Khanyitas

What Happens When a POPIA Complaint Reaches the Information Regulator?

23 May 2026 · Businesses facing a data subject complaint

If a customer, employee, or other data subject believes your business has mishandled their personal information, they have the right to lodge a formal complaint with the Information Regulator. Understanding how that process unfolds can help you respond constructively and avoid unnecessary escalation.

> Disclaimer: This article is general information based on published Information Regulator guidance and the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.

---

Who Can Complain, and About What?

Any person whose personal information has been processed by a responsible party — which includes most South African businesses — can submit a complaint to the Information Regulator. Common grounds include:

The complaint must first go through an internal resolution attempt with the responsible party before the Regulator will typically investigate. In practice, this means the data subject should have raised the issue with your business and received an unsatisfactory response — or no response at all.

---

Step 1: The Complaint Is Lodged

The data subject submits a written complaint to the Information Regulator, either via the Regulator's online portal or by email to complaints.IR@inforegulator.org.za. The Regulator's published guidance describes the complaint form and supporting documentation required. You can find current guidance on the Regulator's official website at www.inforegulator.org.za.

Note: the brief for this article references "section 74" as a target keyword. POPIA does contain provisions governing the Regulator's complaint and enforcement powers, but section 74 does not appear on our verified citation list. Rather than risk citing it inaccurately, we describe the process as the Regulator has published it publicly. For the precise statutory provisions, consult the Act directly via www.gov.za or seek legal advice.

---

Step 2: The Regulator Decides Whether to Investigate

Once a complaint is received, the Information Regulator reviews it to determine whether it falls within POPIA's scope and whether the internal-resolution requirement has been met. Not every complaint automatically proceeds to a full investigation. The Regulator may:

If an investigation is opened, your business — as the responsible party — will be notified and given the opportunity to respond. This is not the time to go silent. Engaging promptly and professionally is important.

---

Step 3: Your Business Is Asked to Respond

The Regulator will typically request a written response from the responsible party. This is where your documentation matters enormously. Being able to demonstrate:

...can make the difference between a complaint that is resolved in your favour and one that escalates.

This is precisely the kind of paper trail that a well-maintained compliance programme produces. If you cannot locate the relevant records, that gap becomes part of the problem.

---

Step 4: Conciliation or Formal Enforcement?

The Information Regulator has published that its preference is to resolve complaints through conciliation where possible — bringing both parties to an agreed resolution without formal enforcement proceedings. This can include agreeing to delete data, correcting inaccurate records (POPIA section 24), or implementing new internal procedures.

If conciliation fails, or if the Regulator finds evidence of a serious or ongoing contravention, the matter can be referred to the Enforcement Committee. The Regulator's enforcement powers under POPIA include issuing enforcement notices — formal directions requiring a responsible party to take specified steps — and, in serious cases, referring matters for criminal prosecution or administrative fines.

POPIA's administrative fines can reach R10 million, and certain offences carry imprisonment. These are not theoretical risks; the Information Regulator has publicly stated its intention to use enforcement powers actively.

---

Step 5: Enforcement Notices and Beyond

If an enforcement notice is issued against your business, it will specify what the Regulator requires you to do and within what timeframe. Failure to comply with an enforcement notice is itself a further offence under POPIA. Your business does have the right to appeal to the High Court against a Regulator decision — but that is an expensive and time-consuming route that most SMEs will want to avoid.

---

Practical Takeaways for South African Businesses

While every situation is different, the Information Regulator's published guidance and POPIA's own framework point to a few consistent themes:

  1. Have an internal complaints process. Data subjects should be able to raise concerns with you before going to the Regulator. Document every complaint and your response.
  2. Know your Information Officer. POPIA section 55 places specific duties on your designated Information Officer, including handling data subject requests and complaints.
  3. Keep records. POPIA section 17 requires documentation of processing activities. When the Regulator asks for evidence, you need to be able to produce it.
  4. Respond quickly. Delays in engaging with the Regulator — or with the data subject — tend to make matters worse, not better.
  5. Get legal advice early. If a complaint has been lodged with the Regulator about your business, consult a qualified attorney before you respond formally.

---

Where to Find Primary Information

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including if a complaint has already been lodged against your business — consult a qualified attorney.