
Your Go‑To Guide to the POPIA Code of Conduct for Gated Access


Picture this: it’s 6pm at a busy estate gate in Joburg, security is juggling licence scans, contractor cards and Uber deliveries while Eskom plays load‑shedding roulette. No pressure, right? The upcoming POPIA Code of Conduct for Gated Access is designed to bring order to that chaos – but only if you know what it expects from you. Here, we unpack the core questions estates, complexes and office parks are asking – then dive into quick, practical answers you can act on today.


Burning Questions About the POPI Act’s Gated Access Code of Conduct 





Keep these in mind – they’re a handy checklist for your next trustee or EXCO meeting.

1. What is the POPIA Code of Conduct for Gated Access?


POPIA already sets out eight conditions for lawful processing, but they’re broad. The POPIA Code of Conduct for Gated Access takes those principles and translates them into day‑to‑day rules for estates, complexes, office parks and other controlled‑access environments.

It will apply to:


  • Residential estates and sectional title schemes

  • Lifestyle estates and gated communities

  • Home Owner Associations (HOAs) and bodies corporate

  • Office parks, commercial complexes and industrial parks with boom gates or controlled entrances


In other words, if your security team controls who enters and leaves, and you process personal information to do that, this Code is aimed squarely at you.



2. What Visitor Information Can You Collect at the Gate?


The big shift is from “collect everything, just in case” to “collect only what you really need”. Under POPIA, that means personal information must be relevant, not excessive, and used for a clearly defined purpose.


Generally OK (if justified by your risk profile):

  • Name and surname

  • ID or passport number (captured and stored securely, not scribbled in a visible book)

  • Mobile number

  • Vehicle registration

  • Time, date, gate and host details


Red flags to avoid:

  • Open visitor books where anyone can see previous entries

  • Copying ID books or licences “just because we’ve always done it”

  • Collecting extra information that has nothing to do with security or access (for example, employment history or family details)

POPIA‑aligned digital visitor management platforms help you enforce those limits automatically – guards can’t over‑collect what the system doesn’t ask for.

3. Is Licence and ID Scanning POPIA‑Compliant?


Yes – if you do it right. Licence and ID scanning at estate gates was one of the first POPIA flashpoints, because manual and legacy systems were storing too much data for too long, in ways that were easy to access and hard to audit.


A compliant approach includes:

  • Scanning IDs and licences into a secure, access‑controlled system (not a personal phone or loose spreadsheet)

  • Collecting only the fields you need for positive identification and incident tracing

  • Encrypting data in transit and at rest

  • Using automated retention rules to delete data after your justified retention period expires


ATG Digital’s At The Gate platform, for example, scans vehicle and driver’s licences, authenticates visitor data in real time and keeps everything within a POPIA‑aligned, cloud‑based environment – no more loose pages or exposed clipboards at the boom.



4. What About Biometrics, CCTV and LPR?


South African estates increasingly rely on:

  • Facial recognition at pedestrian turnstiles

  • Licence Plate Recognition (LPR) for vehicle access

  • CCTV around perimeters and entrances


These technologies can absolutely live in harmony with POPIA if you:

  • Clearly inform residents and visitors that biometrics and CCTV are in use and why

  • Use them for legitimate security purposes, not unrelated profiling

  • Protect biometric templates and footage using strong technical and organisational safeguards

  • Limit retention to what you can justify (for example, a defined period for incident investigation)


Think of it as turning your cameras and biometric readers into an intelligent guardian that is both powerful and rule‑abiding.



5. Who is Actually Responsible – Estate, HOA or Security Company?


The Code is expected to clarify accountability, but POPIA already gives you the basic structure:

  • The estate, HOA, body corporate or property owner is usually the responsible party – they decide why and how personal information is processed.

  • The guarding or technology provider is typically an operator – they process data on your behalf.


You’ll need:

  • Written operator agreements covering POPIA duties

  • Clear policies on who may access visitor data and under what conditions

  • A named POPIA champion or information officer on the estate side


The beauty of digitised visitor management is that you can hard‑code those responsibilities into the system – with role‑based access, audit trails and automated reports that show you are living your policies, not just filing them.


6. How Should Estates Prepare Before the Code Takes Effect?


While the Information Regulator finalises the POPIA Code of Conduct for Gated Access, you don’t have to sit on your hands. Several law firms and specialist guides recommend starting now with practical estate access control compliance steps.


Short checklist:


  • Map your current data flows at the gate and reception – from scanning or sign‑in to deletion

  • Kill off paper visitor books and unsecured spreadsheets

  • Standardise notices and signage so visitors know what’s collected and why

  • Review retention rules for visitor logs, LPR data and CCTV footage

  • Update contracts with guarding and technology providers to reflect POPIA roles

  • Train guards – they’re your front‑line data champions as much as your front‑line security


Cloud‑based systems like ATG Digital’s At The Gate and At Reception allow you to centralise these changes once, then roll them out across all your gates, buildings and sites – with real‑time monitoring and reporting baked in.



POPIA Gated Access FAQ (Quick Answers)


What is the POPIA Code of Conduct for Gated Access in South Africa?

  • It is a sector‑specific code under POPIA that sets out how gated communities, estates, complexes and controlled‑access sites must process personal information at their entry points, turning POPIA’s general principles into concrete, gate‑level rules.


Does the POPIA Code of Conduct for Gated Access apply to all gated communities?

  • Yes. It is expected to cover residential estates, sectional title schemes, lifestyle estates, HOAs, bodies corporate, office parks and other properties where access is restricted and visitor or resident data is processed.


What is POPIA gated communities compliance in practice?

  • POPIA compliance for gated communities means collecting only necessary visitor data, storing it securely, limiting retention, being transparent with residents and visitors, and having clear responsibilities between the estate and its service providers.


Is licence and ID scanning at estate gates POPIA‑compliant?

  • Licence and ID scanning is POPIA‑compliant when you use secure, purpose‑built visitor management systems, collect only necessary fields, encrypt and restrict access to the data, and apply clear retention and deletion rules.


How long can estates keep visitor records under POPIA?

  • You may keep visitor records only as long as you can justify for security, incident investigation or legal purposes; after that, you should delete or properly anonymise the data according to a documented retention schedule.


Are biometrics and facial recognition allowed for estate access control under POPIA?

  • Yes, if used for legitimate security purposes, backed by clear notices, robust safeguards and limited retention, and if you respect data subject rights such as access and objection where applicable.


Who is responsible for POPIA compliance in residential estate access control – the HOA or security provider?

  • The HOA, body corporate or property owner is usually the responsible party, while the security or technology provider is the operator; both must have clear contractual and operational arrangements that meet POPIA requirements.


How can ATG Digital help with visitor management POPIA compliance?

  • ATG Digital’s At The Gate and At Reception platforms digitise estate access control, authenticate IDs and licences in real time, reduce manual errors and enforce POPIA‑aligned data collection, storage and retention across all your sites.



Ready to Turn Your Gate Into an Intelligent Guardian?


South African estates and office parks are under pressure to keep people safe, keep traffic moving and keep data protected – often during peak‑hour queues and rolling blackouts. The POPIA Code of Conduct for Gated Access is your chance to move from ad‑hoc practices to a repeatable, auditable and resident‑friendly model. If you’d like to see what POPIA‑aligned, digital visitor management looks like in the real world, book a quick ATG Digital walk‑through. 



