Information Regulator during an investigation — Section 105(1)(b)
• Failing to comply with an enforcement notice — Section 105(1)(c)

Civil liability (Section 99)

Under Section 99, individuals whose personal information has been unlawfully processed can institute civil action for damages. In the CCTV context, this could include footage shared without consent, cameras deliberately pointed at neighbouring private spaces, or failure to secure recordings that are subsequently leaked.

Enforcement in practice

The Information Regulator has been increasingly active since POPIA's full enforcement date of 1 July 2021. Notable actions include enforcement notices against government departments, financial institutions, and telecoms providers for data breaches. While large-scale CCTV-specific fines have not yet been widely publicised, the Regulator has confirmed that CCTV surveillance falls squarely within POPIA's scope and that complaints are being investigated.

The practical risk for armed response companies and security providers is reputational as much as financial. A publicised POPIA complaint — even before a fine is imposed — can damage client trust.

Registration & Governance

Signage

Storage & Retention

Access Control

Data Subject Rights

Incident Response