For the purposes of this Chapter, interference with the protection of the personal information of a data subject consists, in relation to that data subject, of—any breach of the conditions for the lawful processing of personal information as referred to in Chapter 3;
non-compliance with section 22, 54, 69, 70, 71 or 72; or
a breach of the provisions of a code of conduct issued in terms of section 60.
Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject.
A responsible party or data subject may, in terms of section 63(3), submit a complaint to the Regulator in the prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.
A complaint to the Regulator must be made in writing.
The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who wishes to make a complaint to the Regulator, to put the complaint in writing.
On receiving a complaint in terms of section 74, the Regulator may—conduct a pre-investigation as referred to in section 79;
act, at any time during the investigation and where appropriate, as conciliator in relation to any interference with the protection of the personal information of a data subject in the prescribed manner;
decide, in accordance with section 77, to take no action on the complaint or, as the case may be, require no further action in respect of the complaint;
conduct a full investigation of the complaint;
refer the complaint, in terms of section 92, to the Enforcement Committee; or
take such further action as is contemplated by this Chapter.
The Regulator must, as soon as is reasonably practicable, advise the complainant and the responsible party to whom the complaint relates of the course of action that the Regulator proposes to adopt under subsection (1).
The Regulator may, on its own initiative, commence an investigation into the interference with the protection of the personal information of a data subject as referred to in section 73.
The Regulator, after investigating a complaint received in terms of section 73, may decide to take no action or, as the case may be, require no further action in respect of the complaint if, in the Regulator’s opinion—the length of time that has elapsed between the date when the subject matter of the complaint arose and the date when the complaint was made is such that an investigation of the complaint is no longer practicable or desirable;
the subject matter of the complaint is trivial;
the complaint is frivolous or vexatious or is not made in good faith;
the complainant does not desire that action be taken or, as the case may be, continued;
the complainant does not have a sufficient personal interest in the subject matter of the complaint; or
in cases where the complaint relates to a matter in respect of which a code of conduct is in force and the code of conduct makes provision for a complaints procedure, the complainant has failed to pursue, or to pursue fully, an avenue of redress available under that complaints procedure that it would be reasonable for the complainant to pursue.
Notwithstanding anything in subsection (1), the Regulator may in its discretion decide not to take any further action on a complaint if, in the course of the investigation of the complaint, it appears to the Regulator that, having regard to all the circumstances of the case, any further action is unnecessary or inappropriate.
In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must inform the complainant of that decision and the reasons for it.
If, on receiving a complaint in terms of section 74, the Regulator considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of another regulatory body established in terms of any law, the Regulator must forthwith determine whether the complaint should be dealt with, in whole or in part, under this Act after consultation with the body concerned.
If the Regulator determines that the complaint should be dealt with by another body, the Regulator must forthwith refer the complaint to that body to be dealt with accordingly and must notify the complainant of the referral.
Posted on
Before proceeding to investigate any matter in terms of this Chapter, the Regulator must, in the prescribed manner, inform—the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant), of the Regulator’s intention to conduct the investigation; and
the responsible party to whom the investigation relates of the— details of the complaint or, as the case may be, the subject matter of the investigation; and
right of that responsible party to submit to the Regulator, within a reasonable period, a written response in relation to the complaint or, as the case may be, the subject-matter of the investigation.
If it appears from a complaint, or any written response made in relation to a complaint under section 79(b)(ii), that it may be possible to secure—a settlement between any of the parties concerned; and
if appropriate, a satisfactory assurance against the repetition of any action that is the subject matter of the complaint or the doing of further actions of a similar kind by the person concerned,
the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the prescribed manner, use its best endeavours to secure such a settlement and assurance.
For the purposes of the investigation of a complaint the Regulator may—summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the complaint, in the same manner and to the same extent as the High Court;
administer oaths;
receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Regulator sees fit, whether or not it is or would be admissible in a court of law;
at any reasonable time, subject to section 81, enter and search any premises occupied by a responsible party;
conduct a private interview with any person in any premises entered under section 84 subject to section 82; and
otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section 82.
A judge of the High Court, a regional magistrate or a magistrate, if satisfied by information on oath supplied by the Regulator that there are reasonable grounds for suspecting that—a responsible party is interfering with the protection of the personal information of a data subject; or
an offence under this Act has been or is being committed, and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, that are within the jurisdiction of that judge or magistrate, may, subject to subsection (2), grant a warrant to enter and search such premises.
A warrant issued under subsection (1) authorises any of the Regulator’s members or staff members, subject to section 84, at any time within seven days of the date of the warrant to enter the premises as identified in the warrant, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal information and to inspect and seize any record, other material or equipment found there which may be such evidence as is mentioned in that subsection.
A judge or magistrate must not issue a warrant under section 82 unless satisfied that—the Regulator has given seven days’ notice in writing to the occupier of the premises in question demanding access to the premises;
either—access was demanded at a reasonable hour and was unreasonably refused; or
although entry to the premises was granted, the occupier unreasonably refused to comply with a request by any of the Regulator’s members or staff to permit the members or the members of staff to do any of the things referred to in section 82(2); and
that the occupier, has, after the refusal, been notified by the Regulator of the application for the warrant and has had an opportunity of being heard on the question whether the warrant should be issued.
Subsection (1) does not apply if the judge or magistrate is satisfied that the case is one of urgency or that compliance with that subsection would defeat the object of the entry.
A judge or magistrate who issues a warrant under section 82 must also issue two copies of it and certify them clearly as copies.
A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under section 82 may overcome resistance to the entry and search by using such force as is reasonably necessary.
A warrant issued under this section must be executed at a reasonable hour unless it appears to the person executing it that there are reasonable grounds for suspecting that the evidence in question would not be found if it were so executed.
If the person who occupies the premises in respect of which a warrant is issued under section 82 is present when the warrant is executed, he or she must be shown the warrant and supplied with a copy of it, and if that person is not present a copy of the warrant must be left in a prominent place on the premises.
A person seizing anything in pursuance of a warrant under section 82 must give a receipt to the occupier or leave the receipt on the premises.
Anything so seized may be retained for as long as is necessary in all circumstances but the person in occupation of the premises in question must be given a copy of any documentation that is seized if he or she so requests and the person executing the warrant considers that it can be done without undue delay.
A person authorised to conduct an entry and search in terms of section 82 must be accompanied and assisted by a police officer.
A person who enters and searches any premises under this section must conduct the entry and search with strict regard for decency and order, and with regard to each person’s right to dignity, freedom, security and privacy.
A person who enters and searches premises under this section must before questioning any person—advise that person of the right to be assisted at the time by an advocate or attorney; and
allow that person to exercise that right.
No self-incriminating answer given or statement made to a person who conducts a search in terms of a warrant issued under section 82 is admissible as evidence against the person who gave the answer or made the statement in criminal proceedings, except in criminal proceedings for perjury or in which that person is tried for an offence contemplated in section 102 and then only to the extent that the answer or statement is relevant to prove the offence charged.
Subject to the provisions of this section, the powers of search and seizure conferred by a warrant issued under section 82 must not be exercised in respect of—any communication between a professional legal adviser and his or her client in connection with the giving of legal advice to the client with respect to his or her obligations, liabilities or rights; or
any communication between a professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act, including proceedings before a court, and for the purposes of such proceedings.
Subsection (1) applies also to—any copy or other record of any such communication as is mentioned therein; and
any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are mentioned therein.
If the person in occupation of any premises in respect of which a warrant is issued under this Act objects to the inspection or seizure under the warrant of any material on the ground that it—contains privileged information and refuses the inspection or removal of such article or document, the person executing the warrant or search must, if he or she is of the opinion that the article or document contains information that has a bearing on the investigation and that such information is necessary for the investigation, request the Registrar of the High Court which has jurisdiction or his or her delegate, to attach and remove that article or document for safe custody until a court of law has made a ruling on the question whether the information concerned is privileged or not; or
consists partly of matters in respect of which those powers are not exercised, he or she must, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers.
A warrant issued under section 82 must be returned to the court from which it was issued— after being executed; or
if not executed within the time authorised for its execution, and the person who has executed the warrant must make an endorsement on it stating what powers have been exercised by him or her under the warrant.
The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other person must make an assessment in the prescribed manner of whether an instance of processing of personal information complies with the provisions of this Act.
The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on request, the Regulator has not been supplied with such information as it may reasonably require in order to—satisfy itself as to the identity of the person making the request; and
enable it to identify the action in question.
The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment include— the extent to which the request appears to it to raise a matter of substance;
any undue delay in making the request; and
whether or not the person making the request is entitled to make an application in terms of section 23 or 24 in respect of the personal information in question.
If the Regulator has received a request under this section it must notify the requester— whether it has made an assessment as a result of the request; and
to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by the Regulator in terms of section 37 from section 23 or 24 applying in relation to the personal information concerned, of any view formed or action taken as a result of the request.
If the Regulator—has received a request under section 89 in respect of any processing of personal information; or
reasonably requires any information for the purpose of determining whether the responsible party has interfered or is interfering with the personal information of a data subject,
the Regulator may serve the responsible party with an information notice requiring the responsible party to furnish the Regulator, within a specified period, in a form specified in the notice, with a report indicating that the processing is taking place in compliance with the provisions of the Act, or with such information relating to the request or to compliance with the Act as is so specified.
An information notice must contain particulars of the right of appeal conferred by section 97, and—in a case falling within subsection (1)(a), a statement that the Regulator has received a request under section 89 in relation to the specified processing; or
in a case falling within subsection (1)(b), a statement that the Regulator regards the specified information as relevant for the purpose of determining whether the responsible party has complied, or is complying, with the conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that purpose.
Subject to subsection (5), the period specified in an information notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.
A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three days beginning with the day on which the notice is served.
An information notice may not require a responsible party to furnish the Regulator with any communication between a—professional legal adviser and his or her client in connection with the giving of legal advice on the client’s obligations, liabilities or rights under this Act; or
professional legal adviser and his or her client, or between such an adviser or his or her client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before a court) and for the purposes of such proceedings.
In subsection (6) references to the client of a professional legal adviser include any person representing such a client.
An information notice may not require a responsible party to furnish the Regulator with information that would, by revealing evidence of the commission of any offence other than an offence under this Act, expose the responsible party to criminal proceedings.
The Regulator may cancel an information notice by written notice to the responsible party on whom it was served.
After completing the assessment referred to in section 89 the Regulator—must report to the responsible party the results of the assessment and any recommendations that the Regulator considers appropriate; and
may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.
The Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so.
A report made by the Regulator under subsection (1) is deemed to be the equivalent of an enforcement notice in terms of section 95.
After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such complaint or other matter to the Enforcement Committee for consideration, a finding in respect of the complaint or other matter and a recommendation in respect of the proposed action to be taken by the Regulator as referred to in section 93.
The Regulator may prescribe the procedure to be followed by the Enforcement Committee, including—the manner in which the responsible party and data subject may make submissions to the Enforcement Committee;
the opportunity afforded to the parties who make submissions to the Enforcement Committee to make use of legal or other representation;
the period within which the Enforcement Committee must make a finding and submit its recommendation to the Regulator in respect of the complaint or other matter; and
the manner in which the Enforcement Committee may finalise urgent matters.
The Enforcement Committee—must consider all matters referred to it by the Regulator in terms of section 92 or the Promotion of Access to Information Act and make a finding in respect thereof; and
may make any recommendation to the Regulator necessary or incidental to any action that should be taken against—a responsible party in terms of this Act; or
an information officer or head of a private body, as the case may be, in terms of the Promotion of Access to Information Act.
If an investigation is made following a complaint, and—the Regulator believes that no interference with the protection of the personal information of a data subject has taken place and therefore does not serve an enforcement notice;
the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 92;
an enforcement notice is served in terms of section 95;
a served enforcement notice is cancelled in terms of section 96;
an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section 97; or
an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of section 98,
the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner prescribed of any development mentioned in paragraphs (a) to (f) and the result of the investigation.
If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the responsible party to do either or both of the following:to take specified steps within a period specified in the notice, or to refrain from taking such steps; or
to stop processing personal information specified in the notice, or to stop processing personal information for a purpose or in a manner specified in the notice within a period specified in the notice.
An enforcement notice must contain—a statement indicating the nature of the interference with the protection of the personal information of the data subject and the reasons for reaching that conclusion; and
particulars of the rights of appeal conferred by section 97.
Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does not apply.
A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the end of a period of three days beginning with the day on which the notice is served.
A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the conditions for the lawful processing of personal information.
If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with a condition for the lawful processing of personal information or conditions to which it relates, it may cancel or vary the notice by written notice to the responsible party on whom it was served.
A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.
A complainant, who has been informed of the result of the investigation in terms of section 77(3) or 96, may, within 180 days of receiving the result, appeal to the High Court having jurisdiction against the result.
If in an appeal under section 97 the court considers—that the notice or decision against which the appeal is brought is not in accordance with the law; or
that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised differently,
the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been served or made by the Regulator.
In such an appeal, the court may review any determination of fact on which the notice in question was based.
A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
In the event of a breach the responsible party may raise any of the following defences against an action for damages:vis major;
consent of the plaintiff;
fault on the part of the plaintiff;
compliance was not reasonably practicable in the circumstances of the particular case; or
the Regulator has granted an exemption in terms of section 37.
A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including—payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a result of breach of the provisions of this Act;
aggravated damages, in a sum determined in the discretion of the Court;
interest; and
costs of suit on such scale as may be determined by the Court.
Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:the full amount must be deposited into a specifically designated trust account established by the Regulator with an appropriate financial institution;
as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made to the data subject in terms of subsection (5); and
the balance, if any (in this section referred to as the ‘‘distributable balance’’), must be distributed by the Regulator to the data subject at whose request the proceedings were brought.
Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection (4), accrue to the Regulator in the Regulator’s official capacity.
The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate public media announcement as the Court considers appropriate.
Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or compromise must be made an order of Court.
If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such other public media announcement as the Court considers appropriate.