POPI Regulations

POPI Regulations:

This first version of the Regulations was published on 8 September 2017 , with comment invited by 7 November 2017.

 

GOVERNMENT NOTICE
INFORMATION REGULATOR
No. R. 2017
PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013):
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
The Information Regulator has under section 112(2) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), made the regulations in the Schedule.
SCHEDULE
Definitions
1. In these regulations any word or expression to which a meaning has been assigned in the Act has the meaning so assigned to it and, unless the context otherwise indicates—
“submit” means submit by—
(a) registered post;
(b) electronic mail;
(c) facsimile; or
(d) personal delivery; and
“the Act” means the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
Manner of objection to the processing of personal information
2. (1) A data subject may object in writing on a form which corresponds substantially with Form 1 to the Annexure to the processing of personal information as contemplated in section 11(3)(a) of the Act, and submit such objection to the responsible party.
(2) The responsible party, or a person designated for that purpose by the responsible party, must assist, to the best of its or his or her ability any data subject who requires assistance with the completion of Form 1 to the Annexure.
Request for correction or deletion of personal information or destroying or deletion of record of personal information
3. (1) A data subject who wishes to request a responsible party in terms of section 24(1) of the Act to—
(a) correct or delete the personal information about him or her which is in the possession or under the control of the responsible party as contemplated in section 24(1)(a) of the Act; or
(b) destroy or delete a record of personal information which the responsible party is no longer authorised to retain as contemplated in section 24(1)(b) of the Act, must make the request in writing on a form which corresponds substantially with Form 2 to the Annexure and submit the request to the responsible party.
(2) The responsible party, or a person designated for that purpose by the responsible party, must assist, to the best of his or her ability, any person who requires assistance with the completion of Form 2 to the Annexure.
Duties and responsibilities of information officers
4. (1) Subject to the provisions of section 55 of the Act, an information officer must ensure that—
(a) a compliance framework is developed, implemented and monitored;
(b) adequate measures and standards exists in order to comply with the conditions for the lawful processing of personal information;
(c) preliminary assessments are conducted;
(d) a manual for the purpose of the Promotion of Access to Information Act and the Act is developed detailing—
(i) the purpose of the processing;
(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;
(iii) the recipients or categories of recipients to whom the personal information may be supplied;
(iv) the planned trans-border or cross border flows of personal information; and
(v) a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party;
(e) the manual referred to in paragraph (d) is available—
(i) on the website, of the responsible party; and
(ii) at the office or offices of the responsible party for public inspection during normal business hours of that responsible party;
(f) internal measures are developed together with adequate systems to process requests for information or access thereto; and
(g) awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
(2) The information officer, or a person designated by him or her, can upon request of any person provide copies of the manual, to that person upon payment of a fee determined by the responsible party which may not be more than R3.50 per page.
Application to issue a code of conduct
5. A private or public body which is, in the opinion of the Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or vocation may apply to the Regulator for the issue of a code of conduct, on a form which corresponds substantially with Form 3 to the Annexure and must be submitted to the Regulator.
Request for data subject’s consent for processing of personal information for the purpose of direct marketing by means of unsolicited electronic communications
6. A responsible party may request a data subject’s consent in writing on a form which corresponds substantially with Form 4 to the Annexure for the processing of personal information of that data subject for the purpose of direct marketing as contemplated in section 69(2) of the Act.
Submission of complaint or grievance
7. (1) A complaint contemplated in section 74(1) of the Act must be submitted to the Regulator in writing on a form which corresponds substantially with Part I of Form 5 to the Annexure.
(2) A complaint contemplated in section 74(2) of the Act must be submitted to the Regulator in writing on a form which corresponds substantially with Part II of Form 5 to the Annexure.
(3) The Regulator must assist, to the best of its ability, any person who requires assistance with the completion of Part I or Part II of Form 5 to the Annexure.
Regulator acting as conciliator during an investigation
8. (1) The Regulator may decide to act as conciliator at any time during the investigation in relation to any interference with the protection of the personal information of a data subject, as contemplated in section 76(1)(b) of the Act, and may wish to endeavour to obtain a settlement as contemplated in section 80 of the Act.
(2) The Regulator must obtain all the relevant documentation relating to the matter from the data subject and the responsible party.
(3) The Regulator may join two or more complaints, which are alleged to relate to the same interference with the protection of personal information by the same responsible party in order to deal with the complaints in the same conciliation.
(4) On receipt of the documentation contemplated in sub regulation (2) the Regulator must, as soon as it practically possible, in writing inform the data subject and the responsible party implicated in the complaint on a form which corresponds substantially with Form 6 to the Annexure of the Regulator’s decision to act as conciliator in the matter by—
(a) setting the time and place of the conciliation meeting; and
(b) taking steps to ensure that all persons entitled to attend the conciliation meeting are notified within a reasonable time, of the date, time and place of the meeting.
(5) Where a conciliation meeting fails to take place, the Regulator must arrange for an alternative date and notify the persons entitled to attend the conciliation meeting accordingly.
(6) (a) The Regulator must confer with the parties and endeavour to obtain an agreement or settlement in respect of the matter.
(b) The Regulator may confer with the parties in person, by remote or local electronic communication means, or by any other means as is deemed appropriate.
(7) The Regulator must issue a conciliation certificate in writing on a form which corresponds substantially with Form 7 to the Annexure within 10 working days after the conclusion of the meeting.
(8) The conciliation certificate must be published on the website of the Regulator.
(9) If no agreement or settlement is reached or the parties did not wish to attend a conciliation meeting, the Regulator must proceed with the matter as provided for in terms of section 76 of the Act.
Pre-investigation proceedings of Regulator
9. (1) The Regulator must inform the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant), in writing on a form which corresponds substantially with Part A of Form 8 to the Annexure of the Regulator’s intention to conduct an investigation, and submit the form to the complainant, the data subject to whom the investigation relates (if not the complainant) and any person alleged to be aggrieved (if not the complainant).
(2) The Regulator must inform the responsible party to whom the investigation relates in writing on a form which corresponds substantially with Part B of Form 8 to the Annexure of the complaint or the subject matter of the investigation and must request a written response to the complaint or the subject matter of the investigation, if the responsible party so wishes, and submit the form to the responsible party.
Notifications
10. (1) A data subject and a responsible partiy will be kept informed of developments during an investigation and will be informed of the result of an investigation at their designated addresses within 10 days of a decision being made or an action being taken as may be applicable.
(2) Notices will be served in writing to notify the data subject, the complainant and the responsible party that—
(a) an enforcement notice will not be issued in terms of section 94(a) of the Act on a form which corresponds substantially with Form 9;
(b) the complaint has been referred to the Enforcement Committee in terms of section 92 of the Act on a form which corresponds substantially with Form 10;
(c) an enforcement notice has been served in terms of section 95 of the Act on a form which corresponds substantially with Form 11;
(d) an enforcement notice had been cancelled in terms of section 96 of the Act on a form which corresponds substantially with Form 12;
(e) an appeal has been lodged against an enforcement notice for cancellation or variation of the notice in terms of section 96 of the Act on a form which corresponds substantially with Form 13;
(f) an appeal against an enforcement notice has been allowed and that an enforcement notice has been substituted in terms of section 98 of the Act on a form which corresponds substantially with Form 14; or
(g) an appeal has been dismissed in terms of section 98 of the Act on a form which corresponds substantially with Form 15,
to the Annexure.
Assessments
11. (1) A request for an assessment must be submitted to the Regulator in writing on a form which corresponds substantially with Form 16 to the Annexure.
(2) The Regulator must inform the responsible party, on a form that corresponds substantially with Part II of Form 16 to the Annexure, if it has decided to conduct an assessment on—
(a) its own initiative; or
(b) request by any person as contemplated in sub-regulation (1),
within 10 working days of that decision being taken.
(3) The Regulator must notify the person who requested an assessment, whether it has made an assessment or not and of any view formed or action taken if an assessment was conducted, on a form which corresponds substantially with Form 17 to the Annexure, within 10 working days of a decision being made or an assessment being conducted as the case may be.
Short title
12. These regulations are called the Regulations relating to the Protection of Personal Information, 2017.
ANNEXURE
FORM 1
OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 2(1)]
Note:
1. Affidavits or other documentary evidence in support of the objection must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
Reference Number….
A DETAILS OF DATA SUBJECT Name and surname of data subject:
Residential, postal or business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
B DETAILS OF RESPONSIBLE PARTY Name and surname of responsible party(if the responsible party is a natural):
Residential, postal or business address:
Code ( ) Contact number(s): Fax number:
E-mail address:
Name of public or private body(if the responsible party is not a natural person):
Business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
C REASONS FOR OBJECTION (Please provide detailed reasons for the objection)
Signed at …………………………………… this …………………. day of ………………………20…………
…………………………………………………………………
Signature of data subject (applicant)
FORM 2
REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 3(2)]
Note:
1. Affidavits or other documentary evidence in support of the request must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
Reference Number….
Mark the appropriate box with an “x”.
Request for:
Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.
Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorised to retain the record of information.
A DETAILS OF THE DATA SUBJECT Surname:
Full names:
Identity number:
Residential, postal or business address:
Code ( ) Contact number(s): Fax number:
E-mail address:
B DETAILS OF RESPONSIBLE PARTY Name and surname of responsible party(if the responsible party is a natural person):
Residential, postal or business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
Name of public or private body (if the responsible party is not a natural person):
Business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
C REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT/*DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY. (Please provide detailed reasons for the request)
* Delete whichever is not applicable
Signed at …………………………………… this …………………. day of ………………………20…………
…………………………………………………………………
Signature of Data subject
FORM 3
APPLICATION FOR THE ISSUE OF A CODE OF CONDUCT IN TERMS OF SECTION 61(1)(b) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 5]
A DETAILS OF PRIVATE OR PUBLIC BODY (APPLICANT)
Indicate whether applicant is a private or a public body:
List class of bodies, or of any industry, profession, or vocation, you represent: (Attach proof of representation)
Business address:
Code ( ) Contact number(s): Fax number:
E-mail address
B DETAILS OF PERSON WHO COMPLETES THIS FORM Full names of person completing this Form:
Capacity in body:
Does the person completing this Form have the authorisation of the body he/she represents to lodge this application? (Attach authorisation)
Business address (if different from body’s address):
Code ( ) Contact number(s):
Fax number:
E-mail address:
C REASONS FOR APPLICATION FOR INFORMATION REGULATOR TO ISSUE A CODE OF CONDUCT (Please provide detailed reasons for the request)
Signed at …………………………………… this …………………. day of ………………………20…………
…………………………………………………………………
Signature of person completing form
FORM 4
APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PROCESSING OF PERSONAL INFORMATION FOR THE PURPOSE OF DIRECT MARKETING IN TERMS OF SECTION 69(2) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 6]
TO: __________________________________________
__________________________________________
__________________________________________
__________________________________________
(Name and address of data subject)
FROM: __________________________________________
__________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Fax number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of responsible party)
Dear *Mr/Ms/Dr/Adv/Prof ___________________________
PART A
1. In terms of section 69 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013), the processing of personal information of a data subject (the person to whom personal information relates) for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless written consent to the processing is given by the data subject. You may only be approached once for your consent by this responsible party. After you have indicated your wishes in Part B, you are kindly requested to submit this Form either by post, facsimile or e-mail to the address, facsimile number or e-mail address as stated above.
2. “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.
3. “Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
__________________________________________
(Signature of person authorised by responsible party)
Full names and designation of person signing on behalf of responsible party:
Date:______________________________________
PART B
I, __________________________________________(full names) hereby:
Consent to goods and services to be marketed by means of unsolicited electronic communication.

SPECIFY GOODS AND SERVICES:
SPECIFY METHOD OF COMMUNICATION: FAX :
E – MAIL :
SMS :
OTHERS – SPECIFY:
Give my consent.
Do not give my consent.
Signed at …………………………………… this …………………. day of ………………………20…………
…………………………………………………………………
Signature of data subject
FORM 5
COMPLAINT REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION/COMPLAINT REGARDING DETERMINATION OF AN ADJUDICATOR IN TERMS OF SECTION 74 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 7]
Note:
1. Affidavits or other documentary evidence in support of the request must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
Reference Number:…….
Mark the appropriate box with an “x”.
Complaint regarding:
Alleged interference with the protection of personal information
Determination of an adjudicator.
PART I ALLEGED INTERFERENCE WITH THE PROTECTION OF THE PERSONAL INFORMATION (Section 74(1) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) A PARTICULARS OF COMPLAINANT
Surname of complainant:
Full names of complainant:
Identity number of complainant:
Residential, postal or business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
B PARTICULARS OF BODY/RESPONSIBLE PARTY INTERFERING WITH PERSONAL INFORMATION Full names and surname of person interfering with personal information (if the person is a natural person)
Name of public or private body (if not a natural person):
Residential address (if applicable,,: postal address or business address:
(Code ) Contact number(s): Fax number:
E-mail address:
C REASONS FOR COMPLAINT(Please provide detailed reasons for the complaint) PART II GRIEVANCE REGARDING DETERMINATION OF ADJUDICATOR (Section 74(2) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) A PARTICULARS OF COMPLAINANT
Surname of complainant:
Full names of complainant:
Identity number of complainant:
Residential, postal or business address:
Code ( ) Contact number(s):
Fax number:
E-mail address:
B PARTICULARS OF ADJUDICATOR Full names and surname of adjudicator
Name and surname of responsible party (if it is a public or private body):
Name of responsible party (if it is a public or private body)):
Residential, postal or business address:
(Code………) Contact number(s):
Fax number:
E-mail address:
C REASONS FOR COMPLAINT (Please provide detailed reasons for the grievance)
Signed at …………………………………… this …………………. day of ………………………20…………
…………………………………………………………………
Signature of complainant/person aggrieved
FORM 6
NOTICE TO PARTIES: CONCILIATION REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION IN TERMS OF SECTION 76 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 8 (4)]
Reference Number……
TO: __________________________________________
__________________________________________
__________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of party involved)
FROM: __________________________________________
__________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of Regulator)
YOU ARE HEREBY INVITED:
To attend a conciliation meeting at ……………………………………….on the …………….. day of ……………………………. at ……………………………. (time) and on any subsequent day that may be required, regarding the following matter:
_______________________________________________________________________________________________________________________________________________________
Kindly confirm your attendance to the meeting on/before ______________________________.
Dated at …………………………………… this …………………. day of ………………..20……
…………………………………………………………………….
Regulator
FORM 7
NOTICE TO PARTIES: CONCILIATION REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION IN TERMS OF SECTION 76 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 8(8)]
CONCILIATION CERTIFICATE
Reference Number:……
IN THE MATTER BETWEEN
,Full names of complainant(s)(if not the data subject):
___________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Full names of data subject:
___________________________________________________________________________________________________________________________________________________________________________________________________________________________________
AND
,Full names of responsible party(s):
___________________________________________________________________________________________________________________________________________________________________________________________________________________________________
CERTIFICATE OF COMPLETED CONCILIATION
The complaint number: ___________________________________________________
The nature of the complaint:
THIS IS TO CERTIFY THAT
____________________________________________________________________________
(Full names of conciliator)
 has concluded a settlement in this matter
has not concluded a settlement in this matter
REMEDIAL ACTION TO BE TAKEN:
The nature of the remedial action:
The period within which the remedial action must be taken:
The reporting process:
Other compliance matters:
Dated at …………………………………… this …………………. day of ………………..20……
…………………………………………………………………….
Conciliator
FORM 8
NOTICE TO PARTIES OF INTENTION OF REGULATOR TO INVESTIGATE COMPLAINT IN TERMS OF SECTION 79 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 9]
Reference Number……
TO: __________________________________________
Residential, postal or business address:
__________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of complainant/responsible party)
FROM: __________________________________________
Residential, postal or business address __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of Regulator)
PART A NOTICE TO DATA SUBJECT TO WHOM THE INVESTIGATION RELATES (if not the complainant) AND ANY PERSON ALLEGED TO BE AGGRIEVED (if not the complainant)
YOU ARE HEREBY INFORMED THAT:
The Regulator intends to investigate the following matter:
___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
Dated at …………………………………… this …………………. day of ………………..20……
…………………………………………………………………….
Regulator
PART B NOTICE TO RESPONSIBLE PARTY
YOU ARE HEREBY INFORMED THAT:
The Regulator received a complaint and intends to investigate the following matter:
___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
(Details of complaint or subject matter of the investigation)
Kindly note that you have the right to submit to the Regulator, on/before…………………………….(date), a written response in relation to the *complaint/ subject-matter of the investigation.
Dated at …………………………………… this …………………. day of ………………..20……
…………………………………………………………………….
Regulator
FORM 9
NOTICE TO PARTIES IN TERMS OF SECTION 94 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10 (2)(a)]
FOR DEPARTMENTAL USE
Reference number:_____
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
An investigation has been completed in terms of the Protection of Personal Information Act of 2013. Parties are hereby notified that an enforcement notice will not be issued as no interference with the protection of personal information of a data subject has taken place in terms of section 94(a)
Dated at …………………………………… this …………………. day of ………………..20……
…………………………………………………………………….
Regulator
FORM 10
REFERRAL TO ENFORCEMENT COMMITTEE IN TERMS OF
SECTION 92 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10(2)(b)]
FOR DEPARTMENTAL USE
Reference number: _____
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received from:
_____________________________________________________________________________________________________________________________________________________________________
(Full names and surname)
Date received:
_________________________________________________________________________________
Responsible party:
__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
(Full names)
An investigation has been completed in terms of the Protection of Personal Information Act of 2013. Parties are hereby notified that:
A finding of
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
Other matter:
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..
was referred to the Enforcement Committee in terms of section 92 on the … day of ……………… 20…
______________________________
Regulator
FORM 11
ENFORCEMENT NOTICE IN TERMS OF SECTION 95 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10 (2) (c)]
FOR DEPARTMENTAL USE
Reference number:_____
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received by:
_____________________________________________________________________________________________________________________________________________________________________
(Full names and surname)
Date received:
_________________________________________________________________________________
Responsible party:
__________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
(Full names)
A. The Enforcement Committee has concluded that the protection of the personal information of the data subject has been interfered with as follows:
A breach of the conditions for the lawful processing of personal information (Chapter 3)
Non-compliance with the duty to notify security compromises (section 22 of the Protection of Personal Information Act of 2013)
Non-compliance with the duty of confidentiality (section 54 of the Protection of Personal Information Act of 2013)
Non-compliance with obligations for direct marketing by means of unsolicited electronic communications (section 69 of the Protection of Personal Information Act of 2013)
Non-compliance with obligations regarding the inclusion of personal information in directories (section 70 of the Protection of Personal Information Act of 2013)
Non-compliance with obligations regarding automated decision making (section 71 of the Protection of Personal Information Act of 2013)
Breach of the provisions of a code of the following code of conduct issued in terms of section 60: Code of Conduct … of (Reference…….)
B. The reasons for reaching this conclusion are:
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..

C. The responsible party is hereby ordered to:
Take the following specified steps:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
To refrain from taking the following specified steps:
…………………………………………………………………………………………………………………………..…………………………………………………………………………………………………………………………..…………………………………………………………………………………………………………………………………………..
To stop the processing, the following specified personal information:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
…………………………………………………………………………………………………………………………..
To stop the processing of personal information for the following purpose:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..
To stop the processing of personal information in the following manner:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..
D. Urgency
The Regulator directs that this notice should be complied with as a matter of urgency for the following reasons:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..
E. Time periods
The responsible party must comply with this Enforcement Notice and the directives under C after 30 (thirty) days from receiving this notice.
The responsible party must comply with this Enforcement Notice and the directives under C after 4 (four) days from receiving this notice
F. Appeal

The responsible party may appeal against this Enforcement Notice within 30 (thirty) days of receiving this notice.
______________________________
Regulator
FORM 12
CANCELLATION OF ENFORCEMENT NOTICE
SECTION 96 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10 (2)(d)]
FOR DEPARTMENTAL USE
Reference number: ___________
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received by _______________________________________ (state name and surname on ___________________________date__________.
Responsible party:
The application by the responsible party to cancel or vary the Enforcement Notice …./…… (reference) issued on the … day of ……………… 20… has been considered.
This notice replaces the
C. The responsible party is hereby ordered to:
take the following specified steps:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

to refrain from taking the following specified steps:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
to stop the processing, the following specified personal information:
………………………………………………………………………………………………….……………………………………………………………………………………………………………………………………………….…………………………………………………………………………………………………………………………….
to stop the processing of personal information for the following purpose:
…………………………………………………………………………………………………………………………..
…………………………………………………………………………………………………………………………..…………………………………………………………………………………………………………………………..
to stop the processing of personal information in the following manner:
…………………………………………………………………………………………………………………………..
………………………………………………………………………………………………………………………….…………………………………………………………………………………………………………………………..
Appeal
The complainant may appeal against the variation of the Enforcement Notice within 180 (one hundred and eighty) days of receiving this notice.
………………………………………………….
Regulator
FORM 13
NOTICE OF APPEAL
SECTION 97 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10 (2)(e)]
FOR DEPARTMENTAL USE
Reference number: ____________________
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received by _______________________________________ (name and surname) on___day of __________ 20…
Responsible party:
Kindly take note that an APPEAL HAS BEEN LODGED to the High Court against the variation/ cancellation of an Enforcement Notice … /… issued on ……… day of ……………………………… 20..
______________________________
Regulator
FORM 14
SUBSTITUTION OF ENFORCEMENT
SECTION 98 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation (10) (2)(f)]
FOR DEPARTMENTAL USE
Reference number: ___________
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received by _______________________________________ (state name and surname on ______day of_____________ 20…
Responsible party:
The High Court of ……………………. Considered the appeal lodged in terms of notice ……………………………… The court has held that Enforcement Notice …./…… (reference) issued on the … day of ……………… 20… is to be varied in the following manner:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
______________________________
Regulator
FORM 15
NOTICE OF DISMISSAL OF APPEAL
SECTION 97 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 10 (2)(g)]
FOR DEPARTMENTAL USE
Reference number: ______________
TO: __________________________________________
Residential, postal or business address: __________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Name, address and contact details of data subject/complainant)
TO: __________________________________________
Residential, postal or business address:
_________________________________________
__________________________________________
__________________________________________
Contact number(s): __________________________________________
Facsimile number: __________________________________________
E-mail address: __________________________________________
(Address and contact details of responsible party)
Complaint received by _______________________________________ (name and surname) on___day of __________ 20…
Responsible party:
Kindly take note that an APPEAL HAS BEEN DISMISSED in the High Court against the variation/ cancellation of an Enforcement Notice … /… issued on ……… day of ……………………………… 20..
______________________________
Regulator
FORM 16
REQUEST FOR AN ASSESSMENT
SECTION 89 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation 11(1)]
FOR DEPARTMENTAL USE
Reference number: _____________
PART I REQUEST FOR AN ASSESSMENT (Section 89(1) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
A request is hereby made in terms of section 89 of the Protection of Personal Information Act 4 of 2013 that the Information Regulator must assess whether the processing of information complies with the provisions of the Act:
1. CONTACT DETAILS
REQUESTER:
Name: …………………………………………………………………
Address: ………………………………………………………………
………………………………………………………………………….
…………………………………………………………………………
Contact number/s: ……………………………………………….
E-mail address: ………………………………………………………
RESPONSIBLE PARTY:
Name: …………………………………………………………………
Address: ………………………………………………………………
………………………………………………………………………….
…………………………………………………………………………
Contact number/s: ……………………………………………….
E-mail address: ………………………………………………………
2. INFORMATION PROCESSING TO BE ASSESSED
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
3. PERSONS AFFECTED BY THE RELEVANT INFORMATION PROCESSING PRACTICE/S
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
4. THE REASON WHY AN ASSESSMENT IS REQUESTED
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
5. SPECIFIC ASPECTS OF THE PROCESSING OF INFORMATION THAT THE ASSESSMENT SHOULD ADDRESS
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
6. TIME
I first become aware that the processing of information should be assessed on:
….. day of …………………………………………….. 20..
Explain the reasons for the delay (if any) in requesting the assessment:
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
7. DATA SUBJECT PARTICIPATION:
Does the requester:
Have the right to access personal information held by the responsible party in terms of section 23 of the Protection of Personal Information Act 4 of 2013:
Yes No Not applicable
Have to right to request the responsible party to correct personal information in terms of section 24 of the Protection of Personal Information Act 4 of 2013:
Yes No Not applicable
Signed on this ___day of_____________ 20…

___________________________
Requester
PART II NOTICE OF A DECISION TO CONDUCT AN ASSESSMENT (Section 89(1) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
1. NOTICE OF A DECISION TO CONDUCT AN ASSESSMENT
The Regulator has decided to conduct an assessment in terms of section 89(1) of the Protection of Personal Information Act 4 of 2013 on its own initiative.
2. INFORMATION PROCESSING TO BE ASSESSED
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
3. PERSONS AFFECTED BY THE RELEVANT INFORMATION PROCESSING PRACTICE/S
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
4. THE REASON WHY AN ASSESSMENT IS TO BE CONDUCTED
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
5. SPECIFIC ASPECTS OF THE PROCESSING OF INFORMATION THAT THE ASSESSMENT SHOULD ADDRESS
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
Signed on this ___day of_____________ 20…
___________________________
Regulator
FORM 17
NOTIFICATION
SECTION 89 OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
[Regulation (11) (2)]
FOR DEPARTMENTAL USE Reference number: _________________
A request was made in terms of section 89 of the Protection of Personal Information Act 4 of 2013 that the Information Regulator must assess whether the processing of information complies with the provisions of the Act:
Name of Requester: ……………………………………………………………
Name of Responsible party: ………………………………………………….
Date of request: …………………………………..
Kindly take note that the Information Regulator has:
made an assessment
not made an assessment
The Information Regulator hereby wishes to confirm that it formed the following views:
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
The Information Regulator hereby wishes to confirm that it wishes to take no further action in this regard.
The Information Regulator hereby wishes to confirm that it wishes to take the following action in this regard:
…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
_____________________________
Regulator