VIOLATIONS OF THE POPIA ACT
In the digital age, where personal information is a valuable commodity, safeguarding privacy has become paramount. South Africa recognised this need by enacting the Protection of Personal Information Act (POPIA) in 2013, with enforcement beginning in July 2021. POPIA aims to regulate the processing of personal information, ensuring that individuals’ privacy rights are respected and protected. However, despite its provisions, violations of these rights can still occur. In such cases, it’s crucial for individuals to understand how to apply their rights under POPIA.
Understanding the POPI Act:
POPIA outlines principles and conditions that entities must adhere to when processing personal information. These principles include accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation, and transparency. It applies to both public and private entities and covers various aspects of personal information processing, including collection, use, dissemination, and destruction.
Recognising Violations:
Violations of the Act can take various forms, such as unauthorised access to personal data, data breaches, inadequate security measures leading to data leaks, unlawful processing of personal information, and failure to obtain consent for processing. If individuals suspect that their rights under POPIA have been violated, they have the right to take action to protect their privacy and seek recourse.
Steps to Apply When Rights Are Violated:
1. Who may lodge a complaint?
- Any Data subjects whose personal information has been compromised in accordance with the provisions outlined in section 73 of the Act.
- Individuals acting on behalf of affected data subjects.
- Persons with a significant personal interest in the complaint.
- Dissatisfied responsible parties or data subjects.
- Individuals acting in the public interest.
2. Manner of lodging a complaint
To submit a complaint to the Regulator, it must be presented in writing, either by completing the online complaint form accessible on the Regulator’s website, or by utilising the complaints form, Form 5 as stipulated in the Regulations, which will be obtainable at the Regulator’s offices during official working hours and at any other office designated by the Regulator.
3. Submission of a complaint
A complaint can be lodged at the Regulator’s offices during official working hours, preferably in the vicinity where the incident or behavior being complained about occurred, or at any other office specifically designated by the Regulator for lodging complaints. Additionally, complaints may be submitted to the Regulator through various means: via facsimile, postal mail, courier service addressed to the Regulator’s physical address, or via email to a designated email address. Upon receiving a complaint, the Regulator is obliged to acknowledge its receipt and assign a reference number to the complaint within fourteen (14) days.
4. Information required when lodging a complaint.
Complaints under section 74(1) and (2) of the Act require specific personal details, including the Complainant’s name, unique identity number/company registration number, address, telephone/facsimile numbers, and email (if available). The complaint should state reasons and provide details of the responsible party.
For adjudicator determination, include the adjudicator’s name and relevant identifying information. Authorisation proof is needed if lodging on behalf of others. Additional details like incident date/location, Information Officer particulars, witness names/addresses, and relevant documents may be included. Complaints with information protected under the Protected Disclosures Act No. 26 of 2000 (PDA) are safeguarded, and anonymity requests are evaluated by the Regulator, with assistance provided free of charge to ensure compliance.
Importance of POPIA Compliance:
It is paramount for businesses to prioritise compliance with POPIA to uphold the privacy rights of individuals and maintain trust within their customer base. Failure to comply with the Act can result in severe consequences, including hefty fines, legal actions, damage to reputation, and loss of customer trust. Moreover, non-compliance may lead to data breaches, exposing sensitive information and causing financial and reputational damage to both the business and affected individuals. Therefore, businesses must invest in robust data protection measures, staff training, and compliance strategies to ensure adherence to the Act, safeguard personal information, and mitigate risks associated with non-compliance.
Conclusion:
POPIA serves as a crucial tool for protecting individuals’ privacy rights in South Africa. However, violations of these rights can still occur, requiring affected individuals to take action. By understanding the provisions of POPIA and following the necessary steps to apply when rights are violated, individuals can assert their privacy rights and seek recourse against unlawful processing of their personal information. Through effective enforcement and compliance, the POPIA plays a vital role in fostering a culture of data protection and privacy in the digital age.
For guidance and support on violations of the Act, POPIA compliance or creating POPIA manuals for your business, reach out to our office on 021 871 1200 or contact@faurefaure.co.za. We’re here to assist you.
Article written by Faure & Faure Inc lawyer Zane Meyer and candidate attorney Alette Du Toit.
For more information, contact 021 871 1200 or email contact@faurefaure.co.za.
Faure & Faure Inc. – Your partner in Law in the Paarl and Boland Area.