South Africa
South Africa
Abstract Shape Background
South Africa

South Africa

South Africa

Senior management and organisation

Please identify the authority’s senior management.

Chairperson: Pansy Tlakula

Full-time member: Lebogang Stroom-Nzama

Full-time member: Collen Weapond

Part-time member: Sizwe Snail ka Mtuze

When was the head of the authority appointed?

The chair was appointed on 1 December 2018.

How long is their term of office?

Five years (renewable).

What is the process for nominating the head of the authority?

The chairperson and members are nominated through the same process. The process is as follows:

  • A committee of the National Assembly, composed of members of parties represented in the Assembly, publishes an advertisement in a national newspaper and on the parliament’s website calling for nominations.
  • The committee agrees on the candidates to be shortlisted for interviews.
  • The shortlisted candidates are interviewed by the committee. Interviews are open to members of the public and the media.
  • The committee recommends five names to the National Assembly.
  • The National Assembly approves the shortlisted candidates by a recommendation adopted with a supporting vote from a majority of the Assembly members.
  • The National Assembly then recommends the appointment of the members by the president of the Republic. The recommendation to the president must indicate which member should be appointed as the chairperson, and which ordinary members must be appointed in a full-time or part-time capacity.

What was the authority’s budget for the most recently available financial year?

27 million rand.

Contacting the authority

How and where should companies or their advisers contact the authority to notify a data breach?      

At the moment companies do not have an obligation to notify the Regulator of a data breach, because not all sections of the Protection of Personal Information Act 4 of 2013 (POPIA) have come into effect. However, the Regulator encourages proactive compliance. As such, companies may notify the Regulator of a data breach through its official email address, which is [email protected].                

Legal and enforcement framework

What are your investigative powers?

The investigative powers of the Regulator are as follows: The Regulator may:

  • summon and enforce persons to appear before it, and compel them to give oral or written evidence under oath, and to produce any records and items that the Regulator considers necessary to investigate a complaint and to the same extent as the High Court;
  • administer an oath;
  • receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that it sees fit, whether or not it is or would be admissible in a court of law; and
  • at any reasonable time, with a search warrant issued by a judge of the High Court, or a regional magistrate or a magistrate, search any premises occupied by a responsible party (a responsible party is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means of processing personal information).

Can you search premises or force the disclosure of information without having to approach the courts?


What fines can you impose on companies that breach data protection rules?

An administrative fine of up to 10 million rand.

What other measures can you take against companies that breach data protection rules?

The following measures are available:

  • an enforcement notice requiring the responsible party:
    • to take specified steps within a period specified in the notice, or to refrain from taking such steps; or
    • to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice;
  • a civil action for damages instituted by the Regulator on behalf of a data subject; and
  • criminal prosecution.

Priorities and the future

What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?

The priority for next year is to ensure that the remaining sections of POPIA come into effect. Since we cannot enforce compliance, we intend to engage the health sector and the direct marketing sector.

Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?

As already indicated, POPIA is not fully effective. It will be premature to consider reforms at this stage.

Unlock unlimited access to all Global Data Review content