Where did you get my telephone number?

SA companies seem to be struggling with the new Protection of Personal Information Act and the management of customer data.
Be careful what you click on – ‘opting in’ can happen all too easily. Image: Brendon Thorne, Bloomberg

Seldom have a few simple questions elicited such frantic responses. After receiving more than 20 text messages from 10 different companies – all in the space of three weeks – the senders were contacted and asked the same question: Where did you get my telephone number?

It’s a reasonable question but few could respond to it quickly, while some of the answers stretched the new Protection of Personal Information Act (Popia) to the point of breaking the law.

The companies could not answer questions relevant to the provisions of Popia easily, some taking up to two weeks to “investigate”.

The new legislation gives everyone the right to enquire about how companies use their personal information – and companies are obliged to answer queries, including:

  • Where did you get my contact details?
  • What information do you have about me?
  • Do you share my personal information with third parties?
  • What do you use my personal information for?

New legislation

Popia became effective from July 2020 and was fully implemented in July 2021 after a grace period of 12 months to give companies time to ensure compliance.

Wendy Tembedza, senior associate at law firm Webber Wentzel, says the spirit and purpose of Popia is, among other things, to protect a person’s right to have a say in how their personal information is used.

“Under Popia, a data subject [person] must be informed of all the ways in which a responsible party [the companies] will use their personal information at the time when the information is collected, or as soon as reasonably possible after collection. If the data subject has not been advised of the potential sale or sharing of their information, any such sale or sharing will in most instances be unlawful.

“In addition, Popia requires that any further processing of personal information [being processing of personal information for purposes other than that for which the information was initially collected], must be compatible with the purpose for which it was initially collected. In this regard, the responsible party would have to assess factors such as the relationship between the purpose for initial collection and the intended further processing, the nature of information concerned and the consequences of the intended further processing for the data subject,” says Tembedza.

“Popia has introduced a major shift in how personal information, including contact details on large databases, can be dealt with.

“Essentially, the wholesale commercialisation of contact details has been prohibited due to, in part, the broad definition of personal information which is protected under Popia.”

Tembedza adds that while direct marketing is allowed, companies should ensure that they fully understand their obligations under Popia.


“While there are nuances relevant to the question of whether a responsible party can send you direct marketing materials, the basic requirement is that direct marketing is only permitted in instances [where] either the data subject is an existing customer of the responsible party [subject to additional qualifying requirements], or where the data subject has given consent for their personal information to be used for direct marketing.

“Unless the direct marketing is taking place in one of these two scenarios, it will be unlawful,” says Tembedza.

She adds that the new act makes provision for steep penalties, including imprisonment and/or a fine of up to R10 million for a breach of the act.

“In relation to contact lists, the risk increases because these lists can run into the tens of thousands. This is particularly important because factors such as the number of data subjects affected will be taken into account by the Information Regulator when determining the appropriate fine,” she says.

She confirms that companies are obliged to disclose where a data subject’s details were collected from.


It seems that companies are struggling with the new legislation, with only a few able to give a quick response to queries.

Budget Insurance answered within two days, reminding me that I had a policy with it some years ago and that this counts as a client relationship within the provisions of Popia.

In addition, I opted in to receive marketing messages when using the Hippo Comparative Services website (hippo.co.za) a few months ago.

Thus, Budget Insurance knows a lot about me. I have provided it with my (new) telephone number, while it already had my e-mail address, home address, identity number and a lot of other personal information as well. Budget might even still know what car I drove a few years back and what furniture I had in my house at the time.

Worst experience

That I received no fewer than four text messages from Scorpion Legal Services within a few weeks came as a surprise.

I have never dealt with the company nor have I responded to any of their advertisements that try to sell legal insurance policies.

Asking Scorpion Legal Services where they got my contact details and whether they have other personal information about me was a bad experience.

The firm used Popia as an excuse not to provide the very information that Popia says it must provide to people.

Scorpion Legal Services said it has no personal information about me because it uses third parties to conduct advertising campaigns and generate leads.

“In order to abide by Popia we are only able to divulge the information linked to this cell number to the person who owns the number. The third party involved [is] happy to engage with you directly, if you can provide evidence that the cell number that the SMS was sent to belongs to you,” answered an executive in an e-mail.

She asked to remain anonymous, adding that I should contact my service provider and ask them for confirmation of my cell number.

That my number is included in my official signature to the bottom of every email I sent to Scorpion Legal Services was not acceptable. “Anyone can send an e-mail and sign it with a cell number,” according to Scorpion.

That the executive called me on the number, and insisted on recording the conversation, including my verbal declaration that it is my number, did not help either as “you could have picked up the phone in the street”.

One would have thought that getting confirmation of your own cellphone number would be easy.

It took several calls to get hold of a human at the MTN call centre, who referred me to a different department. Unfortunately, the call looped back to the same call centre menu.

Someone said the information would be readily available in an MTN store, but the shop assistant referred me back to the call centre.

The MTN press office eventually explained: “As per the Numbering Plan Regulations 2016 numbers are a national resource and are neither owned by the licensee to whom they have been allocated to nor the subscriber to whom a number is assigned.

“We have noted that the [number] is currently on Pay As You Go, therefore MTN does not keep personal records that were used to register or activate the number. These are kept under [the] Regulation of Interception of Communications and Provision of Communication-Related Information Act and this information can only be made available to parties via Subpoena 205 [court order].

“MTN is not authorised to provide written confirmation that the user is the owner of the mobile number,” according to MTN.

Common sense

Management of the firm that runs advertising campaigns and generates leads for Scorpion Legal Services responded to my queries directly.

Stephanus van Deventer, MD of Black Moon Investments (BMI), went the extra mile to answer my queries. Actually, he drove 500km because he insisted on a face-to-face meeting.

“I delegate a lot of tasks, but I deal with complaints myself,” he says, “and more than one of your queries led to BMI.”

The meeting was informative, explaining how this small part of the digital marketing industry works.

Van Deventer provided proof that I opted in on his database after responding to an earlier general advertising campaign.

“Based on [the] aforementioned response and relationship established, the data subject was profiled as a high propensity responder to a number of products and services and would therefore have been included in product and service offerings targeted via direct various marketing efforts through the respective electronic channels,” concluded his investigation into the queries.

BMI also sent messages on behalf of Sanlam, Liberty, Apex Motor Warranties and Hollard Life, all of whom have responded to Moneyweb’s queries and answered questions.

Van Deventer explained that the industry went through consolidation as a result of Popia. “I welcome the new act. It is good for the industry as a lot of ‘garage’ outfits closed down,” he says by way of explaining why BMI works for a lot of clients.

However, he admitted to and apologised for an internal problem which resulted in many messages from different (and competing) companies.

The discussion on opting in on a database was interesting, and frightening.

While an advertisement might carry the name of a well-known company that somebody is willing to share personal information with, you opt in to a general database owned by a service provider – because nobody ever bothers to read the terms and conditions or privacy policy before ticking the box.

Forced consent

Sending an e-mail to a company by using the handy enquiry form on their website will often opt in the sender, once again due to not reading the terms and conditions.

This can be seen as forced consent, if the contact form is the only available method of contacting a company, or other contact details are difficult to find.

An interaction with LegalWise – also after receiving a marketing message – serves as an example.

LegalWise responded to the original questions as to why I was receiving marketing messages with the following explanation: “We have confirmed that the SMS messages were sent by a network partner of Reach Republic, one of the third party lead providers used by LegalWise. Reach Republic has confirmed that the message was sent to yourself in error and it was never the intention to communicate the message to yourself.

“The error was a result of a recent data update on the part of the network partner in which your number was incorrectly linked to another party for whom the message was intended.”

LegalWise says it had none of my personal information prior to me using the Contact Us form on its website to query the marketing messages.

They now have my name, surname, telephone number and e-mail address, because I ‘opted in’ when I clicked the submit button on their contact form.

The privacy policy includes: “By submitting your details and/or using the Website you accept the terms and conditions of the policy and expressly consent to the collection, use and disclosure of your personal information in the manner described below. If you object to, or disagree with, any of the terms and conditions of use or with any of the potential uses described in this policy, please leave the Website immediately.”

Opt out

It clearly is easy to opt in to marketing messages and agree to the sharing of your personal information.

Fortunately, there is a way to opt out too.

The Direct Marketing Association of SA (DMASA) offers an opt-out service that will add a telephone number to do-not-contact list.

Members of the umbrella body should check their contact lists against the DMASA database regularly to prevent them from irritating potential customers.

Being marketers, DMSA puts a positive twist on it. “Registering may prevent you from receiving information which you want – thereby cutting you off from relevant and worthwhile opportunities.

“For example you may miss out on special sales or miss the opportunity to support charities who use telemarketing as an economical way to raise awareness and much needed support.”

Listen to Nompu Siziba’s interview with Webber Wentzel’s Wendy Tembedza:



Sort by:
  • Oldest first
  • Newest first
  • Top voted

You must be signed in and an Insider Gold subscriber to comment.


I know this as a fact, having been subject to it, the biggest offenders in selling personal information are the banks.

Followed by: Network operators, ITC, licensing department, rates department etc.

Prior to FICA your personal information was relatively safe. Post FICA KYC bull your information is lying around in boxes all over the place. When I joined Barclays bank in the early 1980’s we had to sign an agreement that forbid any staff member in the bank from divulging any client information. How many people do you think have signed this in the Vodacom stores for example, yet you have to give 3 months bank statements, proof of residence and a copy of your ID when applying for a contract. Where does that information end up one wonders.

Has FICA stopped any illegal activities, no it has just made the bad guys more creative. Consider the stupidity of RICA on a cell phone for a moment. The RICA information is only ever correct once. There is NO LEGAL obligation to inform the network if you have a prepaid phone that you have moved. How stupid is that regulation. Only the honest guys are properly Rica’d anyway.

You can even scrape FaceBook for clients details.

Please don’t get me started on the useless KYC department and their FICA nonsense.

Another useless law imported from the US after their “terror” attacks.

I want to know how many people exactly have been caught by RICA who are involved in criminal activity. It seems they cannot stop the criminals in the regime whatsoever but Mr Joe has to take on the responsibility of providing document after document to the banks and regimes.

Where are those documents going to? How secure are they? Does RICA actually work or are we just copying from Big Brother states because it looks cool?

The think the Scorpion Executive was 100% correct to ask for the verification that the number belonged to him. His argument that he was called on the phone and he said that it was him and that the number was on the bottom of his emails is absolutely preposterous. That’s not verification. It could have been anyone answering the phone or creating and sending an email etc. Of course, you have to be extra cautious given all the scams/ phishing out there, which often emanate from phone calls and emails… the very thing which the executive is been asked to simply trust on his say so. In my mind, She was doing the right thing and applying POPIA.

In any event, if she had just given him the information without the proper verification, who says that this could also not have been used by him against her to say she was in breach of POPIA because she had provided information without doing a verification. You never know what angle a journalist is seeking to take.

Don’t you need to RICA your phone anyway, so how difficult was it for him to provide proof that it was his number. The slating of Scorpion would have been of more value if he had provided her with the required proof and he still didn’t get the information he needed.

As a consumer, I am impressed that she didn’t jump into the trap of providing Mr. Kruger with information simply because he was a journalist. Kudos to the executive.

Rica and ficas sole purpose wasn’t to stop any crime…. It was just to keep an eye on what the milk is up to…… Just think if it was to stop crime and money laundering none of the burnt toast would have been able to pull off any of that digital vibes play….. But they did and it was a lone journalist that bust them….. Not fica or Rica.

In future, whenever i fill out forms and asked to furnish my cell no, i’ll supply the number of CEO’s of all banks and request that my preferred method of contact will be via mail

I am so sick and tired of these calls

Thankfully you can now report and block these numbers on Truecaller..I find that helps

@bobsmith.. The criminals are the same people who create the laws

Lets just call them the Governing party so as not to beat about the bush

A good example was the ban on cigarettes during Lockdown

In retrospect, one realises it was a total overkill and we know who’s family benefitted

A year down the line and mums the word

They roll out new laws like they roll out cadre deployment

TrueCaller …..probably the most essential smartphone app

I found the most wonderful inventions on my phone called “block number” and “report number”.

Now I have less stress answering calls from unknown numbers. First question is always : Who is calling?

Some of the more persistent scam artists keep calling but use different numbers each time. Then they get the POPIA lecture and eventually give up.

The latest trick is to ask you for a phone number when registering on a website. Seems they believe this allows them to invade your space.

Unless I think whoever is asking really needs my number, i.e. I want to be contactable, I always suffer a temporary case of dyslexia when writing my phone number. I just hope I haven’t inconvenienced too many people who are at the other end of my made up number.

No don’t do that…… Keep the fool on the line for as long as possible…. With some Mmmmm, yes…. OK… Just explain that again……. These animals are paid on commission – nothing gets yr name thrown off thier lists quite like someone that wastes there time.. Try it – my best was almost 25 min..

What amuses me is when companies, some with whom I have been dealing with for many years, send me irrelevant adverts that anyone who knew me in the slightest would know are totally unsuitable. The solicit always starts off with an ingenuine personalised salutation that includes my first name, so naturally I assume they have my contact details. It proves to me that some of the SA’s most prominent companies don’t know their customers at all.

I’ve had many of those “how are you’s” calls. My regular response is: “Fine, what are you selling”. Gets them somewhat flustered for a second or two but most are then adamant they are not selling. I’m thinking of responding with the lie that “besides being diagnosed with stage 5 cancer, I’m fine – and you?”, but then that might be tempting fate a bit too far. Need to do some work on more creatively shocking answers.

My favourite one are the calls selling funeral policies, Clientele at the top of the list

Once they’re done with the sales pitch i tell them i’m not the owner of the phone but his brother and i’m at his funeral..Can we still take out a policy for him i ask?

And by the way, pop around for some funeral eats, the koeksisters and cheese sandwiches are delicious

That Scorpion executive’s arrogance and attitude deserves that you lay a charge under POPIA.

Yes. What a terrible response designed to avoid actually answering how they got that number. That an executive would be so deliberately obtuse and rude is disgusting.

I would like to know if readers would feel the same if they knew that there are convenient truths left out of this story. What if a response was provided to the journalist the same day and within two days the lead providers and Company had opted out, the cell number given, of their databases for future marketing and had directed the journalist to list the number on DMA. What if, out of courtesy, a follow up e-mail was sent to the journalist two weeks later. There’s a failure to disclose that the lead providers were ASKED to contact him. What if the cell number was listed as belonging to someone else and that is why the specific opt in information could not be provided. POPIA protects giving out information to anyone else but the data subject. What if the data subject listed as the opt in is not Adriaan Kruger? Don’t be sheep.There’s always more to the story…

I would like to know if readers would feel the same if they knew that there are convenient truths left out of this story. What if a response was provided to the journalist the same day and within two days the lead providers and Company had opted out, the cell number given, of their databases for future marketing and had directed the journalist to list the number on DMA. What if, out of courtesy, a follow up e-mail was sent to the journalist two weeks later. There’s a failure to disclose that the lead providers were ASKED to contact him. What if the cell number was listed as belonging to someone else and that is why the specific opt in information could not be provided. POPIA protects giving out information to anyone else but the data subject. What if the data subject listed as the opt in is not Adriaan Kruger? Don’t be sheep. There’s always more to the story…

Excellent article, thanks.

Cellular telecom companies sell information. I got a new SIM – nobody has the number except the SIM supplier – then in comes the spam!

…yes, we think we are “customer”, but in fact our information is “the product” being sold on to others.

Agreed. Each and every person using the internet is a prize product of Google, plus the rest of the data miners lurking in the land of digital communication.

The cell phone networks are quick to recycle unused phone numbers nowadays, both my previous numbers have new owners already. That might explain spam messages on a “new” number

It’s gotten to the point where I don’t bother answering the phone if I don’t recognise the number.

From cold calls to the DA’s automated voice calls. Block block block.

Used to do the same. Be careful, I missed a few important calls from medical practitioners.

Agree – my phone is set that it does not even ring if the number is not recognized on my phone. If it is/was important, they will leave a voicemail – which doen not happen 99.9% of the time.

I get harassed by DA SMS messages, alleging that I am registered to vote in northern Joburg somewhere. I’ve never lived in Joburg. Wonder where the DA gets its defective data from?

When and article like this is produced from time o time we name and shame them. My bug bear is Luno who keep sending me messages offering me loans at stupid interest rates. When I block one nmber they send from another number to date I have probably blocked 10 of their number.
Pathetic that we have these trolls clogging up networks

Banks will be subject to Open Banking protocol soon which will allow others to access their clients’ information.

The thing with POPI is that the recourse is very slow and poorly executed at the moment for those contravening the law.

All my experiences in this regard have been with financial institutions e.g. banks and insurance pimping their products. Some companies that are in various branches of the industry also leverage your existing information. e.g. Discovery Health being used to pimp Discovery Bank.

The most pestering ones for me have been Dawn Wing couriers who are incorrectly messaging me for someone receiving parcels in Pretoria. They have been doing this for about a year and I can’t get hold of them and they refuse to respond to messages to get the details changed.

The other is estate agents that are fishing at the moment. Contacting everyone that they possibly can. My mom (in a different city) is getting messages from agents in my area addressing me to sell my house or give a valuation.

It’s chaos out there.

I have received sms’s and calls from the DA. At no point did I register with them. This is clearly in violation of the POPIA act. They are serious offenders and should be investigated.

They got my number because I went online to check my voter registration status. Maybe Adriaan can check with the IEC and the DA as to how this works?

In many cases party affiliation is a highly confidential matter. Being associated with a political party can be hazardous to your health, especially in KZN.

Don’t you normally just shout across the valley to talk to someone else?

@EFF. You SHOULD register with the DA! I dare you….

The cold callers peddling extra phones, funeral policies or insurance on my hardly used decoder I love to string along till they ring off.

It’s the “hello how are you” as if you are long lost buddies with this robotic, incoherent mong on the other end that gets me …what happened to a more courteous introduction of who you are and who you represent and are you interested in X and if not, can we remove your details from our marketing data-base to avoid irritating you in future with our unsolicited nuisance calls.

Try asking them for their home number so when you are finished with your business you can call them back later in the night!

That usually results in “we are not allowed to give out personal numbers’….and neither do I, so take a hike….click!

Or just keep on repeating, hello, hello, hello….that usually flummoxes them and they hang up after numerous and fruitles exchanges of nothing more than back and forth “Hellos”…..my record is 15 such “duets”, before the caller mutters something, hangs up believing they cant be heard and moves on to terrorise the next unsuspecting mug!

“Hello, hello, hello, . . . ” What a good idea!! Thanks for simple solution to these irritating callers.

Thanks. I will certainly add your strategies to my arsenal.

I sometimes entertain myself by trying to get the caller to hang up.

Like this one lady from Vodacom. I told her I already have a cell phone so she asks me what about a phone for a loved one? I said “I don’t have a loved one. Do you want to be my loved one?” She didn’t call again


I no longer get any of these calls after assiduously blocking and deleting but when I did, I used ask where they’re phoning from, what’s the weather like, do they have any children, is it a nice office with a canteen, do you have a view etc … and then when I got bored I would say: “It’s been lovely chatting to you, have a wonderful day!”

And hang up …

I would pay to know how Adriaan managed to speak to a human at MTN. I tried so hard and searched the Internet – no success.

I want MTN to delete my details from their system. I had a data-SIM many years ago. Then probably an “insider” fraudulantly took my details and took out 2 contracts. After a lot of effort the accounts were closed and the matter “resolved”, but this can happen any time again for as long as they have my “profile”.

Hours spent trying to speak to anything but a computer- no luck. Even an email to their fraud department send an auto reply to contact their call centre?

POPIA is a joke – try communicate with the Information Regulator, or lodge as an Information officer on their portal and you can’t, its easier to find an honest cadre. BTW, the Department of Justice is subject to an ongoing ransomware attack, the very department that manages POPIA and national data security rules – bwahahahahahahaha!! You CANNOT make this stuff up …

Fica, Rica, PPIA, Bank Acts, blah, blah, blah,in the new SA it all means diddly squat, Nige can get off the plane from Lagos and open any account he wants quicker than any honest SA citizen, AND he can get hold of your info and use it without you knowing! There’s rules, then there’s ways and means that trump the rules and preventatives quickly!

The challenge with consenting to give personal information, or just ticking the box, is due to very long terms and conditions as well as privacy policies that are not written in plain language. The notion of forced consent is so subtle that it is not easily noticiable to most people. The fraudsters also use our personal information and don’t care about responding to the question “where did you get my numbers from”

The SA public is becoming confused.

First we get the Promotion of ACCESS TO Information Act (“PAIA”)

And now the “PROTECTION OF Personal Information Act (“POPIA”)

In summary thus, on the one end, PAIA is an “Access” law, all about Freedom of Information.
POPIA on the other end, is about Privacy – prevention of exposure of information.

I’m lost too!

The use of VOIP numbers (087…) for advertising campaigns must be prohibited as it costs the offenders basically noting to harass the public.

These companies must be forced to phone us from their business numbers and they must be charged at least R10 a minute by the network provider when they harass us like this.

In my opinion it is criminal how they invade our privacy and harass us as citizens on our private phones.

I’ve “Opt out” numerous times with Direct Axis but they just keep on contacting me on a regular basis, ignoring my request to Opt out.

Hollard insurance is the worst of I’ve experienced. Phoning 14 times in a row when blocked by Truecaller.

I have appreciation for the POPI act and its reason to be, but I also have a large number of contact details on my PC, which I obtained before the POPI law was enacted, AND which I can’t remember the source of. So do many other people and companies. Where do we draw which lines: If someone bought my contact detail 3 years ago, may I sue them because I hadn’t – then – given permission? And if I use the detail of someone he hadn’t given permission for at the time I had obtained it? This is relevant right now. Thank you

The POPIA act expected you to destroy all personal detail you had this year, up to a point, given a certain time limit. Therefore nobody should be sitting on piles of old and obsolete customer details. If another party now use the detail of data you provided them with 3 years ago, they are at fault, not you, as they were supposed to destroy it.

I would like to know if readers would feel the same if they knew that there are convenient truths left out of this story. What if a response was provided to the journalist the same day and within two days the lead providers and Company had opted out, the cell number given, of their databases for future marketing and had directed the journalist to list the number on DMA. What if, out of courtesy, a follow up e-mail was sent to the journalist two weeks later. There’s a failure to disclose that the lead providers were ASKED to contact him. What if the cell number was listed as belonging to someone else and that is why the specific opt in information could not be provided. POPIA protects giving out information to anyone else but the data subject. What if the data subject listed as the opt in is not Adriaan Kruger? Don’t be sheep.There’s always more to the story…

End of comments.




Instrument Details  

You do not have any portfolios, please create one here.
You do not have an alert portfolio, please create one here.

Follow us:

Search Articles:
Click a Company: