Enforcement & reference

POPIA enforcement tracker: every notice and fine

A maintained record of South African POPIA enforcement — who, what, outcome, and the lesson — updated as the Regulator acts.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
Since POPIA became enforceable on 1 July 2021, the Information Regulator has issued enforcement notices against the Department of Justice, Dis-Chem, SAPS, TransUnion, FT Rams Consulting, the IEC, the Department of Basic Education, Lancet Laboratories, Blouberg Municipality and Central Johannesburg TVET College, with administrative fines ranging from R100 000 to R5 million. Every fine to date followed non-compliance with an enforcement notice — and the courts have overturned the Regulator where its reading overreached.

The full record

Last updated 2026-06-12

Every matter links its primary source — the Regulator’s own enforcement notice or media statement — and each row carries an anchor, so individual matters can be cited directly. This table is maintained: new notices and fines are added as the Regulator acts.

South African POPIA enforcement actions: who, what happened, and the outcome
| Who | What happened | Outcome | The lesson |
| --- | --- | --- | --- |
| Department of Justice & Constitutional Development (2023) | Ransomware attack; SIEM, intrusion-detection and antivirus licences had lapsed in 2020 and were never renewed; ±1 204 files lost; enforcement notice ignored. | R5 million fine — the first POPIA fine (under court challenge). | Keep the security basics running (s 19) — and never ignore an enforcement notice. |
| Dis-Chem Pharmacies (2023) | Operator (Grapevine) brute-forced, ±3.6 million data subjects’ records; no written operator contract; data subjects not notified. | Enforcement notice; complied; file closed — no fine. | Section 21 operator contracts are not paperwork — their absence was central to the finding. |
| South African Police Service (2023) | Krugersdorp crime victims’ personal details circulated on WhatsApp and Facebook by members; the s 6(1)(c) law-enforcement exclusion held not to cover the conduct. | Enforcement notice; public apology ordered and published; complied — no fine. | The crime-prevention exclusion is narrower than public bodies assume. |
| TransUnion (2024) | 2022 hack via a weak password; inadequate breach notification under s 22. | Enforcement notice; complied — no fine. | Breach notification failures feature in nearly every enforcement notice. |
| FT Rams Consulting (2024–25) | Persistent marketing emails without consent and despite opt-outs; the first direct-marketing enforcement notice; notice ignored. | R100 000 fine (unpaid; court recovery under way). | Section 69 is the one place POPIA genuinely demands consent — and the Regulator’s “leniency … is going to be a thing of the past”. |
| Electoral Commission (IEC) (2024) | Election candidate lists leaked; inadequate measures and notification; enforcement notice not complied with in time. | R100 000 fine. | Even a short delay in complying with a notice can convert a slip into a fine. |
| Department of Basic Education (2024–26) | Ordered not to publish matric results in newspapers; published in January 2025 after the Regulator’s urgent interdict failed; fined. | R5 million fine — but the High Court ruled against the Regulator’s interpretation (full bench, 12 December 2025), and leave to appeal was refused (3 June 2026, as reported). | The courts pushed back on the consent-maximalist reading: results published by examination number, without names, were held not to violate POPIA. |
| Lancet Laboratories (2024–25) | Repeated security compromises not reported under s 22. | Enforcement notice, then R100 000 fine — paid. | There is no materiality threshold: all security compromises must be reported. |
| Blouberg Local Municipality (2024–26) | Former employee’s personal information published online; notices ignored; fine unpaid. | R500 000 fine; on court confirmation under s 109(5), reduced to R250 000 — the first publicly reported court confirmation of a POPIA fine. | Unpaid fines become civil judgments (s 109(5)) — the Regulator does go to court. |
| Central Johannesburg TVET College (2026) | Enforcement notice (22 May 2026) including a straightforward failure to register the Information Officer with the Regulator. | Enforcement notice. | Information-officer registration (s 55(2)) is a compliance item the Regulator actively checks. |

Three lessons from the record

  1. The road to a fine runs through ignoring the Regulator

    Every fine so far punished non-compliance with an enforcement notice, not the original slip. Organisations that engaged and fixed things — Dis-Chem, SAPS, TransUnion — paid nothing.

  2. Security and breach notification dominate

    Most actions concern section 19 failures and section 22 notification — not processing without consent. Where consent does feature (FT Rams’s spam), it is in the one area the Act genuinely demands it: unsolicited electronic marketing.

  3. The courts have pushed back on consent-maximalism

    The matric-results saga (below) shows even the Regulator can over-read POPIA towards consent — and lose. The corrective reading this hub presents is the one the courts have endorsed.

The matric-results saga: the Regulator overturned

The Regulator ordered the Department of Basic Education not to publish the 2024 matric results in newspapers, sought an urgent interdict (which failed), and fined the Department R5 million after publication in January 2025. The High Court then held that publication of results by examination number, without names, does not violate POPIA — information that identifies nobody is not personal information (see the definitions page). A full bench upheld the Department’s appeal on 12 December 2025, setting aside both notices with costs, and the Regulator’s application for leave to appeal was refused on 3 June 2026, as reported. The episode is the strongest authority yet against the consent-maximalist reading of POPIA — exactly the reading this hub’s myth pages correct.

Frequently asked questions

What is the biggest POPIA fine so far?

R5 million — imposed twice: on the Department of Justice (2023, ransomware after lapsed security licences; under court challenge) and on the Department of Basic Education (matric results; later set aside by a full bench of the High Court).

Has any private company been fined under POPIA?

Yes. FT Rams Consulting received a R100 000 fine for spam marketing emails after ignoring the first direct-marketing enforcement notice, and Lancet Laboratories paid a R100 000 fine arising from repeated unreported security compromises.

Do complaints to the Information Regulator actually lead anywhere?

The record says yes: the FT Rams direct-marketing matter began with complaints, and breach-notification failures raised by affected people feature in most notices. The ladder usually ends at compliance, not a fine — which is the system working.

Can an enforcement notice be challenged?

Yes — section 97 provides an appeal to the High Court. The Department of Basic Education’s appeal succeeded: a full bench set aside both the enforcement and infringement notices in December 2025, and the Regulator’s application for leave to appeal was refused in June 2026.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
