{"id":637213,"date":"2026-04-01T09:03:53","date_gmt":"2026-04-01T07:03:53","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=637213"},"modified":"2026-04-01T09:49:40","modified_gmt":"2026-04-01T07:49:40","slug":"new-rules-for-residential-estates-in-south-africa-about-visitor-data","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/637213-new-rules-for-residential-estates-in-south-africa-about-visitor-data.html","title":{"rendered":"New rules for residential estates in South Africa about visitor data"},"content":{"rendered":"\n

South Africa’s Information Regulator is finalising a code of conduct for how complexes, estates, and gated communities process the private data of visitors upon arrival by the end of March 2026. <\/p>\n\n\n\n

Part of the code, published in a government gazette in 2023, sets out what personal information gate guards and surveillance systems can legally collect from visitors and how they should handle it.<\/p>\n\n\n\n

Local digital access control specialists ATG Digital said the incoming code is aimed at any entity that has a security team controlling entry or exit points and collecting personal information from visitors. <\/p>\n\n\n\n

This includes residential estates and sectional title schemes, lifestyle estates and gated communities, bodies corporate and homeowner associations (HOAs), commercial or industrial parks, and office parks. <\/p>\n\n\n\n

“The big shift is from ‘collect everything, just in case’ to ‘collect only what you really need,'” ATG writes in a new guide<\/a> for estates and complexes to manage POPIA compliance. <\/p>\n\n\n\n

“Under POPIA, that means personal information must be relevant, not excessive, and used for a clearly defined purpose.” <\/p>\n\n\n\n

Gate guards will usually be allowed to ask for your name, surname, ID or passport numbers, mobile number, vehicle registration and time, date, gate, and host details. <\/p>\n\n\n\n

However, this information should be collected only if it is justified by the company’s and visitors’ risk profiles, and guards should avoid collecting personal information “just in case.”<\/p>\n\n\n\n

“Many estates already use ID scanners, licence plate recognition (LPR), CCTV, and even facial recognition to keep people and assets safe,” ATG explained. <\/p>\n\n\n\n

“The Regulator’s concern is not the tech itself, but how it’s used: consent, transparency, scope, and retention.”<\/p>\n\n\n\n

Fines, jail time, and litigation<\/h2>\n\n\n\n
\"\"
Pansy Tlakula, chairperson of the Information Regulator of South Africa. <\/figcaption><\/figure>\n\n\n\n

Information Regulator chair Advocate Pansy Tlakula said that the Protection of Personal Information Act (POPIA) is clear that only minimal information can be taken from visitors.<\/p>\n\n\n\n

The act of getting your driver’s licence scanned, she said in 2024, potentially opened up<\/a> a wide range of POPIA violations.<\/p>\n\n\n\n

“How are they protecting it? Where does it end up? That disc has your name, home address, and ID number linked to it,” she said.<\/p>\n\n\n\n

She said that these questions influence the regulator issuing a code of conduct for the surveillance sector, including companies that maintain estates and complex gateways.<\/p>\n\n\n\n

Companies could find themselves investigated by the regulator if they are found to have guards leave sensitive information available to everyone, such as leaving visitor information books open.<\/p>\n\n\n\n

Copying ID books or licences without due cause, and collecting unnecessary information such as employment history and family details are also red flags that companies should avoid.<\/p>\n\n\n\n

If visitors record these instances and report them to the regulator, companies or bodies could be charged for breaching POPIA and potentially face fines or criminal prosecution.<\/p>\n\n\n\n

The exact amount of the fine depends on the seriousness or scale of the breach, with the regulator legally allowed to issue administrative fines up to R10 million.<\/p>\n\n\n\n

For example, in 2023, it issued the Department of Justice a R5 million fine for failing to comply with an enforcement notice following a ransomware attack and data breach.<\/p>\n\n\n\n

While prison sentences and fines are within the regulator’s scope for serious infringements, the biggest risk for entities such as residential estates or commercial offices is potential civil liability.<\/p>\n\n\n\n

POPIA allows any data subject (e.g. a visitor) to bring a civil action for damages against a company. A visitor could sue a body corporate for “distress” caused by the mishandling of personal data.<\/p>\n\n\n\n

POPIA compliance is underpinned by what happens to the data<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

ATG’s guide explained that a POPIA-compliant approach to scanning IDs and licences at gates is based on what happens to the personal information after it is digitally scanned.<\/p>\n\n\n\n

You should use “secure, access-controlled systems” to scan licences, not personal phones, and guards should collect only the information necessary for positive identification and incident tracing.<\/p>\n\n\n\n

This personal information should be encrypted on this secure system, and companies should have automated retention rules in place to delete data after a justified period has expired, such as 5 years.<\/p>\n\n\n\n

Biometric checks, CCTV monitoring, and LPR for vehicles can also be conducted in compliance with POPIA, provided visitors are clearly informed about their use and the reasons for them.<\/p>\n\n\n\n

These systems should be used for legitimate security purposes at all times, and the data they collect should be protected by digital encryption and good organisational practices from staff. <\/p>\n\n\n\n

The POPIA Code of Conduct identifies that the estate, HOA, body corporate, or property owner is the responsible party for any infringements, even if the guards or technology providers were responsible.<\/p>\n\n\n\n

“The guarding or technology provider is typically an operator,” writes ATG, “They process data on your behalf.”<\/p>\n\n\n\n

Property owners should obtain written agreements from their operators confirming that they are covering POPIA obligations, the policies they are implementing, and the conditions under which they will apply.<\/p>\n","protected":false},"excerpt":{"rendered":"

Residential estates and office parks face new rules from the Information Regulator regarding the scanning of driving licences and the collection of visitor data.<\/p>\n","protected":false},"author":341213,"featured_media":637225,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[97513,7719,93873,104152,66803,104151,62830,40824],"class_list":["post-637213","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-atg-digital","tag-cctv","tag-estates","tag-gated-communities","tag-information-regulator-of-south-africa","tag-licence-plate-registration","tag-popia","tag-protection-of-personal-information-act"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637213"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=637213"}],"version-history":[{"count":12,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637213\/revisions"}],"predecessor-version":[{"id":637653,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/637213\/revisions\/637653"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/637225"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=637213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=637213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=637213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}