The South African regulator (Information Regulator) published a draft Code of Conduct under the POPIA (Protection of Personal Information Act) on April 30, 2026, to govern the processing of personal data in controlled-access areas (such as residential complexes and public buildings). The text requires limiting data collection (names, license plates, biometrics), ensuring transparency, consent, and security, with short retention periods (30 to 90 days). Those responsible must appoint an Information Officer, assess risks (e.g., CCTV, facial recognition), and provide avenues for redress. Open for public comment for 14 days, the code aims to balance security and privacy.
