The Regulator has wide investigative powers for the purposes of investigating a complaint.

Every data subject has the right to complain to the Information Regulator, in the event of their information being processed unlawfully or non-compliantly. The Information Regulator has the power to handle complaints and deal with these.

Your internal complaints management framework should align with the Regulator’s to ensure a seamless, fair and transparent mechanism. It is therefore important to understand the process followed when complaints are managed, so that your organisation’s rights and responsibilities are clear.

Complaints may be received internally, and in such instance, there should be a robust policy and procedure to deal with these. Where a complaint is received by the organisation, this should be addressed in terms of your internal policy and procedure.


Your organisation must inform each person, before you collect, or continue to process any of their data, of their right to complaint to the Information Regulator. You also need to provide the details of the regulator when making this disclosure. These details are as follows:

The Information Regulator (South Africa) 33 Hoofd Street

Forum III, 3rd Floor Braampark

P.O Box 31533

Braamfontein, Johannesburg, 2017

Mr Marks Thibela Chief Executive Officer

Tel No. +27 (0) 10 023 5200, Cell No. +27 (0) 82 746 4173

Complaints email: General enquiries email: Website:


The Information Officer is responsible for ensuring compliance with the provisions and may be appointed as the organisation’s complaints officer.

Your organisation may appoint one or more other persons as a complaints officer however the information officer will be the contact person for the Information Regulator. Although there is no regulatory qualification or experience required, the person should be suitably qualified with the rights skills, and not be in a position where there is an actual or potential conflict of interest.

Whoever is appointed to manage complaints should be appropriately trained and have a good working knowledge of POPI and PAIA, as well as your internal policies and procedures. The person should have sufficient seniority in order to fulfill the role, and should report to the Information Officer, if the person is not the Information Officer themselves.


Complaints can be submitted to the Information Regulator where someone believes that you have interfered with the protection of personal information of a data subject.

“interference with protection of the personal information” means any breach of :

  • the conditions for the lawful processing of personal information
  • confidentiality by any person acting on behalf of, or under the direction of the Information Regulator
  • requirements in respect of the notification of security compromise
  • requirements in respect of direct marketing by unsolicited electronic communications
  • requirements in respect of directories
  • requirements in respect of automated decision-making
  • requirements when transferring personal information outside the Republic of South Africa
  • any code of conduct issued under the Act

Complaints must be submitted to the Information Regulator in writing. The Regulator must assist any person to put the complaint in writing, where this is necessary. The correct form must be used, so it is important to understand which must be used, under what circumstances. Where a data subject is complaining about data protection interference, he or she must complete part 1 of Form 5.

Where a complainant or the organisation wants to complain to the Information Regulator if aggrieved with the determination of an adjudicator, this must be done on Part II of Form 5.

The Regulator will follow a regulated process when dealing with any complaints and may decide to take no action, investigate the complaint, refer the matter to the Enforcement Committee or act as conciliator.

If the Regulator is satisfied that there has been interference with the personal information’s protection, it can issue an enforcement notice. This notice can require you to take specified steps within a certain time period or to stop processing personal information in totality, or to stop processing information for a specific purpose (e.g. direct marketing).

An enforcement notice can only apply a minimum of 3 days after which the notice was served. Where circumstances have changed which make the enforcement notice no longer necessary, the organisation may apply to have it cancelled.


An enforcement notice may be appealed if this is taken to the High court with jurisdiction within 30 days of the organisation being notified of the outcome. The provisions of the notice do not need to be complied with while it is taken on appeal.