The Information Regulator is the national, independent body that is empowered by POPIA to encourage, monitor and enforce compliance by Responsible Parties with the provisions of POPIA and PAIA. Before the Information Regulator came into being, the SA Human Rights Commission was tasked with upholding PAIA, but was severely hampered in its enforcement powers. This changes dramatically from 1 July, when the Information Regulator takes up its full position and powers. When a complaint is submitted to, or initiated by, the Information Regulator, it can decide to investigate, conciliate, take no further action (s77), or refer to the Enforcement Committee – an independent judicial tribunal established to adjudicate POPIA matters (a bit like the CCMA for labour disputes). Side note: I have been advised that complaints initiated at the SAHRC cannot be transferred to the Regulator – the Regulator starts its work on 1 July “de novo”.
The Responsible Party (GDPR “controller”) is the person or company that determines the decision-making (“purpose and means”) for processing personal information, and is responsible and liable for compliance with POPIA and PAIA. Whatever the size of your company, or whatever the size of your data processing operations, POPIA applies. No specific categories of responsible parties have been excluded.
The Information Officer is responsible for (ongoing) compliance by the Responsible Party with POPIA and PAIA. His or her duties include the encouragement of compliance with POPIA and managing requests from data subjects and the Regulator. Section 1 of POPIA and PAIA define the “head of a private body” as the Information Officer by default, and state that this should be either the CEO, an equivalent officer of the company or any other duly authorised person. However, the Regulator has deviated slightly from the Act’s definition in its authoritative interpretations in the Regulations of 2018 and the Guidance Note of 2021:-
An Operator (GDPR “processor”) is an independent contractor that processes personal information on behalf of the Responsible Party. Sections 20 and 21 of POPIA state that an operator may only act with the (written) knowledge or authorisation of the Responsible Party, and must treat personal information confidentially.
A Data Subject is the person the “personal information” relates to. Put differently, the person that may be ‘identified’ by the personal information. In South Africa (unlike in Europe) a data subject can be a person or a company.