Consequences of non-compliance

POPI provides for a unique and possibly effective way of dealing with contraventions.

Should there be interference with the protection of a data subject’s personal information, the aggrieved party may lodge a complaint with the Information Regulator. A negotiated settlement is one of the possible outcomes of the complaints procedure. In terms of POPI, the Regulator does not require a court order to institute a fine for negligence or non-compliance in favour of the aggrieved party.

POPI further provides for civil remedies where the court may award amounts that, in its discretion, are just and equitable. Such amounts include:

  • Payment for damages as compensation for losses suffered by a data subject as a result of a breach of a provision of POPI;
  • Aggravated damages;
  • Interest; and
  • Costs on a scale as determined by the court.

There are dire consequences for any party convicted of an offence in terms of POPI. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine (each fine to be determined by the relevant court on a case-by-case basis), can be imposed. Furthermore, the Regulator may institute administrative fines up to an amount of R10 million.