The myth
“Any slip means a R10 million fine and prison.”
Fines and imprisonment attach to specific offences — mostly ignoring the Regulator’s notices. Enforcement has in practice started with an enforcement notice ordering you to fix things, and actual fines to date range from R100 000 to R5 million — every one for non-compliance with a notice.
“to take specified steps... or to refrain from taking such steps”
Note — That is the enforcement notice’s function — corrective steps, appealable to the High Court (s 97). Ignoring it is the offence (s 103(1)) that opens the fine.
The enforcement ladder
01 Complaint or own-initiative investigation
Anyone may complain (s 74; under the amended Regulations, including any person with sufficient personal interest or acting in the public interest). The Regulator may investigate, conciliate or settle.
02 Enforcement notice (s 95)
An instruction to fix it — take specified steps, refrain from steps, or stop processing. No fine yet; appealable to the High Court (s 97).
03 Offence and infringement notice (ss 103, 109)
Ignoring an enforcement notice is an offence. The Regulator may issue an infringement notice with an administrative fine, set after weighing the s 109(3) factors.
04 Court confirmation (s 109(5))
Unpaid fines become, on filing, the equivalent of a civil judgment — the route the Blouberg matter took.
Fines: the R10 million cap and the factors
Administrative fines are capped at R10 million (s 109(2)(c)) — a rand figure, not the GDPR’s percentage-of-turnover. The section 109(3) factors set the level: the nature of the personal information involved, the duration and extent of the contravention, the number of data subjects affected, whether the contravention was preventable, prior offences, and the like. Fines may be paid in instalments by arrangement, and in law the Regulator may fine an alleged offence directly (s 109(1)) — though in practice every fine to date has followed an ignored enforcement notice.
Criminal penalties: confined to listed offences
Section 107 attaches imprisonment to listed offences only. Up to 10 years applies to, among others, obstructing the Regulator, breaching the account-number provisions and failing to comply with an enforcement notice; lesser offences carry up to 12 months. There is no jail time for, say, an honest minimality slip — the “10 years for a photo” headlines were nonsense.
The civil claim: strict liability
“A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.”
Strict liability, with defences limited to vis major, the plaintiff’s consent or fault, impracticability, and exemption (s 99(2)). For high-volume data holders this is arguably the bigger financial exposure: a breach affecting millions of records is millions of potential claimants — no fine required.
The actual track record
The five highest-profile matters, abridged — the complete, maintained record with lessons per matter lives on the POPIA enforcement tracker:
| Who | What happened | Outcome |
|---|---|---|
| Department of Justice & Constitutional Development (2023) | Ransomware attack; SIEM, intrusion-detection and antivirus licences had lapsed in 2020 and were never renewed; ±1 204 files lost; enforcement notice ignored. | R5 million fine — the first POPIA fine (under court challenge). |
| Dis-Chem Pharmacies (2023) | Operator (Grapevine) brute-forced, ±3.6 million data subjects’ records; no written operator contract; data subjects not notified. | Enforcement notice; complied; file closed — no fine. |
| South African Police Service (2023) | Krugersdorp crime victims’ personal details circulated on WhatsApp and Facebook by members; the s 6(1)(c) law-enforcement exclusion held not to cover the conduct. | Enforcement notice; public apology ordered and published; complied — no fine. |
| TransUnion (2024) | 2022 hack via a weak password; inadequate breach notification under s 22. | Enforcement notice; complied — no fine. |
| FT Rams Consulting (2024–25) | Persistent marketing emails without consent and despite opt-outs; the first direct-marketing enforcement notice; notice ignored. | R100 000 fine (unpaid; court recovery under way). |
The pattern across all of them: the road to a fine runs through ignoring the Regulator. Organisations that engaged and fixed things — Dis-Chem, SAPS, TransUnion — paid nothing.