Skip to content Skip to sidebar Skip to footer

POPIA: The Complaints Procedure

Article provided for SEESA

The promulgation of the POPIA has taken South Africa by storm and has left many businesses with the question of how they can practically implement the Act within their company and whether they will ever be fully POPIA compliant. Luckily, the Information Regulator has released regulations with guidelines to ensure we all have a better grip on POPIA and its implementation.

With consent documents looming on the one hand, and questionable marketing calls that are currently flooding consumers, one important question that is always raised is whether there is any recall for the general public towards any data breaches and the abuse of information that companies may take part in.

This article summarises the complaint procedure in terms of POPIA and an individual’s personal information.

Who may lodge a complaint?

In terms of the Act [1] and its Regulations [2], any person or person who has a sufficient interest in a data breach/abuse of data may complain.

How?

  • All complaints should be submitted in writing to the Information Regulator – either online or by completing a Form 5 which is available for download on the Information Regulator’s website under the tab “Documents” [3]. The Information Regulator also assists should there be the need to have the document translated;
  • Complaints must be lodged at a relevant complaints office within three years from the date of grievance noted. Complainants should bear in mind that this is only applicable to matters that occurred after the 01st of July 2021.[4];
  • Should a company receive a complaint, please note that the Information Regulator will notify the company, and the company can make written submissions against the complaint received. This must be done within 21 days of receipt of the complaint.

What information should be provided?

The following information is necessary when lodging your complaint [5]:

  • Name and surname/ registered name of the complainant;
  • What your identifier is (this could be an ID number, company name etc.);
  • Address of complainant;
  • Contact details (email, phone number etc.);
  • Your reasons for the complaint;
  • Details of the Responsible Party;
  • Address of the Responsible Party;
  • Contact details of the Responsible Party (email and telephone numbers).

Besides the above, you as a complainant may also include any other relevant information about the data breach/incident that may benefit your matter. A Complainant may also keep their identity anonymous – this can be done if the compliant requests it.

What happens next?

Once the Information Regulator has received your complaint, he/she has the prerogative to decide whether your complaint is valid and whether they will take action on the evidence you have provided. If it is decided that the complaint is indeed valid, the Information Regulator will investigate and conclude whether there will be a hearing. A complainant should exercise due care when lodging a complaint and ensure that all the information provided is accurate, correct and relevant.

Can a complainant have the complaint reviewed if it is denied?

The Information Regulator must give the Complainant justifiable grounds as to why the complaint is denied. Should the Complainant not be happy with such an outcome, or if more information has come to light, the Complainant may fill in an internal review application, namely a Form 20, which is also available on the Information Regulator’s website under the tab “Documents,” and lodge it within 14 days of receipt of the denied application.[6] Again, the Information Regulator will inform the Complainant of their decision. Should the Complainant still not be satisfied, they may approach a competent Court with jurisdiction to make a ruling on the decision of the Information Regulator.[7] A Complainant should also take note that such application to Court will be at the Complainant’s cost.

Should you require more information on the procedure, please do not hesitate to contact your Consumer Protection and POPI Legal advisor.

About the author

Brad Strydom stated his career at SEESA in 2021 and is currently a Consumer Protection and POPI Legal Advisor at SEESA’s Pretoria branch. He obtained both his BCom Law and LLB Degrees from the University of Pretoria. Brad is an admitted attorney.

Resources

  • Protection of Personal Information Act of 4 of 2013;
  • GN 1383, of GG No. 42110, 14/12/2018;
  • https://www.justice.gov.za/inforeg/legal/20211012-InfoReg-RulesOfProcedure-HandlingPOPIAcomplaints.pdf;
  • Information Regulator Website – https://www.inforegulator.org.za/;
  • Form 5 – https://www.justice.gov.za/inforeg/docs/forms/POPIA-ComplaintsForm5-eForm.pdf;
  • Form 20 – https://www.justice.gov.za/inforeg/legal/20211012-InfoReg-RulesOfProcedure-HandlingPOPIAcomplaints.pdf#page=36.
  • [1] Protection of Personal Information Act of 4 of 2013 (Hereafter referred to as “the Act”)
  • [2] GN 1383, of GG No. 42110, 14/12/2018
  • [3] Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator, October 2021; 8
  • [4] Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator, October 2021; 11
  • [5] Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator, October 2021; 9-11
  • [6] Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator, October 2021; 12
  • [7] Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Information Regulator, October 2021; 13

SEESA is a proud Partner of the NSBC

Get the best business tips delivered to your inbox!

© NSBC Africa 2023. All Rights Reserved.