Data Advocacy for South Africa

The Act sets out the essential parameters for the lawful processing of personal information, including:

  • eight “core-information-protection principles”;
  • a number of substantive issues concerning, inter alia, the processing, collecting, transferring and maintaining of personal information;
  • exemptions from the information protection principles;
  • the rights of Data Subjects regarding unsolicited electronic communications and automated decision making;
  • the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of the Act and the Promotion of Access to Information Act, 2000;
  • the regulation of trans-border information flows; and
  • enforcement mechanisms.

The Act introduces terminology and concepts which are, to a certain extent, novel to South African law, the broad formulation of which is likely to have significant implications in respect of both the citizens of South Africa whose information is processed by companies and public bodies, and the companies and public bodies doing the actual processing (whether this is in South Africa or not).

The Act will not apply to the processing of information:

  • in the course of a purely personal or household activity;
  • that has been “de-identified” (i.e., deleted to the extent that it cannot be retrieved);
  • by or on behalf of the State, relating to national security, investigation of offenses, and the like;
  • for exclusively journalistic purposes by responsible parties who are subject to a code of conduct by virtue of office;
  • by cabinet, provincial executive councils and municipal councils; and
  • relating to the judicial conduct of a court.

We note the following salient principles arising from the Act:

Personal information may only be processed in a fair and lawful manner that is transparent to the individual, and requires an individual’s explicit consent.

Responsible parties processing information must ensure that personal information is only processed for specific, explicitly defined and legitimate reasons relating to the functions or activities of the organization, and the organization must take steps to make affected Data Subjects aware of the purposes for which the personal information will be processed. Personal information may only be kept for as long as it is required to fulfil the purpose for which it was collected.

A responsible party is required to:

  • appoint an Information Officer and Deputy Information Officer to ensure compliance with the conditions set out in the Act and deal with complaints from Data Subjects who seek to enforce the Act;
  • maintain documentation of all processing; and
  • secure the integrity and confidentiality of personal information in its possession or under its control and ensure that it is appropriately safeguarded against loss, destruction or unlawful access.

The Constitution of the Republic of South Africa, 1996 (“Constitution”) recognizes a general right to privacy. Data protection and privacy issues are also currently regulated under the common law and various sector specific statutes and laws governing particular aspects of data protection.

Under common law, privacy embraces all those personal facts which the person concerned has determined to exclude from the knowledge of outsiders and intends to keep private. The Constitution provides, in section 14, that everyone has the right to privacy, which includes, on a broad interpretation, the right:

  • to protection against the unlawful collection, retention, dissemination and use of personal information; and/or
  • not to have the privacy of their communications infringed.

The constitutional right of privacy is not absolute and an infringement of the right may be justifiable in terms of the general limitation clause in the Constitution. What constitutes a reasonable and justifiable limitation will depend on the circumstances of each case. A high level of protection is given to the intimate personal sphere of life, and a lower level is given to the business, commercial and public spheres of life.

Generally, ordinary delictual (tort) remedies such as a claim for personal injury, patrimonial loss and/or an injunctive relief would be available for a claim arising from wrongful data processing.

The Electronic Communications and Transactions Act, 1998 (“ECT Act”) prescribes certain principles for the electronic collection of personal information of individuals. Under the ECT Act, a Data Controller (being a person who electronically requests, collects, collates, processes or stores personal information from or in respect of any natural person) would only be required to subscribe to the data protection principles if it has voluntarily agreed to do so with the Data Subject.

The stated purpose of the Act is to give effect to the constitutional right to privacy. The Constitution, together with the Act, will regulate the parameters for the lawful processing and protection of personal information by automated and manual means.

Definition of personal data

POPI applies (subject to certain exclusions discussed below) to the processing of ‘personal information’ which is defined as information relating to an identifiable, living, natural person, and where applicable, an identifiable juristic person, including:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin; colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief; culture, language and birth of the person;
  • information relating to the education, medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

POPI does not apply to the processing of ‘personal information’:

  • in the course of a purely personal or household activity;
  • in a way in which it has been de-identified to the extent that it cannot be re-identified again;
  • by or on behalf of the State with regard to national security, defence or public safety, or the prevention, investigation or proof of offences;
  • for the purposes of the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information;
  • for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;
  • for bona fide literary or artistic expression;
  • by Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality (this option may be deleted in the final version of the PPI Act when it is promulgated);
  • for purposes relating to the judicial functions of a court referred to in section 166 of the Constitution;
  • solely for the purposes of journalistic, literary or artistic expression to the extent that such exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression; and
  • under circumstances that have been exempted from the application of the information protection principles by the Information Regulator in certain circumstances.

Definition of sensitive personal data

Personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information or criminal behaviour (to the extent that such information relates to the alleged commission of an offence or any proceedings in respect of any offence allegedly committed, or the disposal of such proceedings) is defined as “special personal information”.

Subject to certain prescribed exceptions, the processing of special personal information is prohibited.

Data Processing:

The Act applies to manual and automated data processing. “Processing” is broadly defined as activity, whether automated or not, concerning personal information, which includes:

  • the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, blocking, degradation, erasure or destruction of information.

Personal information may only be processed if:

  • the Data Subject or a competent person, where the Data Subject is a child, consents to the processing;
  • processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party;
  • processing complies with an obligation imposed by law on the responsible party;
  • processing protects a legitimate interest of the Data Subject; and/or
  • processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Processing by Data Controllers:

The Act applies to those responsible parties who determine the purposes for which and the manner in which any personal information is, or is to be, processed. A responsible party is defined in the Act as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Jurisdiction/Territoriality:

The provisions of the Act will apply to the processing of personal information entered in a record by or for a responsible party that is domiciled in South Africa. The Act will also apply where the responsible party is not domiciled in South Africa but is using either automated or non-automated means to process personal information in South Africa.

Sensitive Personal Data:

Subject to specific limitations and additional requirements, the Act expressly prohibits the processing of “special personal information” ‒ that is, personal information relating to:

  • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
  • the criminal behavior of a Data Subject to the extent that such information relates to:
  • the alleged commission by a Data Subject of any offense; or
  • any proceedings in respect of any offense allegedly committed by a Data Subject or the disposal of such proceedings.

The prohibition on processing special personal information does not apply if the:

  • processing is carried out with the consent of a Data Subject;
  • processing is necessary for the establishment, exercise or defense of a right or obligation in law;
  • processing is necessary to comply with an obligation of international public law;
  • processing is for historical, statistical or research purposes to the extent that:
    • the purpose serves a public interest and the processing is necessary for the purpose concerned; or
    • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent information has deliberately been made public by the Data Subject; or provisions of specific sections in the Act relating to the relevant types of special personal information are complied with.

The Information Regulator may, subject to subsection 27(3), upon application by a responsible party and by notice in the Government Gazette, authorize a responsible party to process special personal information if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the Data Subject. The Information Regulator may impose reasonable conditions in respect of any such authorization.

Employee Personal Data:

South African employment legislation requires every employer to keep a record of certain basic information on an employee, including:

  • the employee’s name and occupation;
  • the time worked by each employee;
  • the remuneration paid to each employee;
  • the date of birth of any employee under 18 years of age; and
  • any other prescribed information.

The employer must keep a record for a period of three years from the date of the last entry in the record. The collection of such information from the employee may be collected without employee consent, as it is required by law, and an employer will generally be able to justify processing such information.

However, the restrictions on processing special personal information about an employee are more stringent and would need to comply with local employment legislation and the Act. For example, the record of any medical examination performed in terms of the Basic Conditions of Employment Act 1997, must be kept confidential and may be made available only:

  • in accordance with the ethics of medical practice;
  • if required by law or court order; or
  • if the employee has, in writing, consented to the release of that information.

Consent:

General:

Consent of the Data Subject, though not mandatory, is listed as a justification for processing personal information under the Act. The Act defines “consent” as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Under the Act and prior to the collection of the information, or as soon as possible thereafter, the responsible party must take reasonable steps to ensure that the Data Subject is aware of:

  • the information being collected and, where the information is collected from the Data Subject, the source from which it is collected; the name and address of the responsible party;
  • the purpose for which the information is being collected; whether or not the supply of the information by that Data Subject is voluntary or mandatory; the consequences of failure to provide the information; any particular law authorizing or requiring the collection of the information; the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organization and the level of protection afforded to the information by that third country or international organization; any further information such as the: recipient or category of recipient of the information; nature or category of the information; and
  • the existence of his or her right of access to and the right to rectify the information collected; the existence of the right to object to the processing of personal information; and the existence of the right to lodge a complaint with the Information Regulator and the contact details of the Information Regulator, which are necessary, having regard to the specific circumstances in which the information is or is not to be processed to enable reasonable processing.

The form of consent has not been prescribed. However, in order to demonstrate consent for the purposes of the Act, the responsible party will likely need to prove compliance with the above requirements.

Sensitive Data:

The processing of information relating to the race and ethnic origin of a Data Subject for diversity monitoring purposes would, under relevant employment equity legislation, require the written consent of the employee in the prescribed form. In addition, the collection of any health-related information requires the written “informed” consent of the patient.

The Act expressly prohibits the processing of special personal information. However, this prohibition on processing special personal information under the Act does not apply if the processing is carried out with the consent of a Data Subject. The form of consent, although not prescribed under the Act, should be explicit and clear and should include reference to the requirements listed in paragraph 5a above.

Minors:

The Act provides that a responsible party may not process personal information concerning a child (being a natural person under the age of 18 years). However, the prohibition on processing personal information of children does not apply if:

  • the processing is carried out with the prior consent of a competent person (being any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child);
  • necessary for the establishment, exercise or defense of a right or obligation in law;
  • necessary to comply with an obligation of international public law;
  • for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned;
  • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent; or
  • the personal information has deliberately been made public by the child with the consent of a competent person.

The Information Regulator may, upon application by a responsible party and by notice in the Government Gazette, authorize a responsible party to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child. The Information Regulator may impose reasonable conditions in respect of any authorization so granted.

Employee Consent:

There is no provision under the Act that specifically addresses consent requirements for employees. With reference to paragraph (4.f) above, it is noted that depending on the type of information collected, local employment legislation may require that consent be procured in writing.

Online/Electronic Consent:

Electronic consent is permissible and can be effective in South Africa, provided that it is properly structured and evidenced.

The first members of the Information Regulator have been appointed, with effect from 1 December 2016.

The powers, duties and functions of the office of the Information Regulator include providing education regarding the protection and processing of personal information; monitoring and enforcing compliance with the provisions of POPI; consulting with interested parties and acting as mediator; receiving, investigating and attempting to resolve complaints; issuing enforcement notices and codes of conduct; and facilitating cross-border cooperation.

Data protection officers (referred to in POPI as “information officers”) must be registered with the Information Regulator prior to taking up their duties in terms of the Act.

No registration is required to process personal information, however, prior authorisation must be obtained from the Information Regulator before processing of personal information in certain circumstances, prescribed in section 57 of POPI.

In terms of POPI the duties and responsibilities of a body’s data protection officer (information officer) include encouraging and ensuring compliance, by the body, with POPI; dealing with any requests made to that body in terms of POPI; and working with the Information Regulator in relation to investigations by the Information Regulator in relation to that body.

Processing” of information is defined in POPI as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

  • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • Dissemination by means of transmission, distribution or making available in any other form; or
  • Merging, linking, as well as blocking, degradation, erasure or destruction of Information.

POPI prescribes eight conditions for the lawful processing (which includes collection) of personal information namely accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

Various requirements are listed under each condition. These include that:

  • the processing is performed in a reasonable manner that does not infringe the data subject’s privacy and is adequate, relevant and not excessive
  • all necessary notifications and consents (as prescribed) are obtained
  • personal information is collected for a specific, explicitly defined and lawful purpose and, except in certain prescribed exceptions, is collected directly from the data subject
  • appropriate steps are taken to secure the integrity and confidentiality of personal information
  • data subjects may request that their personal data be corrected or deleted.

POPI caters for two scenarios relating to the transfer of personal information, namely where a responsible party in South Africa sends personal information to another country to be processed and where a responsible party in South Africa processes personal information which has been received from outside South Africa.

Receiving personal information from other countries

The requirements for the processing of personal information prescribed in POPI will apply to any personal information processed in South Africa, irrespective of its origin.

Sending personal information to other countries for processing

A responsible party in South Africa may not transfer personal information to a third party in another country unless:

the recipient is subject to a law, binding corporate rules or a binding agreement which:

  • upholds principles for reasonable processing of the information that are substantially similar to the conditions contained in POPI, an
  • includes provisions that are substantially similar to those contained in POPI relating to the further transfer of personal information from the recipient to third parties who are in another country;

ii.the data subject consents to the transfer

iii. the transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

iiii. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject and:

  • it is not reasonably practicable to obtain the consent of the data subject to that transfer, and
  • if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

International Data Transfers:

Currently, there is nothing in South African law that expressly restricts/limits the international transfer of personal information. However, under the Act, a responsible party in South Africa may not transfer personal information about a Data Subject to a third party located in a foreign country unless:

  • the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds the principles for reasonable processing of information which are substantively similar to the principles applicable in South Africa;
  • the law, binding corporate rules or binding agreement includes provisions that are substantially similar to those in the section of the Act relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
  • the Data Subject consents to the transfer;
  • the transfer is necessary for the performance of a contract between the Data Subject and the responsible party; or
  • the transfer is for the benefit of the Data Subject and it is not reasonably practicable to obtain the consent of the Data Subject to that transfer; and if it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.

For clarification, it is noted that within the context of the above:

“binding corporate rules” means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and “group of undertakings” means a controlling undertaking and its controlled undertakings.

Section 19 of POPI places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage to, or unauthorised destruction of; and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

In terms of section 22 of POPI, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned and must be in writing and communicated to the data subject a prescribed manner.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including

a description of the possible consequences of the security compromise;

a description of the measures that the responsible party intends to take or has taken to address the security compromise

a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and

if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

The Information Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

 

The Act provides for the notification of security compromises. Where there are reasonable grounds to believe that the personal information of a Data Subject has been accessed or acquired by any unauthorized person, the responsible party must notify the Information Regulator and the Data Subject, unless the identity of such Data Subject cannot be established.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party may only delay notification of the Data Subject if a public body responsible for the prevention, detection or investigation of offenses or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned.

The notification to a Data Subject must be in writing and communicated to the

Data Subject in at least one of the following ways:

emailed to the Data Subject’s last known physical or postal address;

sent by e-mail to the Data Subject’s last known e-mail address;

placed in a prominent position on the website of the responsible party;

published in the news media; or

as may be directed by the Information Regulator.

The notification must provide sufficient information to allow the Data Subject to take protective measures against the potential consequences of the compromise, including:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorized person who may have accessed or acquired the personal information.

The Information Regulator may direct a responsible party to publicize, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a Data Subject who may be affected by the compromise.

An organization that is involved in a data breach situation may be subject to an administrative fine, penalty or sanction, or civil actions and/or class actions.

Any person may submit a complaint to the Information Regulator alleging non-compliance with POPI. The Information Regulator may also initiate and investigation into interference with the protection of personal information.

Upon receipt of a complaint, the Information Regulator may, , conduct a pre-investigation or full investigation of the inter alia complaint, act as conciliator, refer the complaint to another regulatory body if the Information Regulator considers that the complaint falls more properly within the jurisdiction of the other regulatory body, or decide to take no further action.

The Information Regulator’s powers, for purposes of investigating a complaint include the power to summons and enforce the appearance of persons before the Information Regulator to give evidence or produce records or things; enter and search the premises occupied by a responsible party; and conduct interviews and inquiries

If the Information Regulator is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject it my issue an enforcement notice prescribing action to be taken by the responsible party to remedy the situation.

A responsible part who fails to comply with an enforcement notice is guilty of an offence and is, liable, on conviction, to a fine or imprisonment (or both) for a period of no longer than ten years (in terms of section 107), or alternatively to an administrative fine (in terms of section 109) . Currently, the maximum fine which may be imposed in terms of both sections 107 and 109 is ZAR10 million although this may change once the regulations are promulgated.

Section 99 also makes provision for a civil action for damages resulting from non-compliance with POPI.

The Electronic Communications and Transactions Act and the Consumer Protection Act empowers consumers to restrict unwanted direct marketing.

In terms of POPI, the processing of a data subject’s personal information for the purposes of direct marketing is prohibited unless the data subject has given its consent, or the email recipient is a customer of the responsible party. When sending emails to a data subject who is a customer, the responsible party must have obtained the details of the data subject through a sale of a product or service, the marketing should relate to its own similar products or services and the data subject must have been given a reasonable opportunity to object to the use of its personal information for marketing when such information was collected.

There are no sections of POPI which regulate privacy in relation to cookies and location data. These issues may be dealt with in subsequently regulations or codes of conduct to be issued by the Information Regulator.

Rights of Individuals:

Under the Act, Data Subjects have the general right to:

  • be informed by an organization of the personal information the organization holds about the Data Subject and how the personal information is being processed;
  • access the Data Subject’s personal information subject to some restrictions and/or qualifications;
  • request the correction of the Data Subject’s personal information; and
  • request the deletion and/or destruction of the Data Subject’s personal information.

Accountability:

Under the Act, organizations are required to furnish evidence relating to the effectiveness of the organization’s privacy management program to privacy regulators upon request.

Whistle-Blower Hotline:

Whistle-blower hotlines may be established in South Africa, provided that they are in compliance with local laws.

E-Discovery:

When implementing an e-discovery system, an organization is required to obtain the consent of employees if the collection of personal information is involved, and advise the employees of the implementation of such system, the monitoring of work tools and the storage of information.

Anti-Spam Filtering:

When implementing an anti-spam filter solution into its operations, an organization is required to inform employees of monitoring policies being implemented in the workplace. They may be required to give employees the opportunity to opt out from the spam-filtering solution, and give the employees the opportunity to review the isolated e-mails designated as spam.

Cookies:

The use of cookies must comply with data privacy laws. As such, the consent of Data Subjects may have to be obtained before cookies can be used and deployed. Some types of cookies that track or monitor the user may not be permitted.

Direct Marketing:

Under the Act, an organization that plans to engage in direct marketing activities with a Data Subject is required to obtain the Data Subject’s prior consent, which cannot be inferred from a Data Subject’s failure to respond. Consent of the Data Subject must be obtained for a specific activity. Bundled consent is not considered valid consent.

Currently, responsible parties are required to afford a recipient of direct marketing communications the opportunity to opt out at no cost.

webmail.co.za  115020

mweb.co.za  74995

vodamail.co.za  64783

live.co.za  38306

absamail.co.za  18689

hotmail.co.za  13292

ananzi.co.za  12460

iburst.co.za  10953

mobileemail.vodafonesa.co.za  10714

mtnloaded.co.za  10063

absa.co.za  9844

eskom.co.za  9389

ukzn.ac.za  9375

standardbank.co.za  8857

yahoo.co.za  8629

nedbank.co.za  8032

sun.ac.za  7820

gmail.co.za  7637

polka.co.za  7515

icon.co.za  6279

cput.ac.za  6159

worldonline.co.za  5882

nmmu.ac.za  5708

mailbox.co.za  5275

netactive.co.za  5195

global.co.za  5167

fnb.co.za  5128

uct.ac.za  5059

uwc.ac.za  4668

vodacom.co.za  4513

tuks.co.za  4392

tiscali.co.za  4077

sars.gov.za  3815

telkom.co.za  3811

gauteng.gov.za  3647

mtn.co.za  3451

xsinet.co.za  3205

students.wits.ac.za  3161

intekom.co.za  2778

capetown.gov.za  2744

cybersmart.co.za  2630

student.nwu.ac.za  2589

sabc.co.za  2442

unisa.ac.za  2441

discovery.co.za  2411

yebo.co.za  2371

mighty.co.za  2334

wol.co.za  2278

multichoice.co.za  2141

bcx.co.za  2138

up.ac.za  2130

tshwane.gov.za  2107

justice.gov.za  2072

cellc.co.za  2037

nwu.ac.za  2017

workmail.co.za  1993

thepub.co.za  1944

starmail.co.za  1869

liberty.co.za  1844

campus.ru.ac.za  1830

deloitte.co.za  1805

momentum.co.za  1745

mylife.unisa.ac.za  1736

mailmate.co.za  1728

magicmail.co.za  1725

student.uj.ac.za  1710

uj.ac.za  1694

wits.ac.za  1688

pgwc.gov.za  1647

webafrica.org.za  1621

investec.co.za  1588

axxess.co.za  1511

live.nmmu.ac.za  1500

aforbes.co.za  1471

kpmg.co.za  1461

joburg.org.za  1454

woolworths.co.za  1451

highveldmail.co.za  1386

edcon.co.za  1366

vcontractor.co.za  1350

sanlam.co.za  1318

csir.co.za  1311

sita.co.za  1306

webmobile.co.za  1287

wbs.co.za  1282

classicmail.co.za  1257

tut.ac.za  1252

ravemail.co.za  1217

discoverymail.co.za  1202

smartcape.org.za  1186

saymail.co.za  1162

galmail.co.za  1144

executivemail.co.za  1137

labour.gov.za  1112

ufh.ac.za  1096

liblink.co.za  1093

mhg.co.za  1091

nashuaisp.co.za  1088

homemail.co.za  1072

isat.co.za  1035

saps.org.za  1030

wesbank.co.za  1026

ekurhuleni.gov.za  974

mcmotor.co.za  960

ufs.ac.za  959

exclusivemail.co.za  948

nwpg.gov.za  925

rmb.co.za  923

eject.co.za  919

neomail.co.za  915

imaginet.co.za  906

t-systems.co.za  883

metropolitan.co.za  881

mwebbiz.co.za  876

petrosa.co.za  864

agsa.co.za  858

topmail.co.za  849

ru.ac.za  843

mail.uct.ac.za  840

dwaf.gov.za  838

pamgolding.co.za  822

kingsley.co.za  818

dut.ac.za  818

statssa.gov.za  797

airports.co.za  795

ul.ac.za  792

spar.co.za  784

is.co.za  773

distell.co.za  761

netcare.co.za  752

sanlam4u.co.za  749

adept.co.za  746

vwsa.co.za  739

law.co.za  731

harmony.co.za  716

dwa.gov.za  709

goldfields.co.za  707

arc.agric.za  698

tsamail.co.za  694

websurfer.co.za  690

mf.co.za  685

durban.gov.za  669

postoffice.co.za  662

bytes.co.za  662

hollard.co.za  659

pixie.co.za  658

metroweb.co.za  654

inl.co.za  622

mediclinic.co.za  619

shoprite.co.za  615

angloamerican.co.za  614

resbank.co.za  613

thedti.gov.za  612

mnet.co.za  611

medscheme.co.za  606

702mail.co.za  591

santam.co.za  584

lifehealthcare.co.za  584

grinaker-lta.co.za  579

afrihost.co.za  572

gpg.gov.za  566

sassa.gov.za  564

galileosa.co.za  564

clover.co.za  564

mondigroup.co.za  562

bmwdealer.co.za  562

pnp.co.za  557

npa.gov.za  552

studentvillage.co.za  549

neotel.co.za  546

randwater.co.za  540

student.uovs.ac.za  531

ruraldevelopment.gov.za  529

raf.co.za  506

futurenet.co.za  506

myspace.co.za  500

wghs.co.za  499

jdg.co.za  497

anglocoal.co.za  496

wsu.ac.za  494

idc.co.za  490

foschini.co.za  490

goggaconnect.co.za  486

postnet.co.za  485

etv.co.za  485

mrc.ac.za  471

cmh.co.za  471

datacentrix.co.za  464

ufs4life.ac.za  461

treasury.gov.za  461

sai.co.za  461

xnets.co.za  459

wynghs.co.za  458

mandelametro.gov.za  458

telesure.co.za  446

lando.co.za  442

bmw.co.za  442

foreign.gov.za  441

elections.org.za  441

nhls.ac.za  440

implats.co.za  440

makro.co.za  439

gol.gov.za  439

pioneerfoods.co.za  430

myconnection.co.za  427

hatch.co.za  426

unitrans.co.za  425

acenet.co.za  424

avusa.co.za  423

dirco.gov.za  417

bishops.org.za  414

tfmc.co.za  413

teenmail.co.za  412

onthedot.co.za  412

ogilvy.co.za  412

out.co.za  408

capitecbank.co.za  408

avis.co.za  404

parliament.gov.za  403

arivia.co.za  402

dcs.gov.za  400

puk.ac.za  399

fnbcommercial.co.za  397

hermanus.co.za  389

sainet.co.za  383

comair.co.za  383

thegolf.co.za  380

cybertrade.co.za  375

pnetmail.co.za  372

nda.agric.za  370

metrorail.co.za  370

puknet.puk.ac.za  369

ccsabco.co.za  364

aerosat.co.za  364

deat.gov.za  363

allangray.co.za  363

xstrata.co.za  360

freemail.absa.co.za  360

ppc.co.za  359

necsa.co.za  356

total.co.za  355

hixnet.co.za  353

co.za  353

nissan.co.za  352

citypower.co.za  351

drasa.co.za  350

virginactive.co.za  342

wirelessza.co.za  341

wbhs.org.za  341

transunion.co.za  340

caxton.co.za  340

bowman.co.za  340

amplats.co.za  340

brandhouse.co.za  339

africanbank.co.za  339

wspgroup.co.za  337

telkomsa.co.za  336

sabs.co.za  336

internext.co.za  334

glenrandmib.co.za  334

aon.co.za  330

breede.co.za  327

dpw.gov.za  326

cut.ac.za  326

wam.co.za  324

ssi.co.za  324

bks.co.za  320

psgkonsult.co.za  318

quest.co.za  316

mintek.co.za  315

boe.co.za  315

ens.co.za  314

kznhealth.gov.za  313

eoh.co.za  309

afgri.co.za  308

value.co.za  306

everitt.co.za  305

dla.gov.za  303

mfc.co.za  302

eastcoast.co.za  302

clicks.co.za  302

venturenet.co.za  300

regent.co.za  300

flightcentre.co.za  300

tempemail.co.za  296

vut.ac.za  294

new.co.za  294

elvey.co.za  294

therugby.co.za  293

pps.co.za  291

pan.uzulu.ac.za  291

sunint.co.za  289

roshcon.co.za  289

g5.co.za  288

groupfive.co.za  286

parklands.co.za  283

indwerisk.co.za  277

jwater.co.za  276

health.gov.za  276

realpeople.co.za  275

tbwa.co.za  274

firstrand.co.za  272

sanlamsky.co.za  270

po.gov.za  270

jse.co.za  270

twp.co.za  269

wemail.co.za  268

virginmobile.co.za  267

safcorpanalpina.co.za  267

jupiter.co.za  266

stu.ukzn.ac.za  264

ncpg.gov.za  264

harcourts.co.za  264

bell.co.za  263

uti.co.za  261

dst.gov.za  260

ithala.co.za  259

bidvestbank.co.za  259

tracker.co.za  258

wbhs.co.za  257

sanbs.org.za  257

parmalat.co.za  257

illovo.co.za  257

ellerines.co.za  257

chubb.co.za  253

rcf.co.za  252

incredible.co.za  252

hulamin.co.za  251

sandown.co.za  250

hsrc.ac.za  249

ccn.co.za  249

xstratacoal.co.za  245

fsb.co.za  244

pbmr.co.za  243

dha.gov.za  243

consol.co.za  243

idt.org.za  242

ael.co.za  241

coega.co.za  238

sun.co.za  235

eccsystems.co.za  235

mail.co.za  234

btgroup.co.za  234

mpg.gov.za  232

kelly.co.za  232

woodridge.co.za  231

cog.co.za  230

nbc.co.za  229

aberdare.co.za  229

ucs-solutions.co.za  228

siu.org.za  228

caa.co.za  228

trudon.co.za  227

jhi.co.za  225

bwhouse.co.za  225

wbho.co.za  223

student.ufs.ac.za  223

dot.gov.za  223

umgeni.co.za  222

doe.gov.za  222

damelin.co.za  222

mazars.co.za  219

legacyhotels.co.za  219

directaxis.co.za  218

thomasmore.co.za  216

spoornet.co.za  216

seda.org.za  216

harveyworld.co.za  216

workforce.co.za  215

mdd.co.za  213

lovelife.org.za  213

gcis.gov.za  213

ovi.co.za  212

gibb.co.za  211

omnia.co.za  210

gds.co.za  210

autopage.altech.co.za  210

univen.ac.za  209

sanlamhealth.co.za  209

netstar.altech.co.za  209

cti.co.za  208

travel.co.za  207

ackermans.co.za  207

nfp.nedbank.co.za  206

schenker.co.za  204

daff.gov.za  204

plascon.co.za  202

mobileemail.vodafone.co.za  201

buffalocity.gov.za  201

3i.co.za  201

thecricket.co.za  198

citadel.co.za  198

armscor.co.za  197

myuct.ac.za  196

hyperlink.co.za  196

thompsons.co.za  194

pdna.co.za  194

scaw.co.za  193

rtt.co.za  193

sizwentsaluba.co.za  192

primedia.co.za  192

edumail.co.za  192

broll.co.za  192

avi.co.za  192

africon.co.za  192

um.co.za  191

tarsus.co.za  191

gsb.uct.ac.za  191

lancet.co.za  190

sundaytimes.co.za  188

msunduzi.gov.za  188

rghs.wcape.school.za  187

rbm.co.za  187

impilo.ecprov.gov.za  187

gam.co.za  187

environment.gov.za  187

pastel.co.za  186

adamsadams.co.za  186

skytec.co.za  184

qualsa.co.za  184

nashua.co.za  184

kv3.co.za  184

vmed.co.za  183

supersport.co.za  183

mjvn.co.za  183

adcorp.co.za  183

tfg.co.za  182

srk.co.za  182

hbc.ac.za  182

pathcare.co.za  181

vippayroll.co.za  180

stmarys.kzn.school.za  180

netpoint.co.za  180

dcs.discovery.co.za  180

crazyweb.co.za  180

wfs.co.za  178

tsiba.org.za  178

sanbi.org.za  178

nmidsm.co.za  178

medicross.co.za  178

geoscience.org.za  178

pkf.co.za  177

iafrica.co.za  177

europassistance.co.za  177

uec.co.za  176

gpl.gov.za  176

sbv.co.za  175

atns.co.za  175

pinnacle.co.za  174

mangaung.co.za  174

enviroserv.co.za  174

cinet.co.za  174

toyota.co.za  173

capacity.co.za  173

webmai.co.za  172

fraseralexander.co.za  172

salga.org.za  171

mailzone.co.za  171

denelsaab.co.za  171

webamil.co.za  170

ist.co.za  170

fnbcorporate.co.za  170

sentech.co.za  169

rcsgroup.co.za  169

goba.co.za  169

rawson.co.za  168

mtnice.co.za  168

icasa.org.za  168

blue.co.za  168

bdo.co.za  168

10minutemail.co.za  168

megaweb.co.za  167

cargomotors.co.za  167

saharaonline.co.za  166

border.co.za  166

proteacoin.co.za  165

plessey.co.za  165

nrf.ac.za  165

mut.ac.za  165

experian.co.za  165

zurich.co.za  164

ymail.co.za  164

smollan.co.za  163

dpsa.gov.za  163

dbe.gov.za  163

gcs.co.za  162

sias.co.za  161

nhbrc.org.za  161

ampath.co.za  161

soft.co.za  160

golder.co.za  160

dailysun.co.za  160

deneldynamics.co.za  159

budget.co.za  159

web4us.co.za  158

tsb.toyota.co.za  158

mpsa.co.za  158

gepf.co.za  158

compuscan.co.za  158

babcock.co.za  158