This enforcement notice concerns data protection and privacy law compliance under POPIA, not payments regulation or payment service provider oversight.
While the entity may handle personal information in a payments context, the enforcement action is fundamentally about POPIA data protection breaches, not payments-specific violations.
Specialism
The enforcement notice mandates corrective actions including data breach notification, security safeguards implementation, and compliance framework development—all core data protection obligations under POPIA.
The regulator issued a formal enforcement notice with mandatory remedial actions (officer registration, training, disciplinary measures), representing enforcement-level regulatory action.
2026-05-29 08:01:10·rghosh@vixio.com
Meta Id: 3194467
Content ID: 3202949
GUID: de152a023e1ed03967baea793e61779b
TITLE: South Africa's Information Regulator Issues Enforcement Notice for Protection of Personal Information Act Breaches
BODY:
On May 22, 2026, South Africa's Information Regulator issued an enforcement notice against a responsible party for multiple breaches of the Protection of Personal Information Act 4 of 2013 (POPIA).
The regulator found that the responsible party breached four key conditions for lawful personal information processing. First, it failed to register an Information Officer with the regulator and designate deputy information officers as required under section 8 (accountability). Second, it violated section 15 (further processing limitation) by sharing Personal Credential Verification Reports containing employees' criminal records and academic qualifications with unauthorised staff members via email on September 6, 2022. Although the administrator recalled the email on September 8, 2022, the regulator determined this sharing was incompatible with the original collection purpose and lacked required consent. Third, the responsible party breached section 19 (security safeguards) by failing to maintain separate files for sensitive personal information and lacking organisational measures to prevent unlawful access. Fourth, it violated section 22 by failing to notify the regulator and affected data subjects of the security compromise, despite internal communications acknowledging the error.
The Information Regulator ordered the responsible party to take corrective actions within specified timeframes. These include registering the Information Officer and deputy officers within 31 days; notifying the regulator and data subjects of the security compromise within 31 days; issuing a written apology to complainants and publishing it to all employees within 31 days; taking disciplinary action against the employee responsible within 60 days; submitting a POPIA Compliance Framework within 31 days (or developing one within 120 days if not yet created); and conducting mandatory POPIA training for all employees with proof of completion within 90 days. Non-compliance with this enforcement notice constitutes an offence punishable by fine, imprisonment up to ten years, or both. The responsible party may appeal within 31 days of receipt.
B. REASONS FOR THE FINDINGS

1. The Responsible Party has breached the following conditions for the lawful processing of personal information:

1.1 Condition 1: Accountability - section 8 of the Protection of Personal Information Act 4 of 2013 ("POPIA")

1.1.1. The Responsible Party must ensure that the conditions for the lawful processing of personal information set out in Chapter 3 of POPIA and all the measures that give effect to such conditions are complied with and must demonstrate compliance with such conditions.

1.1.2. The Responsible Party does not comply with the condition of accountability by failing to register the Information Officer with the Regulator and to designate deputy information officer(s) and register them with the Regulator. The Information Officer is responsible for ensuring compliance with POPIA. The Responsible Party has failed to comply with some of the conditions for the lawful processing of personal information as illustrated hereunder.

1.2. Condition 4: Further Processing limitation - section 15 of POPIA

1.2.1. Section 15 (1) of POPIA provides that further processing of personal information must be compatible with the purpose for which personal information was collected in terms of section 13. Section 15 (2) details the factors that must be considered to assess whether further processing of personal information is compatible with the purpose for which the information was collected.

1.2.2. According to the Responsible Party, it processed personal information of the complainants, in the context of the employer-employee relationship, to restore good governance after it had come to its attention that a sizeable number of employees had failed to declare their criminal records and possible conflicts of interest such as doing business with the employer. As a result, the responsible party was placed under administration to investigate and address these problems.

1.2.3. The terms of reference of the Administrator included the restoration of good governance and ensuring that all employees declared their previous criminal records and interests. He also had to review and develop policies where there was a gap. The Acting Chief Financial Officer was tasked with the responsibility of reviewing, developing and implementing Finance Policies.

1.2.4. The personal information of the complainants was collected for the purpose of the verification of their academic qualifications and criminal records. This was done through the issuing of the Personal Credential Verification Report (Verification Report) by a company called the

1.2.5. By his own admission, the Administrator of the Responsible Party confirmed that in the course of communicating with her team the urgent need to implement the policies, the Acting Chief Financial Officer had erroneously included the Verification Reports of the complainants in the folder that contained finance policies, and this information was sent by email to various employees.

1.2.6. The complainants learnt about the email containing their personal information when it was sent to some staff members on 6 September 2022. This email was recalled by the Administrator on 8 September 2022 with an explanation that the document was erroneously distributed and was not intended for staff use. He even took corrective action against those who had erroneously sent the document to other staff members.

1.2.7. The sharing of the Verification Reports of the complainants with other staff of the responsible party constitutes further processing. In terms of section 15 (1) of POPIA, further processing (sharing) of personal information, in this instance the Verification Reports of the complainants, must be in accordance or compatible with the purpose for which the personal information was collected. The Verification Reports were collected for the purpose of strengthening governance within the institution.

1.2.8. The sharing of these reports with other employees who were not involved in the strengthening of governance of the institution, albeit by mistake, was incompatible with the purpose for which the personal information in the Verification Reports was collected. The contention of the Responsible Party that the complainants were not part of the recipients of the email communication mistakenly issued by the Acting CFO, and that their possession of the email contravened the Electronic Communication Policy and Transmission Policy of the institution, is not relevant and cannot be used as a justification for non-compliance with POPIA.

1.2.9. Section 15 (3) of POPIA provides for the legal bases for further processing of personal information. One of these bases is consent. The Responsible Party did not obtain the consent of the complainants for the further processing of their personal information. In addition to this, none of the other legal bases for further processing provided for in section 15 (3) of POPIA are applicable.

1.2.10. The Regulator finds that the Responsible Party has contravened section 15 (1) of POPIA. The Regulator disagrees with the Enforcement Committee's finding that the CJC "has not contravened section 15 (1) by further processing the personal information of the data subjects, in that further processing of personal information is compatible with the purpose of collection, in that the personal information was processed for a legitimate purpose and is in the public interest". Section 15 (3) of POPIA provides instances in which further processing is compatible with the purpose of collection. "Legitimate purpose and public interest" are not mentioned in section 15 (3).

1.3. Condition 7: Security Safeguards - sections 19 and 22 of POPIA

1.3.1. Section 19 (1) (b) of POPIA provides that the Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of personal information.

1.3.2. Although there is no evidence that documents such as personal information policies, procedures and frameworks, security safeguards to control access to personal information, or evidence of the training of staff in POPIA were requested during the investigation, the failure by the Responsible Party to keep separate files for the complainants' Verification Reports containing their personal information and the financial policies, coupled with the failure to register the Information Officer with the Regulator, points to the absence of organisational measures to prevent unlawful access to or processing of personal information, leading to the personal information of the complainants being shared and eventually unlawfully accessed by unauthorised parties. The Regulator finds that the Responsible Party violated section 19 (1) of POPIA.

1.3.3. Section 22 of POPIA sets out the duties and obligations of the Responsible Party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person. In such a case, the Responsible Party must inform the Regulator and the data subject affected of the security compromise.

1.3.4. It is common cause that the personal information of the complainants contained in the Verification Reports was shared with other employees of the Responsible Party who were not authorised to access this information. This constituted a security compromise, which triggered the obligation of the Responsible Party to inform the Regulator and the complainants of the security compromise. Neither the Regulator nor the complainants were informed of the security compromise.

1.3.5. Although an email was issued to all employees to alert them to the fact that personal information of the complainants was shared by mistake, that an investigation was launched to understand the circumstances under which the error occurred and that corrective action was taken, this did not absolve the Responsible Party from its obligation to inform the Regulator and the complainants of the security compromise. In the premises, the Regulator finds that the responsible party has violated section 22 (1) of POPIA.

3.3. The Regulator concurs with the Enforcement Committee that the MIE Report of did not contain any special personal information and therefore the responsible party did not violate section 26 (b) of POPIA.

C. RECOMMENDATIONS

4. Based on the above-mentioned Findings, the Regulator orders the Responsible Party to take the following actions -

4.1 The Responsible Party must provide confirmation to the Regulator that:

4.1.1 It has registered the Information Officer with the Regulator as stipulated in section 55 (2) of POPIA and provide the Regulator with proof of registration within 31 days of the date of receipt of this Enforcement Notice.

4.1.2 It has designated deputy information officer(s) and registered them with the Regulator and provide the Regulator with proof of this within 31 days of the date of receipt of this Enforcement Notice.

4.2 The Responsible Party must notify the Regulator and the data subjects of the security compromise of their personal information in compliance with section 22 of POPIA and provide proof thereof within 31 days of the date of receipt of this Enforcement Notice.

4.3 The Responsible Party must submit a written apology to the complainants for processing their personal information in a manner that breached the conditions for the processing of personal information stipulated in this Enforcement Notice. The apology must also be sent by email to all the employees of the responsible party and must be published through all other communication channels used by the Responsible Party. The apology must not contain the personal information of the complainants, other than their names and surnames. Proof of the written apology and the publication thereof as directed above must be submitted to the Regulator within 31 days of the date of receipt of this Enforcement Notice.

4.4 The Responsible Party must take appropriate action against the employee who had unlawfully processed (shared) personal information of the complainants and submit proof thereof to the Regulator within 60 days of the date of receipt of this Enforcement Notice.

4.5 The Responsible Party must submit its POPIA Compliance Framework to the Regulator within 31 days of the date of receipt of this Enforcement Notice. The Framework should include the following: the Privacy Policy, the Retention Policy and Schedule, the Incident Response Policy and the Information Privacy and Security Policy.

4.6 In the event that the Compliance Framework has not been developed, the Responsible Party must develop same and submit a copy thereof to the Regulator within 120 days of receipt of this Enforcement Notice.

4.7 The Responsible Party must conduct internal public awareness and training programmes on POPIA for all the employees of the Responsible Party. Copies of these programmes and proof that they have been conducted (e.g. attendance register of the participants) must be submitted to the Regulator within 90 days of the date of receipt of this Enforcement Notice.

D. RIGHT OF APPEAL

The Responsible Party may appeal against this Enforcement Notice within 31 days of the date of receipt of this Enforcement Notice as provided for in section 97(1) of POPIA.

E. CONSEQUENCES FOR NON-COMPLIANCE WITH ENFORCEMENT NOTICE

Please note that a Responsible Party which fails to comply with this Enforcement Notice is guilty of an offence and liable upon conviction to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment.

DATED at JOHANNESBURG on 22 May 2026

…………………………………………….
ADV. PANSY TLAKULA
CHAIRPERSON OF THE INFORMATION REGULATOR