The Protection of Personal Information Act, No.4 of 2013 (POPIA), hereinafter referred to as
“the Act”, provides in terms of Section 40 for establishing an Information Regulator to exercise
certain powers and perform certain duties and functions. One of these duties includes
receiving and investigating complaints about alleged privacy violations of data subjects.
First, it is important to understand the definition of the “Parties to a dispute”, which comprises
the data subject and the responsible party involved in the complaint.
A complaint submitted to the Regulator must be in writing by completing what is called a “Form
5”. This complaint form can be accessed online on the Regulator’s website and is available at
the Regulator’s offices during office hours.
Will the Regulator handle all complaints relating to a data breach?
The Regulator may, in terms of Section 77(1) and (2) of the Act, decide to take no action or no further action regarding the complaint if:
- the subject matter of the complaint is trivial;
- the complaint is frivolous, vexatious or is not made in good faith;
- the complainant does not desire that action be taken or be continued;
- the complainant does not have a sufficient personal interest in the complaint;
- the complaint and its cause of action arose before 1 July 2021.
If a prior complaint is still pending before another regulatory body or tribunal, or the complaint falls under the exclusive jurisdiction of another regulatory body or tribunal, the Regulator will not entertain such a complaint.
The process for the appeal of an investigation relating to a complaint:
A responsible party who has received an information or enforcement notice may, within 30 days after receiving same, appeal to the High Court having jurisdiction for the setting aside or variation thereof.
A complainant who has been informed of the Regulator’s decision, in terms of Section 77(3) of the Act, to take no action or no further action on a complaint may appeal against the decision to the High Court within 180 days of receiving it.
A complainant who is aggrieved by the Regulator’s decision to cancel or vary an enforcement notice in Section 96 of the Act may, within 180 days of receiving the decision, appeal against the decision to the High Court.
Rules of procedure detailing how a complaint must be submitted and handled by the
Information Regulator:
An appeal application must be served under the applicable rules of the High Court on all the
parties to a complaint, including the Regulator. The Regulator must inform the complainant
and the responsible party under Form 17 of the Regulations within seven days of receipt of
the appeal application.
An appeal application does not suspend the Regulator’s decision appealed against unless the
High Court determines otherwise. Within seven days of receipt of the court order in an appeal
application, the Regulator must inform the complainant and the responsible party on
Form 18 of the Regulations.
It is therefore clear that there are strict rules, procedures and timelines to follow when lodging
a complaint if one believes there has been a data breach on the part of the responsible party.
Want to know more about the procedures pertaining to Data Breaches? Contact your nearest
SEESA Consumer Protection and POPI Legal Advisor. Alternatively, leave your contact
details on our website, and we will contact you.
About the author
Jaco Lombard is a Labour and Consumer Protection & POPI legal advisor at the SEESA Bloemfontein branch. He obtained his LL.B from the University of the Free State in 2019 and was admitted as an Attorney of the High Court of South Africa in June 2022.
Resources
* Protection of Personal Information Act, No. 4 of 2013 (POPIA)
* Information Regulator, Guidance Note, published October 2021