POPIA Explained for Estate Agents
POPIA (the Protection of Personal Information Act) became fully enforceable in July 2021. As an estate agent, you collect a lot of personal information — ID numbers, bank details, income information. POPIA sets strict rules about how you may collect, store, and use that information. Fines for non-compliance can reach R10 million. This guide explains what POPIA means in practice for estate agents.
What counts as personal information?
Almost everything you collect about a buyer, seller, or tenant counts: full name, ID number, email, phone number, physical address, employment details, income, bank account details. Even a photo is personal information under POPIA.
You need a lawful reason to collect information
You cannot collect personal information 'just in case'. You must have one of these reasons: (1) the person gave consent, (2) you need it to fulfil a contract, (3) you are legally required to collect it (e.g. FICA). PropSign records the legal basis for every document you send.
You must tell clients what you are collecting and why
Before collecting information, you must tell clients: what information you are collecting, why, who will have access to it, and how long you will keep it. PropSign's POPIA notice on the signing page does this automatically for every document.
You must protect the information
You are responsible for keeping personal information safe. This means not storing ID copies in WhatsApp chats, not emailing unencrypted spreadsheets with client details, and using secure systems. PropSign stores all data encrypted, with access controls and audit logs.
Clients have rights over their information
A client can ask you to: show them what information you hold about them, correct incorrect information, or delete their information (if you no longer have a lawful reason to keep it). PropSign's dashboard shows you all information held per client so you can respond to these requests.
You must have a Data Processing Agreement with PropSign
Because PropSign processes personal information on your behalf, POPIA requires a written Data Processing Agreement (DPA) between you and PropSign. You can review and accept the DPA in your Compliance Dashboard. It only takes 2 minutes.
Tip
POPIA compliance is not a once-off checklist — it is an ongoing practice. PropSign's Compliance Dashboard shows your current compliance score and tells you what still needs attention.