Protecting your visitors' personal data - New rules are coming for security complexes.

Janet Mc Intosh | SchoemanLaw Inc

Category: Sectional Title Law

Introduction

Security measures at gated sectional title complexes often require visitors to provide personal information before access is granted.

While these practices are intended to promote safety, they also raise important questions about privacy and compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).

The Information Regulator’s draft code on the processing of personal information at gated access signals a move towards clearer rules for how visitor information should be collected, used, stored and protected.

What Is The Draft Code?

On 30 April 2026, the Information Regulator published a proposed code of conduct for comment, dealing specifically with the processing of personal information at gated access points in South Africa.

Comments closed on 29 May 2026 and are now being considered by the Regulator.

According to the notice, the purpose of the draft code is to give practical effect to POPIA’s eight conditions for lawful processing in gated access environments, promote appropriate practices, ensure proportionality between security needs and privacy rights, standardise lawful access control practices, regulate high-risk technologies such as CCTV and biometric systems, and strengthen governance, accountability, complaints and enforcement mechanisms.

Although the code is not yet binding, it is a strong indication of the standards the Regulator expects responsible parties to meet.

For bodies corporate, trustees, managing agents and security providers, the draft code is important because many existing access practices were developed for operational convenience rather than formal data-protection compliance.

The draft signals that convenience alone will not justify intrusive collection practices if they go beyond what is necessary for a legitimate security purpose.

What Information Is Usually Collected At The Gate?

At many gated complexes, visitors are asked to provide names, contact details, identity or passport information, vehicle registration numbers, unit numbers, appointment details and, in some cases, photographs or biometric identifiers.

CCTV footage may also be captured automatically as part of access control and general security monitoring.

The draft code is significant because it recognises that these practices involve personal information and, in some cases, high-risk processing that cannot be treated as routine administrative formalities.

Key POPIA Themes For Gated Sectional Title Complexes

The starting point is that POPIA requires that personal information be processed lawfully and in a reasonable manner that does not infringe the data subject's privacy.

In practice, that means a gated complex should collect only the information that is adequate, relevant and not excessive for the security purpose it wants to achieve.

If the same objective can be met with less intrusive measures, trustees and managing agents should be cautious about collecting identity document numbers, copying identity documents, or using biometric systems as a default.

POPIA also requires that personal information be collected for a specific, explicitly defined and lawful purpose, that data subjects be made aware of the collection, and that appropriate security safeguards be in place to prevent loss, misuse or unauthorised access.

Practical Steps To Consider Now

Even before the code is finalised, sectional title complexes should review what visitor information is collected, why it is collected, who has access to it, how long it is retained, and whether existing notices and policies properly explain the processing.

Contracts with security companies and technology providers should also be reviewed to ensure that roles, responsibilities, and safeguards are clearly defined.

If biometrics, licence disc scanning, facial recognition or extensive CCTV monitoring are used, trustees and managing agents should be particularly careful to assess whether these measures are truly necessary, proportionate and properly governed.

Early review and adjustment will place schemes in a stronger position if the draft code is finalised in substantially similar form.

Conclusion

The draft code makes it clear that access control at gated sectional title complexes cannot be treated as a purely operational issue.

Where personal information is collected for security purposes, bodies corporate, trustees, managing agents, and service providers must ensure that the processing is lawful, proportionate, and properly governed in accordance with POPIA.

Although the code is still subject to finalisation, it provides a valuable opportunity for schemes to review their current practices and strengthen compliance before stricter sector-specific standards take effect.

For further assistance, consult an attorney at SchoemanLaw.

Janet Mc Intosh | SchoemanLaw Inc

Attorney: Civil and Commercial Litigation

https://schoemanlaw.co.za/services/property-and-conveyancing/