Back to BlogCompliance

South Africa Leave Entitlements & POPIA Compliance: The SMB Owner's Guide (2026)

Zara·15 March 2026·9 min read

South Africa has some of the most detailed employment legislation on the continent. Between the Basic Conditions of Employment Act (BCEA), the Labour Relations Act (LRA), and the Protection of Personal Information Act (POPIA), there's a lot for small business owners to get right.

The good news: once you understand the basics, compliance isn't complicated. It just requires a system. Here's your guide to leave entitlements and employee data protection — the two areas where South African SMBs get tripped up most often.

Part 1: Leave Entitlements Under the BCEA

The Basic Conditions of Employment Act (No. 75 of 1997) sets minimum leave entitlements for all employees. These are floors, not ceilings — you can always offer more.

Annual Leave

Employees are entitled to 21 consecutive days of paid annual leave per year, or by agreement, 1 day for every 17 days worked or 1 hour for every 17 hours worked.

Important nuances:

  • The 21 days is consecutive calendar days, which works out to roughly 15 working days (excluding weekends)
  • Leave accrues from the first day of employment
  • Annual leave must be granted no later than 6 months after the end of the annual leave cycle
  • The employer and employee can agree on when leave is taken, but the employer cannot unreasonably refuse
  • Untaken leave can be paid out only on termination — during employment, leave must be taken
  • Leave cannot be bought out or replaced by payment while the employment relationship continues

Common confusion: "21 days" in South Africa means calendar days, not working days. This is different from Kenya (21 working days) and Ghana (15 working days). Make sure your policy is clear about this.

Sick Leave

Sick leave operates on a 3-year cycle, not annually:

  • Over every 36-month cycle, an employee is entitled to the number of days they would normally work in 6 weeks
  • For a standard 5-day-per-week employee, that's 30 working days over 3 years
  • During the first 6 months of employment, an employee is entitled to 1 day of sick leave for every 26 days worked

A medical certificate is required for absences exceeding 2 consecutive days or for any absence on a Monday, Friday, or the day before/after a public holiday (the so-called "sandwich rule" — employers can include this in policy).

Practical tip: Track sick leave on a rolling 36-month basis per employee, not per calendar year. This is where spreadsheets often fail — the calculation requires knowing the employee's exact start date and historical sick leave usage over 3 years.

Maternity Leave

Female employees are entitled to 4 consecutive months (approximately 17 weeks) of maternity leave.

  • Leave may begin at least 4 weeks before the expected date of birth, or on an earlier date if a medical practitioner certifies it's necessary
  • The employee may not work for 6 weeks after the birth, unless a medical practitioner certifies her fit to do so
  • The BCEA does not require the employer to pay maternity leave — however, the employee can claim from the Unemployment Insurance Fund (UIF), which pays up to 66% of salary (capped)
  • Many employers choose to top up the UIF payment to full salary as a benefit

What to include in your policy: Whether you offer paid maternity leave (beyond UIF), the notification timeline, required medical documentation, and how to apply for UIF maternity benefits.

Paternity Leave

Since the Labour Laws Amendment Act of 2018:

  • Employees are entitled to 10 consecutive days of unpaid parental leave at the birth of a child
  • They may claim from the UIF during this period
  • This applies to all parents, not just biological fathers — it covers adoption and commissioning parents in surrogacy as well

Note: Some employers offer paid paternity leave as a company benefit. If you do, specify this clearly in your policy.

Family Responsibility Leave

Employees who have worked for longer than 4 months and work at least 4 days per week are entitled to 3 days of paid family responsibility leave per year for:

  • The birth of a child (in addition to parental leave)
  • Illness of a child
  • Death of a spouse, life partner, parent, adoptive parent, grandparent, child, adopted child, grandchild, or sibling

This is a small allocation, and many employers supplement it with additional compassionate leave as a company benefit.

Public Holidays

South Africa has 12 public holidays per year:

| Date | Holiday | | ------------ | -------------------------- | | January 1 | New Year's Day | | March 21 | Human Rights Day | | Variable | Good Friday | | Variable | Family Day (Easter Monday) | | April 27 | Freedom Day | | May 1 | Workers' Day | | June 16 | Youth Day | | August 9 | National Women's Day | | September 24 | Heritage Day | | December 16 | Day of Reconciliation | | December 25 | Christmas Day | | December 26 | Day of Goodwill |

When a public holiday falls on a Sunday, the following Monday is a public holiday. Employees who work on a public holiday must be paid at double their normal rate.

Part 2: POPIA and Employee Data

The Protection of Personal Information Act (POPIA) has been fully enforceable since July 2021. It applies to every business that processes personal information — and employee records are personal information.

What POPIA Means for Your HR Records

As an employer, you are a "responsible party" under POPIA. This means:

1. You need a lawful basis for processing employee data. For most HR data, this basis is the employment contract (processing is necessary to carry out the contract) or legal obligation (you're required by law to keep certain records).

2. You can only collect what you need. Collecting an employee's religion, political affiliation, or medical history without a legitimate reason violates POPIA. Stick to what's necessary for employment, payroll, and legal compliance.

3. You must keep data secure. Employee records — whether digital or paper — must be protected against unauthorized access, loss, or damage. This means password-protected files, locked filing cabinets, and controlled access.

4. You must tell employees what you collect and why. A simple privacy notice in the employment contract or company handbook is sufficient. It should explain what data you collect, why, how long you keep it, and who has access.

5. Employees have the right to access their data. If an employee asks to see their personnel file, you must provide access within a reasonable timeframe.

6. You must have a data breach procedure. If employee data is compromised (laptop stolen, email hacked, documents leaked), you must notify the Information Regulator and affected employees.

Practical POPIA Compliance for SMBs

You don't need a data protection officer or expensive consultants. Here's the practical minimum:

  • Add a data privacy clause to your employment contracts explaining what data you collect and why
  • Limit access to employee files — not everyone in the company needs to see salary or medical information
  • Use secure storage — password-protected digital files or a proper HR system with role-based access
  • Stop sending employee documents via WhatsApp — it's convenient but not secure
  • Set retention periods — keep records for 5 years after employment ends, then dispose of them securely
  • Document your approach — a simple one-page data protection policy shows good faith

What the Information Regulator Can Do

The Information Regulator has the power to:

  • Issue enforcement notices requiring you to change practices
  • Impose administrative fines of up to R10 million
  • Refer cases for criminal prosecution (for serious violations)

While enforcement has so far focused on large organizations, SMBs are not exempt. Getting the basics right now costs very little and protects you significantly.

Bringing It Together

South African employment law is detailed, but manageable. The key is having a system — whether it's a well-maintained spreadsheet or an HR platform — that tracks leave on the correct cycles, stores documents securely, and gives you the records you need if the CCMA or Information Regulator comes calling.

For a small business, the highest-impact actions are:

  1. Write a clear leave policy covering all BCEA entitlements
  2. Track sick leave on 36-month cycles (not annually)
  3. Add a POPIA privacy notice to employment contracts
  4. Store employee documents in a secure, access-controlled system
  5. Keep records for 5 years after employment ends

Ready to fix your HR?

Cedrios is built for African businesses — compliant, simple, and free to start.