The Protection of Personal Information Act No. 3 of 2013 (“the Act”) defines in its Chapter 11 and Section’s 100 – 106 items that qualify as being POPIA non-compliant namely - 

• The Obstruction of the Regulator (Section 100)
• Breach of confidentiality (Section 101)
• Obstruction of execution of warrant (Section 102)
• Failure to comply with enforcement or information notices (Section 103)
• Offences by witnesses (Section 104)
• Unlawful acts by responsible party in connection with account number (Section 105)
• Unlawful acts by third party in connection to account number (Section 106)

Consequences of non-compliance

Section 107 of the Act subsequently deals with the consequences if a company is found to be non-compliant.  In summary if the business is found to have had a severe breach this amounts to a serious offence.

Serious Offences

A serious offence listed in the Act relates to the obstruction of the regulator; failure to comply with enforcement or information; contravention to provisions listed in section 8 relating to an account number; and a person knowingly obtains or discloses without consent of an account number or sells an account number obtained without consent.  

The Penalty for a serious offence is a fine of up to R10 million, 10 years of imprisonment, or a combination of a lesser amount of both a fine and imprisonment.

Less Serious Offences

Less serious offences such as a breach in terms of Section 59 (failure to notify processing subject prior authorisation); Section 101 (breach of confidentiality); Section 102 (obstruction of execution of warrant); Section 103(2) (failure to comply with enforcement or information notices); or Section 104(1) (offences by witnesses), shall bear the consequences of imprisonment not exceeding 12 months or a reduced fine.

It’s critical that businesses know or realize that the Regulator does not require a court order to institute a fine on their organization for non-compliance or negligence. The Act provides that any Magistrates Court will have jurisdiction to award damages that are just and equitable in regards to payment for compensation of losses resulting from the data breach, the interests and the costs of the suit, on the scale determinable by the courts.

An administrative fine, as defined in Section 109 of the Act, may be handed to someone for breach of the Act by way of an infringement notice. Taking into consideration the nature of the personal information; the extent and duration; number of subjects affected; public importance; likelihood of substantial damages; preventability of the contravention; and if the party has committed a previous offence.

The infringer may choose to have the infringement charge tried in court.  The offence is then handed over to the South African Police Force. From there, it will be investigated in the Public Sphere and the consequences if found guilty may be recorded as a criminal offence and may result in greater consequences than those capped in the Act.

If the administrative fine is paid, into the National Revenue Fund, no prosecution may be instituted against the responsible party and does not amount to a previous conviction.

Bailey Haynes Inc – Your Attorneys in Cape Town

The consequences of the failure to comply with the POPI Act to a company are therefore applied based on the nature of the breach and range from low to significant consequences for companies who fail to comply. 

Contact our attorneys for more information about the POPI Act and how to make sure your business is 100% compliant.