Broad-Based Black Economic Empowerment Act (B-BBEE Act)
Act 53 of 2003
Provides the empowerment-compliance context often used in public-sector supplier evaluation.
Relevant because this is a South African public-sector procurement opportunity.
Documents available on tender detail page
Tender Type
Request for Bid(Open-Tender)
Delivery Location
2 Lower Loop Street - Foreshore - Cape Town - 8001
Organization Type
GOVERNMENT
Published
17 Jul 2026
The western cape education department (wced) is tendering for a service provider to conduct comprehensive personnel suitability checks (vetting) as part of its recruitment, selection, and appointment process for a period of five years. This tender is aimed at experienced vetting and background screening companies capable of handling a wide range of mandatory and other verification types for educational staff. The successful bidder will also be required to provide training to wced users on the relevant platform.
Date & Time
Friday, 14 August 2026 - 11:00
Venue
1 North Wharf Square, 2 Lower Loop Street, Ground Floor, Foreshore, Cape Town
Categories
Request for Bid(Open-Tender)
2 Lower Loop Street - Foreshore - Cape Town - 8001
17 Jul
2026
Tender Published
Tender was published
14 Aug
2026
Closing Date
Tender closing date
These references help suppliers understand the public-procurement framework around this opportunity. They are generated from the tender category, issuing organisation type and procurement context.
POPI ACT 4 OF 2013.pdf
Median Estimate
R 1 978 523
Range
Based on 25 comparable awarded tenders. Companies with similar profiles typically bid near the median.
* Estimates are based on historical data and do not guarantee actual award values.
Learn how to submit a winning bid with these related articles
In 2026, Western Cape’s security procurement landscape remains one of the most active in South Africa, with 176 live security tenders signaling strong demand for compliant service providers. For security contractors, PSIRA compliance is non-negotiable—failing to verify company and guard registrations before submission can lead to immediate disqualification. With government buyers prioritizing regulatory adherence, suppliers must adopt a proactive approach to ensure all certifications are current, accurate, and aligned with tender requirements.
How small security companies and BEE-certified guarding firms use Joint Ventures to compete for PSIRA-regulated government security tenders.
How security installation companies, technology integrators, and electronic security providers can win government tenders for CCTV, access control, alarm monitoring, and integrated electronic security systems in South Africa.
As Gauteng’s security tender landscape intensifies in 2026, contractors must navigate a complex compliance environment where a single oversight can disqualify an entire bid. With over 300 active security tenders in the province, regulatory adherence—particularly PSIRA registration—remains the non-negotiable foundation for participation. This guide clarifies the legal obligations, verification processes, and documentation required to ensure your submission meets the strict standards of South African procurement law.
💡 Want more tendering tips and strategies?
Explore Our BlogImportant: Attendance at this briefing session is mandatory. Bids from suppliers who do not attend may be disqualified.
Tenders in this industry often require registration with these bodies.
Recommended Certifications
Having these can improve your winning chances: SAIDSA Accreditation, ISO 18788 (Security Operations Management)
AI Document Analysis Stages
We refine every tender document through these stages so you can brief your team and prepare your bid with confidence. Anything marked as "in progress" will be upgraded automatically — no action required from you.
Review in progress
The information shown on this card is preliminary. Our procurement team is currently finalising the submission guidelines, evaluation criteria, technical specifications, financial requirements, and compliance sections so you have a clean, bid-ready summary to work from. Document being finalised: WCE 3158 - BID DOCUMENT.pdf. You don’t need to refresh — this page will pick up the updated review automatically.
Compliance Requirements
Source: WCE 3158 - BID DOCUMENT.pdf (unknown)Insufficient searchable text - AI extraction recommended
These rules commonly apply to South African public-sector procurement.
Act 53 of 2003
Provides the empowerment-compliance context often used in public-sector supplier evaluation.
Relevant because this is a South African public-sector procurement opportunity.
Act 108 of 1996 (s217)
Sets the constitutional standard for fair, equitable, transparent, competitive and cost-effective public procurement.
Relevant because this is a South African public-sector procurement opportunity.
Act 5 of 2000
Covers preferential procurement and preference-point systems used in public tenders.
Relevant because this is a South African public-sector procurement opportunity.
Act 12 of 2004
Supports anti-corruption controls and supplier integrity in procurement processes.
Relevant because this is a South African public-sector procurement opportunity.
Act 28 of 2024
Provides the national framework for public procurement across government.
Relevant because this is a South African public-sector procurement opportunity.
Act 2 of 2000
Supports access to tender records, award decisions and public-sector procurement information.
Relevant because this is a South African public-sector procurement opportunity.
Act 3 of 2000
Supports lawful, reasonable and procedurally fair administrative tender decisions.
Relevant because this is a South African public-sector procurement opportunity.
These rules are linked to the work category, industry, or regulated service area.
Act 85 of 1993
Sets health and safety duties for contractors, employers and service providers working on public-sector sites.
Relevant because this tender appears to involve guarding, access control, CCTV, surveillance, or private security services.
Act 56 of 2001
This is general procurement context, not legal advice. Always verify requirements in the official tender documents and issuing authority notices.
WCE 3158 - BID DOCUMENT.pdf
WCE 3158 - ITEMISED PRICING.xlsx
The Western Cape Education Department (WCED) is seeking a service provider to conduct comprehensive personnel suitability checks (vetting) as part of their recruitment, selection, and appointment process for a five-year period. The tender includes mandatory verification of qualifications, criminal records, credit reports, identity validation, and other background checks, along with user training.
To download these documents and access AI-powered analysis, visit the main tender page.
Organization
Western Cape - EducationContact Person
Kutala Mabuto
Phone
+27 21 467 2000
[email protected]
Website
wcedonline.westerncape.gov.za/western-cape-education-department
Address
1 North Wharf Square, 2 Lower Loop St, Cape Town City Centre, Cape Town, 8001, South Africa
Source confidence
High source confidence
Official source
eTenders.gov.za
Documents found
3
Last checked
17 Jul 2026
AI status
Enhanced
This tender has strong source evidence, including source metadata and supporting tender information synced from the government tender portal.
Tenders SA is not the issuing authority. All tenders are automatically synced from the official government tender portal. Always confirm final submission details, closing dates, briefing sessions, eligibility requirements, and documents on the official government portal before applying.
Free guidance to prepare before you bid
Not sure if your business is ready for this tender? Check CSD, CIDB, and B-BBEE requirements, run a readiness assessment, and move from opportunity to submission.
Open Supplier Readiness HubImportant Dates
Source: POPI ACT 4 OF 2013.pdf (unknown){"closingDate":"19 NOVEMBER 2013","closingTime":"13:03"}
Evaluation Criteria
Source: POPI ACT 4 OF 2013.pdf (unknown)90 Information notice
91 Parties to be informed of result of assessment
92 Matters referred to Enforcement Committee
93 Functions of Enforcement Committee
94 Parties to be informed of developments during and result of investigation
95 Enforcement notice
96 Cancellation of enforcement notice
97 Right of appeal
98 Consideration of appeal
99 Civil remedies
Chapter 11
Offences, penalties and administrative fines
100 Obstruction of Regulator
101 Breach of confidentiality
102 Obstruction of execution of warrant
103 Failure to comply with enforcement or information notices
104 Offences by witnesses
105 Unlawful acts by responsible party in connection with account number
106 Unlawful acts by third parties in connection with account number
107 Penalties
108 Magistrate's Court jurisdiction to impose penalties
109 Administrative fines
Chapter 12
General provisions
110 Amendment of laws
111 Fees
112 Regulations
113 Procedure for making regulations
114 Transitional arrangements
115 Short title and commencement
(1) The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other
person must make an assessment in the prescribed manner of whether an instance of processing of personal information
complies with the provisions of this Act.
(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on
request, the Regulator has not been supplied with such information as it may reasonably require in order to-
(a) satisfy itself as to the identity of the person making the request; and
(b) enable it to identify the action in question.
(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment
include-
(a) the extent to which the request appears to it to raise a matter of substance;
(b) any undue delay in making the request; and
(c) whether or not the person making the request is entitled to make an application in terms of section 23 or 24 in
respect of the personal information in question.
(4) If the Regulator has received a request under this section it must notify the requester-
(a) whether it has made an assessment as a result of the request; and
(b) to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by
the Regulator in terms of section 37 from section 23 or 24 applying in relation to the personal information
concerned, of any view formed or action taken as a result of the request.
90 Information notice
(1) If the Regulator-
(a) has received a request under section 89 in respect of any processing of personal information; or
(b) reasonably requires any information for the purpose of determining whether the responsible party has interfered or
is interfering with the personal information of a data subject,
the Regulator may serve the responsible party with an information notice requiring the responsible party to furnish the
Regulator, within a specified period, in a form specified in the notice, with a report indicating that the processing is taking
place in compliance with the provisions of the Act, or with such information relating to the request or to compliance with the
Act as is so specified.
(2) An information notice must contain particulars of the right of appeal conferred by section 97, and-
(a) in a case falling within subsection (1) (a), a statement that the Regulator has received a request under section 89
in relation to the specified processing; or
(b) in a case falling within subsection (1) (b), a statement that the Regulator regards the specified information as
relevant for the purpose of determining whether the responsible party has complied, or is complying, with the
conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that
purpose.
(3) Subject to subsection (5), the period specified in an information notice must not expire before the end of the period
within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be
furnished pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a
statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does
not apply.
(5) A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three
days beginning with the day on which the notice is served.
(6) An information notice may not require a responsible party to furnish the Regulator with any communication between a-
(a) professional legal adviser and his or her client in connection with the giving of legal advice on the client's
obligations, liabilities or rights under this Act; or
(b) professional legal adviser and his or her client, or between such an adviser or his or her client and any other
person, made in connection with or in contemplation of proceedings under or arising out of this Act (including
proceedings before a court) and for the purposes of such proceedings.
(7) In subsection (6) references to the client of a professional legal adviser include any person representing such a client.
(8) An information notice may not require a responsible party to furnish the Regulator with information that would, by
revealing evidence of the commission of any offence other than an offence under this Act, expose the responsible party to
criminal proceedings.
(9) The Regulator may cancel an information notice by written notice to the responsible party on whom it was served.
91 Parties to be informed of result of assessment
(1) After completing the assessment referred to in section 89 the Regulator-
(a) must report to the responsible party the results of the assessment and any recommendations that the Regulator
considers appropriate; and
(b) may, in appropriate cases, require the responsible party, within a specified time, to inform the Regulator of any
action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no
such action has been or is proposed to be taken.
(2) The Regulator may make public any information relating to the personal information management practices of a
responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
interest to do so.
(3) A report made by the Regulator under subsection (1) is deemed to be the equivalent of an enforcement notice in terms
of section 95.
92 Matters referred to Enforcement Committee
(1) After completing the investigation of a complaint or other matter in terms of this Act, the Regulator may refer such
complaint or other matter to the Enforcement Committee for consideration, a finding in respect of the complaint or other
matter and a recommendation in respect of the proposed action to be taken by the Regulator as referred to in section 93.
(2) The Regulator may prescribe the procedure to be followed by the Enforcement Committee, including-
(a) the manner in which the responsible party and data subject may make submissions to the Enforcement Committee;
(b) the opportunity afforded to the parties who make submissions to the Enforcement Committee to make use of legal
or other representation;
(c) the period within which the Enforcement Committee must make a finding and submit its recommendation to the
Regulator in respect of the complaint or other matter; and
(d) the manner in which the Enforcement Committee may finalise urgent matters.
93 Functions of Enforcement Committee
The Enforcement Committee-
(a) must consider all matters referred to it by the Regulator in terms of section 92 or the Promotion of Access to
Information Act and make a finding in respect thereof; and
(b) may make any recommendation to the Regulator necessary or incidental to any action that should be taken
against-
(i) a responsible party in terms of this Act; or
(ii) an information officer or head of a private body, as the case may be, in terms of the Promotion of Access
to Information Act.
94 Parties to be informed of developments during and result of investigation
If an investigation is made following a complaint, and-
(a) the Regulator believes that no interference with the protection of the personal information of a data subject has
taken place and therefore does not serve an enforcement notice;
(b) the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 92;
(c) an enforcement notice is served in terms of section 95;
(d) a served enforcement notice is cancelled in terms of section 96;
(e) an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section
97; or
(f) an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of
section 98,
the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner
prescribed of any development mentioned in paragraphs (a) to (f) and the result of the investigation.
95 Enforcement notice
(1) If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is
satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data
subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the
responsible party to do either or both of the following:
(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or
(b) to stop processing personal information specified in the notice, or to stop processing personal information for a
purpose or in a manner specified in the notice within a period specified in the notice.
(2) An enforcement notice must contain-
(a) a statement indicating the nature of the interference with the protection of the personal information of the data
subject and the reasons for reaching that conclusion; and
(b) particulars of the rights of appeal conferred by section 97.
(3) Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied
with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought,
the notice need not be complied with pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in
the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event
subsection (3) does not apply.
(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the
end of a period of three days beginning with the day on which the notice is served.
96 Cancellation of enforcement notice
(1) A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period
during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of
that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not
be complied with in order to ensure compliance with the conditions for the lawful processing of personal information.
(2) If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order
to ensure compliance with a condition for the lawful processing of personal information or conditions to which it relates, it may
cancel or vary the notice by written notice to the responsible party on whom it was served.
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
97 Right of appeal
(1) A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the
notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.
(2) A complainant, who has been informed of the result of the investigation in terms of section 77 (3) or 96, may, within
180 days of receiving the result, appeal to the High Court having jurisdiction against the result.
98 Consideration of appeal
(1) If in an appeal under section 97 the court considers-
(a) that the notice or decision against which the appeal is brought is not in accordance with the law; or
(b) that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised
differently,
the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been
served or made by the Regulator.
(2) In such an appeal, the court may review any determination of fact on which the notice in question was based.
99 Civil remedies
(1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court
having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or
not there is intent or negligence on the part of the responsible party.
(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:
(a) Vis major;
(b) consent of the plaintiff;
(c) fault on the part of the plaintiff;
(d) compliance was not reasonably practicable in the circumstances of the particular case; or
(e) the Regulator has granted an exemption in terms of section 37.
(3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including-
(a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a
result of breach of the provisions of this Act;
(b) aggravated damages, in a sum determined in the discretion of the Court;
(c) interest; and
(d) costs of suit on such scale as may be determined by the Court.
(4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
(a) The full amount must be deposited into a specifically designated trust account established by the Regulator with an
appropriate financial institution;
(b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing
proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made
to the data subject in terms of subsection (5); and
(c) the balance, if any (in this section referred to as the 'distributable balance'), must be distributed by the Regulator
to the data subject at whose request the proceedings were brought.
(5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection
(4), accrue to the Regulator in the Regulator's official capacity.
(6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
(7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate
public media announcement as the Court considers appropriate.
(8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or
compromise must be made an order of Court.
(9) If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the
Regulator after due notice to the other party, be made an order of Court and must be published in the Gazette and by such
other public media announcement as the Court considers appropriate.
Chapter 11
OFFENCES, PENALTIES AND ADMINISTRATIVE FINES (ss 100-109)
100 Obstruction of Regulator
Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting on behalf of or under the
direction of the Regulator in the performance of the Regulator's duties and functions under this Act, is guilty of an offence.
101 Breach of confidentiality
Any person who contravenes the provisions of section 54, is guilty of an offence.
102 Obstruction of execution of warrant
Any person who-
(a) intentionally obstructs a person in the execution of a warrant issued under section 82; or
(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may
reasonably require for the execution of the warrant,
is guilty of an offence.
103 Failure to comply with enforcement or information notices
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
Technical Specifications
Source: POPI ACT 4 OF 2013.pdf (unknown)provisions date refer to
s. 1, ss. 39 to 54 inclusive (Part A of 11 April 2014 Proc R25 in GG April
Chapter 5) and ss. 112 and 113 2014
ss. 2 to 38, 55 to 109, 111, 114 (1), 1 July 2020 Proc R21 in GG June
(2) and (3) 2020
ss. 110 and 114 (4) 30 June 2021 Proc R21 in GG June
2020
s. 58 (2) 1 February 2022 in so GN 297 in GG April 2021,
far as it
Methodology
Source: POPI ACT 4 OF 2013.pdf(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of
electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the
data subject-
(a) has given his, her or its consent to the processing; or
(b) is, subject to subsection (3), a customer of the responsible party.
(2) (a) A responsible party may approach a data subject-
(i) whose consent is required in terms of subsection (1) (a); and
(ii) who has not previously withheld such consent,
only once in order to request the consent of that data subject.
(b) The data subject's consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible
party in terms of subsection (1) (b)-
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product
or service;
(b) for the purpose of direct marketing of the responsible party's own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of
unnecessary formality, to such use of his, her or its electronic details-
(i) at the time when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data
subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain-
(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) an address or other contact details to which the recipient may send a request that such communications cease.
(5) 'Automatic calling machine', for purposes of subsection (1), means a machine that is able to do automated calls
without human intervention.
Experience & Qualifications
Source: POPI ACT 4 OF 2013.pdf(1) (a) The Regulator consists of the following members:
(i) A Chairperson; and
(ii) four other persons, as ordinary members of the Regulator.
(b) Members of the Regulator must be appropriately qualified, fit and proper persons-
(i) at least one of whom must be appointed on account of experience as a practising advocate or attorney or a
professor of law at a university; and
(ii) the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating
to the objects of the Regulator.
(c) The Chairperson of the Regulator must be appointed in a full-time capacity and may, subject to subsection (4), not
perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.
(d) The ordinary members of the Regulator must be appointed as follows:
(i) Two ordinary members in a full-time capacity; and
(ii) two ordinary members in a full-time or part-time capacity.
(e) The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4),
not perform or undertake to perform any other remunerative work during the period in which they hold office.
(f) The Chairperson must direct the work of the Regulator and the staff of the Regulator.
(g) A person may not be appointed as a member of the Regulator if he or she-
(i) is not a citizen of the Republic;
(ii) is a public servant;
(iii) is a member of Parliament, any provincial legislature or any municipal council;
(iv) is an office-bearer or employee of any political party;
(v) is an unrehabilitated insolvent;
(vi) has been declared by a court to be mentally ill or unfit; or
(vii) has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.
(2) (a) The Chairperson and the members of the Regulator referred to in subsection (1) (a) must be appointed by the
(1) The Regulator must establish its own administration to assist it in the performance of its functions and to this end the
Regulator must appoint, or secure the secondment in terms of subsection (6) of-
(a) a suitably qualified and experienced person as chief executive officer of the Regulator for the purpose of assisting
the Regulator, subject to the Regulator's direction and supervision, in the performance of all financial and
administrative functions in terms of this Act and the Promotion of Access to Information Act, work arising from the
administration of this Act and the Promotion of Access to Information Act and to exercise any power delegated by
the Regulator to him or her; and
(b) such other member of staff as the Regulator may deem necessary to assist the Regulator and the chief executive
officer, as the case may be, with all such work as may arise through the performance of its functions.
(2) (a) The chief executive officer may appoint a senior member of staff as acting chief executive officer to perform the
functions of the chief executive officer in his or her absence.
(b) A member of the Regulator may not be appointed as acting chief executive officer.
(c) In the event that a vacancy occurs in the office of the chief executive officer the Regulator must appoint an acting
chief executive officer.
(3) The Regulator must, in the appointment of the staff of the Regulator-
(a) provide for the advancement of persons disadvantaged by unfair discrimination, with the aim that its staff, when
viewed collectively, represents a broad cross-section of the population of the Republic; and
(b) subject to paragraph (a), apply equal opportunity employment practices.
(4) The Regulator may pay to the persons in its employ such remuneration and allowances and provide them with such
pension and other employment benefits as are consistent with that paid in the public sector.
(5) In exercising its powers in terms of subsections (1) and (4), the Regulator must consult with the Minister of Finance.
(6) The Regulator may, in the performance of the functions contemplated in subsection (1), at its request, be assisted by
officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment:
Provided that the secondment of an official to the service of the Regulator may not exceed 12 months and that the initial
period of secondment may only be extended once for a subsequent period not exceeding 12 months.
(7) The Regulator may, in consultation with the Minister of Finance, on a temporary basis or for a particular matter which is
being investigated by it, employ any person with special knowledge of any matter relating to the work of the Regulator, or
obtain the co-operation of any body, to advise or assist the Regulator in the performance of its functions under this Act and
the Promotion of Access to Information Act, and fix the remuneration, including reimbursement for travelling, subsistence and
other expenses, of such person or body.
[Date of commencement of s. 47: 11 April 2014.]
(2) The Regulator must-
(a) in consultation with the Chief Justice and Minister, appoint a-
(i) judge of the High Court of South Africa, whether in active service or not; or
(ii) magistrate with at least 10 years' appropriate experience, whether in active service or not; or
(b) appoint an advocate or attorney with at least 10 years' appropriate experience,
as Chairperson of the Enforcement Committee.
(3) The Chairperson of the Enforcement Committee must manage the work of and preside at hearings of the Enforcement
Quality Management
Source: POPI ACT 4 OF 2013.pdf(1) If a code of conduct is issued under section 60 the Regulator must ensure that-
(a) there is published in the Gazette, as soon as reasonably practicable after the code is issued, a notice indicating-
(i) that the code has been issued; and
(ii) where copies of the code are available for inspection free of charge and for purchase; and
(b) as long as the code remains in force, copies of it are available-
(i) on the Regulator's website;
(ii) for inspection by members of the public free of charge at the Regulator's offices; and
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(iii) for purchase or copying by members of the public at a reasonable price at the Regulator's offices.
(2) A code of conduct issued under section 60 comes into force on the 28th day after the date of its notification in the
or seizure under the warrant of any material on the ground that it-
(a) contains privileged information and refuses the inspection or removal of such article or document, the person
executing the warrant or search must, if he or she is of the opinion that the article or document contains
information that has a bearing on the investigation and that such information is necessary for the investigation,
request the Registrar of the High Court which has jurisdiction or his or her delegate, to attach and remove that
article or document for safe custody until a court of law has made a ruling on the question whether the information
concerned is privileged or not; or
(b) consists partly of matters in respect of which those powers are not exercised, he or she must, if the person
executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt
from those powers.
Compliance Requirements
Source: POPI ACT 4 OF 2013.pdf (unknown)No specific requirements found
Health & Safety
Source: POPI ACT 4 OF 2013.pdf'biometrics' means a technique of personal identification that is based on physical, physiological or behavioural
characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;
'child' means a natural person under the age of 18 years who is not legally competent, without the assistance of a
competent person, to take any action or decision in respect of any matter concerning him- or herself;
'code of conduct' means a code of conduct issued in terms of Chapter 7;
'competent person' means any person who is legally competent to consent to any action or decision being taken in
respect of any matter concerning a child;
'consent' means any voluntary, specific and informed expression of will in terms of which permission is given for the
processing of personal information;
'Constitution' means the Constitution of the Republic of South Africa, 1996;
'data subject' means the person to whom personal information relates;
'de-identify', in relation to personal information of a data subject, means to delete any information that-
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and 'de-identified' has a corresponding meaning;
'direct marketing' means to approach a data subject, either in person or by mail or electronic communication, for the
direct or indirect purpose of-
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason;
'electronic communication' means any text, voice, sound or image message sent over an electronic communications
network which is stored in the network or in the recipient's terminal equipment until it is collected by the recipient;
'enforcement notice' means a notice issued in terms of section 95;
'filing system' means any structured set of personal information, whether centralised, decentralised or dispersed on a
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
functional or geographical basis, which is accessible according to specific criteria;
'information matching programme' means the comparison, whether manually or by means of any electronic or other
device, of any document that contains personal information about ten or more data subjects with one or more documents
that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that
may be used for the purpose of taking any action in regard to an identifiable data subject;
'information officer' of, or in relation to, a-
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17;
or
(b) private body means the head of a private body as contemplated in section 1,
of the Promotion of Access to Information Act;
'Minister' 2 means the Cabinet member responsible for the administration of justice;
'operator' means a person who processes personal information for a responsible party in terms of a contract or mandate,
without coming under the direct authority of that party;
'person' means a natural person or a juristic person;
'personal information' means information relating to an identifiable, living, natural person, and where it is applicable, an
identifiable, existing juristic person, including, but not limited to-
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour,
sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture,
language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online
identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further
correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of
the name itself would reveal information about the person;
'prescribed' means prescribed by regulation or by a code of conduct;
'private body' means-
(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body;
'processing' means any operation or activity or any set of operations, whether or not by automatic means, concerning
personal information, including-
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration,
consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
'professional legal adviser' means any legally qualified person, whether in private practice or not, who lawfully provides
a client, at his or her or its request, with independent, confidential legal advice;
'Promotion of Access to Information Act' means the Promotion of Access to Information Act, 2000 (Act );
'public body' means-
(a) any department of state or administration in the national or provincial sphere of government or any municipality in
the local sphere of government; or
(b) any other functionary or institution when-
(i) exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation;
'public record' means a record that is accessible in the public domain and which is in the possession of or under the
control of a public body, whether or not it was created by that public body;
'record' means any recorded information-
(a) regardless of form or medium, including any of the following:
(i) Writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether
hardware or software or both, or other device, and any material subsequently derived from information so
produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is
attached by any means;
(iv) book, map, plan, graph or drawing;
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to
be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a responsible party;
(c) whether or not it was created by a responsible party; and
(d) regardless of when it came into existence;
'Regulator' means the Information Regulator established in terms of section 39;
're-identify', in relation to personal information of a data subject, means to resurrect any information that has been de-
identified, that-
(a) identifies the data subject;
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and 're-identified' has a corresponding meaning;
'Republic' means the Republic of South Africa;
'responsible party' means a public or private body or any other person which, alone or in conjunction with others,
determines the purpose of and means for processing personal information;
'restriction' means to withhold from circulation, use or publication any personal information that forms part of a filing
system, but not to delete or destroy such information;
'special personal information' means personal information as referred to in section 26;
'this Act' includes any regulation or code of conduct made under this Act; and
'unique identifier' means any identifier that is assigned to a data subject and is used by a responsible party for the
purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that
responsible party.
[Date of commencement of s. 1: 11 April 2014.]
(1) This Act does not apply to the processing of personal information-
(a) in the course of a purely personal or household activity;
(b) that has been de-identified to the extent that it cannot be re-identified again;
(c) by or on behalf of a public body-
(i) which involves national security, including activities that are aimed at assisting in the identification of the
financing of terrorist and related activities, defence or public safety; or
(ii) the purpose of which is the prevention, detection, including assistance in the identification of the proceeds
of unlawful activities and the combating of money laundering activities, investigation or proof of offences,
the prosecution of offenders or the execution of sentences or security measures,
to the extent that adequate safeguards have been established in legislation for the protection of such personal
information;
(d) by the Cabinet and its committees or the Executive Council of a province; or
(e) relating to the judicial functions of a court referred to in section 166 of the Constitution.
(2) 'Terrorist and related activities', for purposes of subsection (1) (c), means those activities referred to in section 4 of
the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (Act ).
(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary
for achieving the purpose for which the information was collected or subsequently processed, unless-
(a) retention of the record is required or authorised by law;
(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
(c) retention of the record is required by a contract between the parties thereto; or
(d) the data subject or a competent person where the data subject is a child has consented to the retention of the
record.
(2) Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for
historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records
being used for any other purposes.
(3) A responsible party that has used a record of personal information of a data subject to make a decision about the data
subject, must-
(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or
(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford
the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information
into account, to request access to the record.
(4) A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably
practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).
(5) The destruction or deletion of a record of personal information in terms of subsection (4) must be done in a manner that
prevents its reconstruction in an intelligible form.
(6) The responsible party must restrict processing of personal information if-
(a) its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of
the information;
(b) the responsible party no longer needs the personal information for achieving the purpose for which the information
was collected or subsequently processed, but it has to be maintained for purposes of proof;
(c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of
its use instead; or
(d) the data subject requests to transmit the personal data into another automated processing system.
(7) Personal information referred to in subsection (6) may, with the exception of storage, only be processed for purposes of
proof, or with the data subject's consent, or with the consent of a competent person in respect of a child, or for the
protection of the rights of another natural or legal person or if such processing is in the public interest.
(8) Where processing of personal information is restricted pursuant to subsection (6), the responsible party must inform the
data subject before lifting the restriction on processing.
Condition 4
(1) Further processing of personal information must be in accordance or compatible with the purpose for which it was
collected in terms of section 13.
(2) To assess whether further processing is compatible with the purpose of collection, the responsible party must take
account of-
(a) the relationship between the purpose of the intended further processing and the purpose for which the information
has been collected;
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(b) the nature of the information concerned;
(c) the consequences of the intended further processing for the data subject;
(d) the manner in which the information has been collected; and
(e) any contractual rights and obligations between the parties.
(3) The further processing of personal information is not incompatible with the purpose of collection if-
(a) the data subject or a competent person where the data subject is a child has consented to the further processing
of the information;
(b) the information is available in or derived from a public record or has deliberately been made public by the data
subject;
(c) further processing is necessary-
(i) to avoid prejudice to the maintenance of the law by any public body including the prevention, detection,
investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue
as defined in section 1 of the South African Revenue Service Act, 1997 (Act );
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably
contemplated; or
(iv) in the interests of national security;
(d) the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to-
(i) public health or public safety; or
(ii) the life or health of the data subject or another individual;
(e) the information is used for historical, statistical or research purposes and the responsible party ensures that the
further processing is carried out solely for such purposes and will not be published in an identifiable form; or
(f) the further processing of the information is in accordance with an exemption granted under section 37.
Condition 5
(1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that
the operator which processes personal information for the responsible party establishes and maintains the security measures
referred to in section 19.
(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the
personal information of a data subject has been accessed or acquired by any unauthorised person.
(1) The prohibition on processing personal information concerning a data subject's criminal behaviour or biometric
information, as referred to in section 26, does not apply if the processing is carried out by bodies charged by law with applying
criminal law or by responsible parties who have obtained that information in accordance with the law.
(2) The processing of information concerning personnel in the service of the responsible party must take place in
accordance with the rules established in compliance with labour legislation.
(3) The prohibition on processing any of the categories of personal information referred to in section 26 does not apply if
such processing is necessary to supplement the processing of information on criminal behaviour or biometric information
permitted by this section.
(3) The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of
such period, be eligible for reappointment.
(4) The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the
provisions of subsection (1) (c) or (e), only perform or undertake to perform any other remunerative work during the period
that he or she holds office as Chairperson or member with the prior written consent of the Minister.
(5) A person appointed as a member of the Regulator may, upon written notice to the President, resign from office.
(6) (a) A member may be removed from office only on-
(i) the ground of misconduct, incapacity or incompetence;
(ii) a finding to that effect by a committee of the National Assembly; and
(iii) the adoption by the National Assembly of a resolution calling for that person's removal from office.
(b) A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be
adopted with a supporting vote of a majority of the members of the Assembly.
(c) The President-
(i) may suspend a member from office at any time after the start of the proceedings of a committee of the National
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
Assembly for the removal of that member; and
(ii) must remove a member from office upon adoption by the Assembly of the resolution calling for that member's
removal.
[Date of commencement of s. 41: 11 April 2014.]
(1) The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more
committees, which must consist of-
(a) such members of the Regulator as the Regulator may designate; or
(b) such members of the Regulator as the Regulator may designate and other persons appointed by the Regulator, as
referred to in section 47 (7), for the period determined by the Regulator.
(2) The Regulator may at any time extend the period of an appointment referred to in subsection (1) (b) or, if in its opinion
good reasons exist therefor, revoke any such appointment.
(3) The Regulator must designate the chairperson and, if the Regulator deems it necessary, the vice-chairperson of a
committee established under subsection (1).
(4) (a) A committee referred to in subsection (1) must, subject to the directions of the Regulator, perform those functions
of the Regulator assigned to it by the Regulator.
(b) Any function so performed by a committee referred to in subsection (1) will be deemed to have been performed by
the Regulator.
(5) The Regulator may at any time dissolve any committee established by the Regulator.
(6) The provisions of sections 40 (4) and 51 will apply, with the necessary changes, to a committee of the Regulator.
[Date of commencement of s. 49: 11 April 2014.]
(1) Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator.
(2) Three members of the Regulator constitute a quorum for a meeting.
(3) (a) The Chairperson may regulate the proceedings at meetings as he or she may think fit and must keep minutes of the
proceedings.
(b) If the Chairperson is absent from a meeting the members present shall elect one of their number to preside at that
meeting.
(4) (a) Subject to subsection (2), a decision of the Regulator is taken by resolution agreed to by the majority of members
at any meeting of the Regulator.
(b) In the event of an equality of votes regarding any matter the Chairperson has a casting vote in addition to his or her
deliberative vote.
[Date of commencement of s. 51: 11 April 2014.]
(1) Funds of the Regulator consist of-
(a) such sums of money that Parliament appropriates annually, for the use of the Regulator as may be necessary for
the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this
Act and the Promotion of Access to Information Act; and
(b) fees as may be prescribed in terms of section 111 (1).
(2) The financial year of the Regulator is the period from 1 April in any year to 31 March in the following year, except that
the first financial year of the Regulator begins on the date that this Chapter comes into operation, and ends on 31 March next
following that date.
(3) The chief executive officer of the Regulator is for purposes of the Public Finance Management Act, 1999 (Act 1 of
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
1999), the accounting officer and must execute his or her duties in accordance with that Act.
(4) Within six months after the end of each financial year, the Regulator must prepare financial statements in accordance
with established accounting practice, principles and procedures, comprising-
(a) a statement reflecting, with suitable and sufficient particulars, the income and expenditure of the Regulator during
the preceding financial year; and
(b) a balance sheet showing the state of its assets, liabilities and financial position as at the end of that financial year.
(5) The Auditor-General must audit the Regulator's financial records each year.
[Date of commencement of s. 52: 11 April 2014.]
(1) A complaint to the Regulator must be made in writing.
(2) The Regulator must give such reasonable assistance as is necessary in the circumstances to enable a person, who
wishes to make a complaint to the Regulator, to put the complaint in writing.
(1) The Regulator, after investigating a complaint received in terms of section 73, may decide to take no action or, as the
case may be, require no further action in respect of the complaint if, in the Regulator's opinion-
(a) the length of time that has elapsed between the date when the subject matter of the complaint arose and the
date when the complaint was made is such that an investigation of the complaint is no longer practicable or
desirable;
(b) the subject matter of the complaint is trivial;
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(c) the complaint is frivolous or vexatious or is not made in good faith;
(d) the complainant does not desire that action be taken or, as the case may be, continued;
(e) the complainant does not have a sufficient personal interest in the subject matter of the complaint; or
(f) in cases where the complaint relates to a matter in respect of which a code of conduct is in force and the code of
conduct makes provision for a complaints procedure, the complainant has failed to pursue, or to pursue fully, an
avenue of redress available under that complaints procedure that it would be reasonable for the complainant to
pursue.
(2) Notwithstanding anything in subsection (1), the Regulator may in its discretion decide not to take any further action on
a complaint if, in the course of the investigation of the complaint, it appears to the Regulator that, having regard to all the
circumstances of the case, any further action is unnecessary or inappropriate.
(3) In any case where the Regulator decides to take no action, or no further action, on a complaint, the Regulator must
inform the complainant of that decision and the reasons for it.
(1) If, on receiving a complaint in terms of section 74, the Regulator considers that the complaint relates, in whole or in
part, to a matter that is more properly within the jurisdiction of another regulatory body established in terms of any law, the
If it appears from a complaint, or any written response made in relation to a complaint under section 79 (b) (ii), that it may
be possible to secure-
(a) a settlement between any of the parties concerned; and
(b) if appropriate, a satisfactory assurance against the repetition of any action that is the subject matter of the
complaint or the doing of further actions of a similar kind by the person concerned,
the Regulator may, without investigating the complaint or, as the case may be, investigating the complaint further, in the
prescribed manner, use its best endeavours to secure such a settlement and assurance.
(a) summon and enforce the appearance of persons before the Regulator and compel them to give oral or written
evidence on oath and to produce any records and things that the Regulator considers necessary to investigate the
complaint, in the same manner and to the same extent as the High Court;
(b) administer oaths;
(c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the
Regulator sees fit, whether or not it is or would be admissible in a court of law;
(d) at any reasonable time, subject to section 81, enter and search any premises occupied by a responsible party;
(e) conduct a private interview with any person in any premises entered under section 84 subject to section 82; and
(f) otherwise carry out in those premises any inquiries that the Regulator sees fit in terms of section 82.
(1) A police officer who is assisting a person authorised to conduct an entry and search in terms of a warrant issued under
section 82 may overcome resistance to the entry and search by using such force as is reasonably necessary.
(2) A warrant issued under this section must be executed at a reasonable hour unless it appears to the person executing it
that there are reasonable grounds for suspecting that the evidence in question would not be found if it were so executed.
(3) If the person who occupies the premises in respect of which a warrant is issued under section 82 is present when the
warrant is executed, he or she must be shown the warrant and supplied with a copy of it, and if that person is not present a
copy of the warrant must be left in a prominent place on the premises.
(4) A person seizing anything in pursuance of a warrant under section 82 must give a receipt to the occupier or leave the
receipt on the premises.
(5) Anything so seized may be retained for as long as is necessary in all circumstances but the person in occupation of the
premises in question must be given a copy of any documentation that is seized if he or she so requests and the person
executing the warrant considers that it can be done without undue delay.
(6) A person authorised to conduct an entry and search in terms of section 82 must be accompanied and assisted by a
police officer.
(7) A person who enters and searches any premises under this section must conduct the entry and search with strict
regard for decency and order, and with regard to each person's right to dignity, freedom, security and privacy.
(8) A person who enters and searches premises under this section must before questioning any person-
(a) advise that person of the right to be assisted at the time by an advocate or attorney; and
(b) allow that person to exercise that right.
(9) No self-incriminating answer given or statement made to a person who conducts a search in terms of a warrant issued
under section 82 is admissible as evidence against the person who gave the answer or made the statement in criminal
proceedings, except in criminal proceedings for perjury or in which that person is tried for an offence contemplated in section
102 and then only to the extent that the answer or statement is relevant to prove the offence charged.
A warrant issued under section 82 must be returned to the court from which it was issued-
(a) after being executed; or
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(b) if not executed within the time authorised for its execution,
and the person who has executed the warrant must make an endorsement on it stating what powers have been exercised by
him or her under the warrant.
89 Assessment
(1) The Regulator, on its own initiative, or at the request by or on behalf of the responsible party, data subject or any other
person must make an assessment in the prescribed manner of whether an instance of processing of personal information
complies with the provisions of this Act.
(2) The Regulator must make the assessment if it appears to be appropriate, unless, where the assessment is made on
request, the Regulator has not been supplied with such information as it may reasonably require in order to-
(a) satisfy itself as to the identity of the person making the request; and
(b) enable it to identify the action in question.
(3) The matters to which the Regulator may have regard in determining whether it is appropriate to make an assessment
include-
(a) the extent to which the request appears to it to raise a matter of substance;
(b) any undue delay in making the request; and
(c) whether or not the person making the request is entitled to make an application in terms of section 23 or 24 in
respect of the personal information in question.
(4) If the Regulator has received a request under this section it must notify the requester-
(a) whether it has made an assessment as a result of the request; and
(b) to the extent that it considers appropriate, having regard in particular to any exemption which has been granted by
the Regulator in terms of section 37 from section 23 or 24 applying in relation to the personal information
concerned, of any view formed or action taken as a result of the request.
(2) An information notice must contain particulars of the right of appeal conferred by section 97, and-
(a) in a case falling within subsection (1) (a), a statement that the Regulator has received a request under section 89
in relation to the specified processing; or
(b) in a case falling within subsection (1) (b), a statement that the Regulator regards the specified information as
relevant for the purpose of determining whether the responsible party has complied, or is complying, with the
conditions for the lawful processing of personal information and the reasons for regarding it as relevant for that
purpose.
(3) Subject to subsection (5), the period specified in an information notice must not expire before the end of the period
within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be
furnished pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that the information is required as a matter of urgency, it may include in the notice a
statement to that effect and a statement of its reasons for reaching that conclusion, and in that event subsection (3) does
not apply.
(5) A notice in terms of subsection (4) may not require the information to be furnished before the end of a period of three
days beginning with the day on which the notice is served.
(6) An information notice may not require a responsible party to furnish the Regulator with any communication between a-
(a) professional legal adviser and his or her client in connection with the giving of legal advice on the client's
obligations, liabilities or rights under this Act; or
(b) professional legal adviser and his or her client, or between such an adviser or his or her client and any other
person, made in connection with or in contemplation of proceedings under or arising out of this Act (including
proceedings before a court) and for the purposes of such proceedings.
(7) In subsection (6) references to the client of a professional legal adviser include any person representing such a client.
(8) An information notice may not require a responsible party to furnish the Regulator with information that would, by
revealing evidence of the commission of any offence other than an offence under this Act, expose the responsible party to
criminal proceedings.
(9) The Regulator may cancel an information notice by written notice to the responsible party on whom it was served.
(a) the Regulator believes that no interference with the protection of the personal information of a data subject has
taken place and therefore does not serve an enforcement notice;
(b) the Regulator has referred the complaint to the Enforcement Committee for consideration in terms of section 92;
(c) an enforcement notice is served in terms of section 95;
(d) a served enforcement notice is cancelled in terms of section 96;
(e) an appeal is lodged against the enforcement notice for cancellation or variation of the notice in terms of section
97; or
(f) an appeal against an enforcement notice is allowed, the notice is substituted or the appeal is dismissed in terms of
section 98,
the Regulator must inform the complainant and the responsible party, as soon as reasonably practicable, in the manner
prescribed of any development mentioned in paragraphs (a) to (f) and the result of the investigation.
(1) A responsible party on whom an enforcement notice has been served may, at any time after the expiry of the period
during which an appeal may be brought against that notice, apply in writing to the Regulator for the cancellation or variation of
that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not
be complied with in order to ensure compliance with the conditions for the lawful processing of personal information.
(2) If the Regulator considers that all or any of the provisions of an enforcement notice need not be complied with in order
to ensure compliance with a condition for the lawful processing of personal information or conditions to which it relates, it may
cancel or vary the notice by written notice to the responsible party on whom it was served.
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(1) A responsible party on whom an information or enforcement notice has been served may, within 30 days of receiving the
notice, appeal to the High Court having jurisdiction for the setting aside or variation of the notice.
(2) A complainant, who has been informed of the result of the investigation in terms of section 77 (3) or 96, may, within
180 days of receiving the result, appeal to the High Court having jurisdiction against the result.
(a) intentionally obstructs a person in the execution of a warrant issued under section 82; or
(b) fails without reasonable excuse to give any person executing such a warrant such assistance as he or she may
reasonably require for the execution of the warrant,
is guilty of an offence.
Contractual Terms
Source: POPI ACT 4 OF 2013.pdflawful processing of personal information as referred to in Chapter 3, including the right-
(a) to be notified that-
(i) personal information about him, her or it is being collected as provided for in terms of section 18; or
(ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided
for in terms of section 22;
(b) to establish whether a responsible party holds personal information of that data subject and to request access to
his, her or its personal information as provided for in terms of section 23;
(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as
provided for in terms of section 24;
(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its
personal information as provided for in terms of section 11 (3) (a);
(e) to object to the processing of his, her or its personal information-
(i) at any time for purposes of direct marketing in terms of section 11 (3) (b); or
(ii) in terms of section 69 (3) (c);
(f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited
electronic communications except as referred to in section 69 (1);
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated
processing of his, her or its personal information intended to provide a profile of such person as provided for in
terms of section 71;
(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal
information of any data subject or to submit a complaint to the Regulator in respect of a determination of an
adjudicator as provided for in terms of section 74; and
(i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal
information as provided for in section 99.
(1) This Act does not apply to the processing of personal information solely for the purpose of journalistic, literary or artistic
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy
with the right to freedom of expression.
(2) Where a responsible party who processes personal information for exclusively journalistic purposes is, by virtue of office,
employment or profession, subject to a code of ethics that provides adequate safeguards for the protection of personal
information, such code will apply to the processing concerned to the exclusion of this Act and any alleged interference with
the protection of the personal information of a data subject that may arise as a result of such processing must be adjudicated
as provided for in terms of that code.
(3) In the event that a dispute may arise in respect of whether adequate safeguards have been provided for in a code as
required in terms of subsection (2) or not, regard may be had to-
(a) the special importance of the public interest in freedom of expression;
(b) domestic and international standards balancing the-
(i) public interest in allowing for the free flow of information to the public through the media in recognition of
the right of the public to be informed; and
(ii) public interest in safeguarding the protection of personal information of data subjects;
(c) the need to secure the integrity of personal information;
(d) domestic and international standards of professional integrity for journalists; and
(e) the nature and ambit of self-regulatory forms of supervision provided by the profession.
Chapter 3
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION (ss 8-35)
conditions, are complied with at the time of the determination of the purpose and means of the processing and during the
processing itself.
Condition 2
(1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its
control by taking appropriate, reasonable technical and organisational measures to prevent-
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to-
(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its
control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously
implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which
may apply to it generally or be required in terms of specific industry or professional rules and regulations.
(1) Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or
acquired by any unauthorised person, the responsible party must notify-
(a) the Regulator; and
(b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
(2) The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the
compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine
the scope of the compromise and to restore the integrity of the responsible party's information system.
(3) The responsible party may only delay notification of the data subject if a public body responsible for the prevention,
detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the
public body concerned.
(4) The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject
in at least one of the following ways:
(a) Mailed to the data subject's last known physical or postal address;
(b) sent by e-mail to the data subject's last known e-mail address;
(c) placed in a prominent position on the website of the responsible party;
(d) published in the news media; or
(e) as may be directed by the Regulator.
(5) The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take
protective measures against the potential consequences of the compromise, including-
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(a) a description of the possible consequences of the security compromise;
(b) a description of the measures that the responsible party intends to take or has taken to address the security
compromise;
(c) a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse
effects of the security compromise; and
(d) if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the
personal information.
(6) The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the
integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would
protect a data subject who may be affected by the compromise.
Condition 8
(1) The prohibition on processing personal information, as referred to in section 26, does not apply if the-
(a) processing is carried out with the consent of a data subject referred to in section 26;
(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
(c) processing is necessary to comply with an obligation of international public law;
(d) processing is for historical, statistical or research purposes to the extent that-
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual
privacy of the data subject to a disproportionate extent;
(e) information has deliberately been made public by the data subject; or
(f) provisions of sections 28 to 33 are, as the case may be, complied with.
(2) The Regulator may, subject to subsection (3), upon application by a responsible party and by notice in the Gazette,
authorise a responsible party to process special personal information if such processing is in the public interest and appropriate
safeguards have been put in place to protect the personal information of the data subject.
(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2).
(1) The prohibition on processing personal information concerning a data subject's health or sex life, as referred to in
section 26, does not apply to the processing by-
(a) medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the
proper treatment and care of the data subject, or for the administration of the institution or professional practice
concerned;
(b) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if
such processing is necessary for-
(i) assessing the risk to be insured by the insurance company or covered by the medical scheme and the data
subject has not objected to the processing;
(ii) the performance of an insurance or medical scheme agreement; or
(iii) the enforcement of any contractual rights and obligations;
(c) schools, if such processing is necessary to provide special support for pupils or making special arrangements in
connection with their health or sex life;
(d) any public or private body managing the care of a child if such processing is necessary for the performance of their
lawful duties;
(e) any public body, if such processing is necessary in connection with the implementation of prison sentences or
detention measures; or
(f) administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for-
(i) the implementation of the provisions of laws, pension regulations or collective agreements which create
rights dependent on the health or sex life of the data subject; or
(ii) the reintegration of or support for workers or persons entitled to benefit in connection with sickness or
work incapacity.
(2) In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to
an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written
agreement between the responsible party and the data subject.
(3) A responsible party that is permitted to process information concerning a data subject's health or sex life in terms of this
section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the
information as confidential, unless the responsible party is required by law or in connection with their duties to communicate
the information to other parties who are authorised to process such information in accordance with subsection (1).
(4) The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it
is necessary to supplement the processing of personal information concerning a data subject's health, as referred to under
subsection (1) (a), with a view to the proper treatment or care of the data subject.
(5) Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom
the information concerned has been obtained, unless-
(a) a serious medical interest prevails; or
(b) the processing is necessary for historical, statistical or research activity.
(6) More detailed rules may be prescribed concerning the application of subsection (1) (b) and (f).
(1) The prohibition on processing personal information of children, as referred to in section 34, does not apply if the
processing is-
(a) carried out with the prior consent of a competent person;
(b) necessary for the establishment, exercise or defence of a right or obligation in law;
(c) necessary to comply with an obligation of international public law;
(d) for historical, statistical or research purposes to the extent that-
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual
privacy of the child to a disproportionate extent; or
(e) of personal information which has deliberately been made public by the child with the consent of a competent
person.
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(2) The Regulator may, notwithstanding the prohibition referred to in section 34, but subject to subsection (3), upon
application by a responsible party and by notice in the Gazette, authorise a responsible party to process the personal
information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect
the personal information of the child.
(3) The Regulator may impose reasonable conditions in respect of any authorisation granted under subsection (2), including
conditions with regard to how a responsible party must-
(a) upon request of a competent person provide a reasonable means for that person to-
(i) review the personal information processed; and
(ii) refuse to permit its further processing;
(b) provide notice-
(i) regarding the nature of the personal information of children that is processed;
(ii) how such information is processed; and
(iii) regarding any further processing practices;
(c) refrain from any action that is intended to encourage or persuade a child to disclose more personal information
about him- or herself than is reasonably necessary given the purpose for which it is intended; and
(d) establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information
collected from children.
Chapter 4
EXEMPTION FROM CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION (ss 36-38)
(1) The Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information,
even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to
such condition, if the Regulator is satisfied that, in the circumstances of the case-
(a) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the
data subject that could result from such processing; or
(b) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree,
any interference with the privacy of the data subject or third party that could result from such processing.
(2) The public interest referred to in subsection (1) includes-
(a) the interests of national security;
(b) the prevention, detection and prosecution of offences;
(c) important economic and financial interests of a public body;
(d) fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c);
(e) historical, statistical or research activity; or
(f) the special importance of the interest in freedom of expression.
(3) The Regulator may impose reasonable conditions in respect of any exemption granted under subsection (1).
(1) Personal information processed for the purpose of discharging a relevant function is exempt from sections 11 (3) and
(4), 12, 15 and 18 in any case to the extent to which the application of those provisions to the personal information would be
likely to prejudice the proper discharge of that function.
(2) 'Relevant function' for purposes of subsection (1), means any function-
(a) of a public body; or
(b) conferred on any person in terms of the law,
which is performed with the view to protecting members of the public against-
(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or
incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services
or in the management of bodies corporate; or
(ii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons
authorised to carry on any profession or other activity.
Chapter 5
SUPERVISION (ss 39-56)
(1) The powers, duties and functions of the Regulator in terms of this Act are-
(a) to provide education by-
(i) promoting an understanding and acceptance of the conditions for the lawful processing of personal
information and of the objects of those conditions;
(ii) undertaking educational programmes, for the purpose of promoting the protection of personal information,
on the Regulator's own behalf or in co-operation with other persons or authorities acting on behalf of the
Regulator;
(iii) making public statements in relation to any matter affecting the protection of the personal information of a
data subject or of any class of data subjects;
(iv) giving advice to data subjects in the exercise of their rights; and
(v) providing advice, upon request or on its own initiative, to a Minister or a public or private body on their
obligations under the provisions, and generally on any matter relevant to the operation, of this Act;
(b) to monitor and enforce compliance by-
(i) public and private bodies with the provisions of this Act;
(ii) undertaking research into, and monitoring developments in, information processing and computer
technology to ensure that any adverse effects of such developments on the protection of the personal
information of data subjects are minimised, and reporting to the Minister the results of such research and
monitoring;
(iii) examining any proposed legislation, including subordinate legislation, or proposed policy of the Government
that the Regulator considers may affect the protection of the personal information of data subjects, and
reporting to the Minister the results of that examination;
(iv) reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting
the protection of the personal information of a data subject, including the need for, or desirability of,
taking legislative, administrative, or other action to give protection or better protection to the personal
information of a data subject;
(v) submitting a report to Parliament, within five months of the end of its financial year, on all its activities in
terms of this Act during that financial year;
(vi) conducting an assessment, on its own initiative or when requested to do so, of a public or private body, in
respect of the processing of personal information by that body for the purpose of ascertaining whether or
not the information is processed according to the conditions for the lawful processing of personal
information;
(vii) monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on
the results of that monitoring, including any recommendation relating to the need of, or desirability of
taking, legislative, administrative, or other action to give protection, or better protection, to the personal
information of a data subject;
(viii) maintaining, publishing and making available and providing copies of such registers as are prescribed in this
Act; and
(ix) examining any proposed legislation that makes provision for the-
(aa) collection of personal information by any public or private body; or
(bb) disclosure of personal information by one public or private body to any other public or private body,
or both, to have particular regard, in the course of that examination, to the matters set out in
section 44 (2), in any case where the Regulator considers that the information might be used for the
purposes of an information matching programme,
and reporting to the Minister and Parliament the results of that examination;
(c) to consult with interested parties by-
(i) receiving and inviting representations from members of the public on any matter affecting the personal
information of a data subject;
(ii) co-operating on a national and international basis with other persons and bodies concerned with the
protection of personal information; and
(iii) acting as mediator between opposing parties on any matter that concerns the need for, or the desirability
of, action by a responsible party in the interests of the protection of the personal information of a data
subject;
(d) to handle complaints by-
(i) receiving and investigating complaints about alleged violations of the protection of personal information of
data subjects and reporting to complainants in respect of such complaints;
(ii) gathering such information as in the Regulator's opinion will assist the Regulator in discharging the duties
and carrying out the Regulator's functions under this Act;
(iii) attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and
conciliation; and
(iv) serving any notices in terms of this Act and further promoting the resolution of disputes in accordance
with the prescripts of this Act;
(e) to conduct research and to report to Parliament-
(i) from time to time on the desirability of the acceptance, by South Africa, of any international instrument
relating to the protection of the personal information of a data subject; and
(ii) on any other matter, including necessary legislative amendments, relating to protection of personal
information that, in the Regulator's opinion, should be drawn to Parliament's attention;
(f) in respect of codes of conduct to-
(i) issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
(ii) make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and
(iii) consider afresh, upon application, determinations by adjudicators under approved codes of conduct;
(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is
aimed at such cooperation; and
(h) in general to-
(i) do anything incidental or conducive to the performance of any of the preceding functions;
(ii) exercise and perform such other functions, powers, and duties as are conferred or imposed on the
Regulator by or under this Act or any other legislation;
(iii) require the responsible party to disclose to any person affected by a compromise to the integrity or
confidentiality of personal information, such compromise in accordance with section 22; and
(iv) exercise the powers conferred upon the Regulator by this Act in matters relating to the access of
information as provided by the Promotion of Access to Information Act.
(2) The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of
persons, publish reports relating generally to the exercise of the Regulator's functions under this Act or to any case or cases
investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a
report to the Minister.
(3) The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act ), will apply, with the necessary
changes, to the Regulator.
(4) The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4
and 5 of that Act.
[Date of commencement of s. 40: 11 April 2014.]
(1) A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but
no such provision may limit or restrict any provision of Chapter 10.
(2) If the code sets out procedures for making and dealing with complaints, the Regulator must be satisfied that-
(a) the procedures meet the-
(i) prescribed standards; and
(ii) guidelines issued by the Regulator in terms of section 65,
relating to the making of and dealing with complaints;
(b) the code provides for the appointment of an independent adjudicator to whom complaints may be made;
(c) the code provides that, in exercising his or her powers and performing his or her functions, under the code, an
adjudicator for the code must have due regard to the matters listed in section 44;
(d) the code requires the adjudicator to prepare and submit a report, in a form satisfactory to the Regulator, to the
financial year; and
(e) the code requires the report prepared for each year to specify the number and nature of complaints made to an
adjudicator under the code during the relevant financial year.
(3) A responsible party or data subject who is aggrieved by a determination, including any declaration, order or direction
that is included in the determination, made by an adjudicator after having investigated a complaint relating to the protection
of personal information under an approved code of conduct, may submit a complaint in terms of section 74 (2) with the
(4) The adjudicator's determination continues to have effect unless and until the Regulator makes a determination under
Chapter 10 relating to the complaint or unless the Regulator determines otherwise.
If a code issued under section 60 is in force, failure to comply with the code is deemed to be a breach of the conditions for
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
the lawful processing of personal information referred to in Chapter 3 and is dealt with in terms of Chapter 10.
Chapter 8
(1) Subject to subsection (2), a data subject may not be subject to a decision which results in legal consequences for him,
her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated
processing of personal information intended to provide a profile of such person including his or her performance at work, or his,
her or its credit worthiness, reliability, location, health, personal preferences or conduct.
(2) The provisions of subsection (1) do not apply if the decision-
(a) has been taken in connection with the conclusion or execution of a contract, and-
(i) the request of the data subject in terms of the contract has been met; or
(ii) appropriate measures have been taken to protect the data subject's legitimate interests; or
(b) is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate
interests of data subjects.
(3) The appropriate measures, referred to in subsection (2) (a) (ii), must-
(a) provide an opportunity for a data subject to make representations about a decision referred to in subsection (1);
and
(b) require a responsible party to provide a data subject with sufficient information about the underlying logic of the
automated processing of the information relating to him or her to enable him or her to make representations in
terms of paragraph (a).
© 2025 Juta and Company (Pty) Ltd. Downloaded: T hu May 29 2025 13:03:02 GMT +0200 (South Africa Standard T ime)
Chapter 9
TRANSBORDER INFORMATION FLOWS (s 72)
relation to that data subject, of-
(a) any breach of the conditions for the lawful processing of personal information as referred to in Chapter 3;
(b) non-compliance with section 22, 54, 69, 70, 71 or 72; or
(c) a breach of the provisions of a code of conduct issued in terms of section 60.
(1) Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the
protection of the personal information of a data subject.
(2) A responsible party or data subject may, in terms of section 63 (3), submit a complaint to the Regulator in the
prescribed manner and form if he, she or it is aggrieved by the determination of an adjudicator.
(1) If the Regulator, after having considered the recommendation of the Enforcement Committee in terms of section 93, is
satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data
subject as referred to in section 73, the Regulator may serve the responsible party with an enforcement notice requiring the
responsible party to do either or both of the following:
(a) To take specified steps within a period specified in the notice, or to refrain from taking such steps; or
(b) to stop processing personal information specified in the notice, or to stop processing personal information for a
purpose or in a manner specified in the notice within a period specified in the notice.
(2) An enforcement notice must contain-
(a) a statement indicating the nature of the interference with the protection of the personal information of the data
subject and the reasons for reaching that conclusion; and
(b) particulars of the rights of appeal conferred by section 97.
(3) Subject to subsection (4), an enforcement notice may not require any of the provisions of the notice to be complied
with before the end of the period within which an appeal may be brought against the notice and, if such an appeal is brought,
the notice need not be complied with pending the determination or withdrawal of the appeal.
(4) If the Regulator considers that an enforcement notice should be complied with as a matter of urgency it may include in
the notice a statement to that effect and a statement of its reasons for reaching that conclusion, and in that event
subsection (3) does not apply.
(5) A notice in terms of subsection (4) may not require any of the provisions of the notice to be complied with before the
end of a period of three days beginning with the day on which the notice is served.
(1) If in an appeal under section 97 the court considers-
(a) that the notice or decision against which the appeal is brought is not in accordance with the law; or
(b) that the notice or decision involved an exercise of discretion by the Regulator that ought to have been exercised
differently,
the court must allow the appeal and may set aside the notice or substitute such other notice or decision as should have been
served or made by the Regulator.
(2) In such an appeal, the court may review any determination of fact on which the notice in question was based.
(1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court
having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or
not there is intent or negligence on the part of the responsible party.
(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:
(a) Vis major;
(b) consent of the plaintiff;
(c) fault on the part of the plaintiff;
(d) compliance was not reasonably practicable in the circumstances of the particular case; or
(e) the Regulator has granted an exemption in terms of section 37.
(3) A court hearing proceedings in terms of subsection (1) may award an amount that is just and equitable, including-
(a) payment of damages as compensation for patrimonial and non-patrimonial loss suffered by a data subject as a
result of breach of the provisions of this Act;
(b) aggravated damages, in a sum determined in the discretion of the Court;
(c) interest; and
(d) costs of suit on such scale as may be determined by the Court.
(4) Any amount awarded to the Regulator in terms of subsection (3) must be dealt with in the following manner:
(a) The full amount must be deposited into a specifically designated trust account established by the Regulator with an
appropriate financial institution;
(b) as a first charge against the amount, the Regulator may recover all reasonable expenses incurred in bringing
proceedings at the request of a data subject in terms of subsection (1) and in administering the distributions made
to the data subject in terms of subsection (5); and
(c) the balance, if any (in this section referred to as the 'distributable balance'), must be distributed by the Regulator
to the data subject at whose request the proceedings were brought.
(5) Any amount not distributed within three years from the date of the first distribution of payments in terms of subsection
(4), accrue to the Regulator in the Regulator's official capacity.
(6) The distributable balance must be distributed on a pro rata basis to the data subject referred to in subsection (1).
(7) A Court issuing any order under this section must order it to be published in the Gazette and by such other appropriate
public media announcement as the Court considers appropriate.
(8) Any civil action instituted under this section may be withdrawn, abandoned or compromised, but any agreement or
compromise must be made an order of Court.
(9) If a civil action has not been instituted, any agreement or settlement, if any, may, on application to the Court by the
Description
Source: WCE 3158 - ITEMISED PRICING.xlsxThis is an itemised pricing schedule (Annexure B) for the tender: Appointment of a Service Provider to Conduct Personnel Suitability Checks (Vetting) for the Western Cape Education Department (WCED) for a five-year period.
Evaluation Criteria
Source: WCE 3158 - ITEMISED PRICING.xlsx (unknown)Based on the pricing schedule document, key eligibility criteria include: ability to provide firm pricing for all five years, capability to perform all specified verification types, experience with AFIS platform for criminal checks, capacity to train users across multiple locations, and compliance with SAQA accreditation requirements for qualification verification.
Technical Specifications
Source: WCE 3158 - ITEMISED PRICING.xlsx (unknown)The tender requires a service provider to conduct personnel suitability checks (vetting) for the Western Cape Education Department (WCED) for a five-year period. The scope includes:
Financial Requirements
Source: WCE 3158 - ITEMISED PRICING.xlsx (unknown)The pricing schedule requires firm prices for a five-year period.
Relevant where security providers, guards, access control or private security services are required.
Relevant because this tender appears to involve guarding, access control, CCTV, surveillance, or private security services.
Data conflicts
None detected
1 North Wharf Square, 2 Lower Loop St, Cape Town City Centre, Cape Town, 8001, South Africa
Get deep intelligence on Security and investigation activities. Unlock full pricing strategies, bid frequency, and historical win rates.