What is POPIA and What Does It Mean for Your Business Invoices?

This article explains how POPIA (the Protection of Personal Information Act) applies to South African business invoicing: what client data you hold, what POPIA requires of you, and how to stay compliant.

Rebill Team

POPIA (the Protection of Personal Information Act) requires South African businesses to handle client personal information responsibly. When you invoice clients, you collect and store personal data including names, addresses, email addresses, and bank details. POPIA applies to all of this data and requires you to protect it, use it only for legitimate purposes, and respect clients’ rights over their own information.

What is POPIA?

The Protection of Personal Information Act (POPIA) is South Africa’s primary data privacy law, fully effective since 1 July 2021. It is regulated by the Information Regulator and aligns closely with international standards like the EU’s GDPR.

POPIA applies to any “responsible party” (a person or organisation that determines why and how personal information is processed) and any “operator” (who processes information on behalf of a responsible party).

As a business that invoices clients, you are a responsible party for the personal information you hold about them.

What personal information do you hold when invoicing?

When you create and send invoices, you typically store:

  • Client name (individual or business name)
  • Contact details (email address, phone number, WhatsApp number)
  • Physical or postal address
  • Company registration number and VAT number (for VAT-registered clients)
  • Banking details (if clients pay by EFT and you record their account details)
  • Transaction history (what was purchased, for how much, and when)

All of this constitutes “personal information” under POPIA if it relates to an identifiable natural person (an individual, not a company). For company clients, POPIA applies to the personal details of individuals within those companies (such as the billing contact’s name and email).

What does POPIA require you to do?

POPIA’s 8 conditions for lawful processing are:

  1. Accountability: You take responsibility for ensuring compliance in your business
  2. Processing limitation: Only collect personal information you actually need
  3. Purpose specification: Be clear about why you are collecting the information and only use it for that purpose
  4. Further processing limitation: Do not use information for purposes incompatible with why it was collected
  5. Information quality: Keep the information accurate and up to date
  6. Openness: Tell clients what information you hold and why
  7. Security safeguards: Protect the information against unauthorised access, loss, or damage
  8. Data subject participation: Allow clients to access, correct, or delete their information

Quick answer

What is POPIA and how does it apply to invoicing in South Africa?

POPIA (the Protection of Personal Information Act) is South Africa’s data privacy law, fully effective since 1 July 2021. It regulates how businesses collect, store, and use personal information. When you invoice clients, you collect personal data including names, contact details, addresses, and banking information. POPIA requires you to only collect information you need, use it only for the purpose it was collected (processing invoices and managing payments), store it securely, and allow clients to access or delete their data on request. Businesses that store client data on cloud invoicing platforms like Rebill benefit from the platform’s built-in security measures, including encryption and access controls. The Information Regulator enforces POPIA and can impose fines of up to R10 million for serious breaches or refer cases for criminal prosecution in cases of deliberate non-compliance.

Practical steps for POPIA-compliant invoicing

1. Only collect what you need. Do not ask for a client’s ID number or bank account details unless your process specifically requires them.

2. Store data securely. Use invoicing software with encryption and access controls rather than unprotected spreadsheets or email folders. Cloud invoicing software like Rebill stores client data on secure servers with encryption in transit and at rest.

3. Have a privacy policy. Your business should have a basic privacy policy explaining what data you collect, why, and how long you keep it. This does not need to be complex for a small business.

4. Respond to access requests. If a client asks what information you hold about them, or asks you to correct or delete their records, you are required to respond.

5. Notify the Information Regulator if there is a breach. If client data is lost or accessed without authorisation (such as a data breach), you must notify the Information Regulator and affected parties as soon as reasonably possible.

6. Do not share client data with third parties without permission. Do not sell, share, or pass client contact details to other parties without the client’s consent, unless required by law.

Does POPIA affect email marketing?

Yes. If you send newsletters or promotional emails to clients, POPIA requires that:

  • You obtained their consent to receive marketing communications
  • You provide a clear unsubscribe option in every marketing email
  • You honour unsubscribe requests promptly

Transactional emails (invoices, payment reminders, receipts) are not marketing and do not require explicit consent.

How Rebill supports POPIA compliance

Rebill is designed with security as a core requirement:

  • Client data is stored on encrypted servers
  • Data is accessible only to authorised users on your account
  • Rebill’s privacy policy is publicly available at rebill.co.za/legal/privacy
  • You can export and delete client data from your Rebill account if a client requests it

Frequently asked questions

Does POPIA apply to small businesses in South Africa?

Yes. POPIA applies to all responsible parties in South Africa that process personal information, regardless of business size. There is no exemption for small businesses or sole proprietors. However, the Information Regulator’s enforcement priority is typically focused on larger organisations with significant data holdings. Small businesses should still comply in practice, as penalties can apply to any organisation.

How long can I keep client invoicing data?

SARS requires you to retain business records, including invoices, for at least 5 years. This overrides POPIA’s principle of not retaining data longer than necessary for the purpose it was collected: tax compliance is a legitimate purpose that justifies keeping invoice records for 5 years. After 5 years, if there is no ongoing business relationship, you can delete the data.

What is the penalty for not complying with POPIA?

The Information Regulator can impose administrative fines of up to R10 million for serious breaches. Deliberate and egregious violations can result in criminal prosecution with imprisonment of up to 10 years. For most small business compliance failures (such as not having a formal privacy policy), the Regulator is more likely to issue a warning and require corrective action than to impose immediate penalties.

Do I need to appoint an Information Officer for POPIA?

Yes. Under POPIA, every organisation that processes personal information must appoint an Information Officer. For sole proprietors and very small businesses, the owner is automatically the Information Officer. You must register your Information Officer with the Information Regulator via their online portal. The registration is free. Larger businesses with significant data processing may also appoint Deputy Information Officers.
