What POPIA Gives You the Right to Do
The Protection of Personal Information Act (POPIA, or POPI Act) came into full effect in South Africa on 1 July 2021. It gives South African citizens and residents meaningful rights over how organisations collect, store, use, and share their personal information. If a company or individual has violated those rights, you can lodge a formal complaint with the Information Regulator — the independent body established under POPIA to enforce the Act.
This is not just a theoretical right. The Information Regulator has the power to investigate complaints, issue enforcement notices, and impose fines of up to R10 million on organisations that breach the Act. In serious cases, responsible persons can face criminal prosecution. This guide explains when you have grounds to complain, how to do it, and what to expect.
What Counts as a POPIA Violation?
POPIA applies to any organisation or person (called a "responsible party") that processes personal information about identifiable individuals. Processing includes collecting, storing, using, sharing, deleting, and destroying personal information.
Common violations that give grounds for a complaint include:
- Receiving unsolicited direct marketing (spam emails, SMS marketing, telemarketing calls) when you have not consented, or after you have opted out
- A company sharing your personal information with third parties without your knowledge or consent
- A data breach in which your personal information was exposed, and the company either failed to notify you or failed to take reasonable security measures
- An organisation refusing to give you access to the personal information they hold about you, or refusing to delete it when you have requested this
- The collection of more personal information than is necessary for the stated purpose
- A company using your information for a purpose different from what it was collected for
- The processing of sensitive personal information (health records, financial information, biometric data, political or religious views) without your explicit consent
Step 1 — Raise the Matter Directly With the Organisation First
Before approaching the Information Regulator, attempt to resolve the matter directly with the responsible party. Contact their Information Officer (every organisation subject to POPIA must have a registered Information Officer) and put your complaint in writing. State clearly what personal information is involved, what you believe the violation was, and what you are requesting as a remedy — whether that is deletion of your data, cessation of marketing, or an explanation of a data breach.
Give the organisation a reasonable time to respond — typically 10 to 15 business days. Keep a copy of your communication and any response.
This step is not legally required before lodging a complaint with the Information Regulator, but it demonstrates good faith and can resolve simpler issues without the need for a formal process. It also documents that you attempted to resolve the matter, which strengthens your complaint if you do proceed formally.
Step 2 — Gather Your Evidence
Before lodging a formal complaint, document everything you have:
- The name and contact details of the organisation involved
- What personal information was processed (your name, ID number, contact details, financial data, etc.)
- What the organisation did or failed to do — be specific and factual
- When the violation occurred or when you became aware of it
- Any relevant correspondence: emails, SMS messages, letters, opt-out confirmations
- The response (or non-response) from the organisation when you raised it directly
The Information Regulator will assess your complaint based on the information you provide. Clear, factual, specific documentation is more effective than vague descriptions of general dissatisfaction.
Step 3 — Lodge Your Complaint With the Information Regulator
Complaints to the Information Regulator must be submitted in writing. You can do this by:
- Completing the official POPIA complaint form (Form 5) available on the Information Regulator's website at inforegulator.org.za
- Emailing the completed form and supporting documents to complaints.IR@justice.gov.za
- Submitting a written complaint by hand or by post to the Information Regulator's offices in Pretoria
The complaint must include: your full name and contact details, the name and contact details of the responsible party, a description of the alleged violation, and what outcome you are seeking. Attach all supporting evidence.
There is no fee to lodge a complaint with the Information Regulator.
Step 4 — The Investigation Process
Once your complaint is received, the Information Regulator will assess whether it falls within their jurisdiction and whether there is sufficient basis to investigate. Not every complaint results in a full investigation — complaints that are outside POPIA's scope, or that are clearly frivolous, will be dismissed at this stage.
If the complaint is accepted, the Regulator will notify the responsible party and give them an opportunity to respond. An investigation follows, which may involve requesting additional information from both parties, interviewing relevant individuals, or inspecting the responsible party's systems and processes.
The timeline for resolution varies. Straightforward cases may be resolved in a few months; complex investigations can take considerably longer. The Regulator's office has been resource-constrained since its establishment, and backlogs are a reality.
Possible Outcomes
If the Information Regulator finds in your favour, they can:
- Issue an enforcement notice ordering the responsible party to comply with POPIA — to stop processing, delete data, implement security measures, or notify affected parties
- Refer the matter for prosecution in serious cases — this can result in fines and in some circumstances imprisonment
- Issue an infringement notice imposing an administrative fine of up to R10 million
The Information Regulator does not award financial compensation to complainants — POPIA is not a mechanism for claiming damages from an organisation. If you have suffered actual financial loss as a result of a POPIA violation, a separate civil claim against the responsible party is the appropriate route, and an attorney can advise on the prospects of such a claim.
Special Case — Unsolicited Marketing
Unsolicited direct marketing is the most common POPIA complaint. If you receive marketing communications you did not consent to, or if an organisation continues to contact you after you have opted out, you can:
- Send a written opt-out request directly to the sender — POPIA requires them to stop immediately upon receiving this
- Register your number on the Direct Marketing Association of South Africa's opt-out registry
- Lodge a complaint with the Information Regulator if the organisation continues to contact you after a written opt-out
When to Involve an Attorney
For most POPIA complaints, the process is accessible without legal assistance. However, if the violation is serious — a large-scale data breach that has exposed your financial or medical information, or processing that has caused you concrete harm — consulting an attorney before lodging a complaint is worthwhile. An attorney can help you frame the complaint correctly, advise on whether a parallel civil claim is viable, and manage the process on your behalf if the matter becomes complex.
