How Long Can You Keep Customer Data Under POPIA? (Data Retention Guide)
The End of "Keep it Just in Case"
For decades, businesses operated on the principle of keeping customer data forever, just in case they needed it later. The Protection of Personal Information Act (POPIA) makes this illegal. Under the principle of "Storage Limitation", you cannot keep personal data longer than is absolutely necessary.
The General Rule
POPIA states that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected.
If you collected an email address to send a one-off ebook, you must delete the email address once the ebook is sent, unless you got explicit consent to keep it for marketing.
Legal Exceptions: When You MUST Keep Data
While POPIA says "delete it", other South African laws say "keep it". You are legally allowed (and required) to retain data if another law mandates it. For example:
- Companies Act: Requires certain company records to be kept for 7 years.
- Tax Administration Act (SARS): Requires financial and tax records to be kept for 5 years.
- Basic Conditions of Employment Act: Requires employee records to be kept for 3 years from the last date of employment.
- FICA: Requires accountable institutions to keep client identity and transaction records for 5 years.
Consent and Contracts
You may also keep data longer if the data subject has explicitly consented to it, or if retaining the data is necessary to fulfill a contract between you and the customer.
What to do with Old Data
If the data has outlived its original purpose and is not required by another law, you must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable. "De-identifying" means anonymizing the data so it can no longer be linked to a specific person (useful if you want to keep data for statistical analysis).
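The decision procedure the sections above describe, encoded as an added example (not code from the article or from POPIA Ready): a record's retention deadline is the longest period any applicable law imposes, and once its purpose is fulfilled and no consent, contract or law still applies, it is deleted, or de-identified if it is wanted for statistics. The retention periods are the ones listed above; which date starts each clock is an assumption made for illustration, and a real policy would be checked against the legislation itself.

```python
"""Retention decision helper: added example, not code from the article or
from POPIA Ready. The periods are the ones the article lists; which date
starts each clock ('trigger') is an assumption made for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
# (years to retain, record field that starts the clock) per legal basis.
LEGAL_PERIODS = {
    "companies_act": (7, "created"),
    "tax_administration_act": (5, "created"),
    "bcea": (3, "employment_ended"),
    "fica": (5, "last_transaction"),
}

@dataclass
class Record:
    subject_id: str
    created: date
    purpose_fulfilled: bool                 # original purpose achieved?
    legal_bases: List[str] = field(default_factory=list)
    employment_ended: Optional[date] = None
    last_transaction: Optional[date] = None
    marketing_consent: bool = False         # explicit consent to keep
    active_contract: bool = False           # still needed to fulfill a contract
    wanted_for_statistics: bool = False     # de-identify instead of delete

def add_years(d: date, n: int) -> date:
    """Calendar-year addition; Feb 29 rolls to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def retention_deadline(rec: Record) -> Optional[date]:
    """Latest date any cited law still requires the record, or None."""
    deadlines = []
    for basis in rec.legal_bases:
        years, trigger = LEGAL_PERIODS[basis]
        start = getattr(rec, trigger) or rec.created   # fall back if trigger unset
        deadlines.append(add_years(start, years))
    return max(deadlines) if deadlines else None

def decide(rec: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'de-identify' for the record as of `today`."""
    if not rec.purpose_fulfilled or rec.marketing_consent or rec.active_contract:
        return "keep"          # purpose, consent or contract still applies
    deadline = retention_deadline(rec)
    if deadline is not None and today < deadline:
        return "keep"          # another law mandates retention
    return "de-identify" if rec.wanted_for_statistics else "delete"
```

Running `decide` over a record store on a schedule, and logging each decision, gives the documented evidence that the retention policy is actually enforced.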
Document Your Retention Periods
You should have a Data Retention Policy that lists exactly how long you keep different categories of data, and you should disclose this in your website's Privacy Policy. You can generate a comprehensive, compliant Privacy Policy using POPIA Ready.
Get Compliant Today
Don't risk fines or reputational damage. Generate professional, POPIA-compliant legal documents for your website in 60 seconds.