
Information Regulator

Also known as: Regulator, IR.

Quick answer

What is the Information Regulator?

The Information Regulator is the independent statutory body established under section 39 of POPIA to regulate the protection of personal information and access to information in South Africa. It has investigatory, enforcement and rule-making powers under POPIA and PAIA, including issuing enforcement notices and imposing administrative fines of up to R10 million.

Drafted and reviewed by

Martin Kotze

Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)

Definition and context

Section 39 of the Protection of Personal Information Act 4 of 2013 establishes the Information Regulator as a juristic person accountable to the National Assembly. The Regulator is independent, subject only to the Constitution and the law. Its functions under sections 40 and 110 include monitoring and enforcing compliance with POPIA and PAIA, handling complaints and conducting investigations, issuing codes of conduct, advising Parliament on matters affecting privacy, facilitating cross-border cooperation, and maintaining a register of information officers.

Enforcement tools are set out in sections 89 to 99. The Regulator may conduct an assessment, investigate a complaint, refer matters to conciliation, conduct a hearing, and issue an enforcement notice under section 95 requiring the responsible party to take specific steps within a timeline. Failure to comply with an enforcement notice is a criminal offence under section 103, and the Regulator may impose an administrative fine of up to R10 million under section 109 read with section 109(2). The Regulator has actively issued enforcement notices since 2022 — high-profile examples include the Department of Justice (2023), TransUnion (2023) and WhatsApp/Meta (2023).

The Information Regulator's operational guidance carries significant weight. Its Guidance Notes on Information Officers, Operators, Direct Marketing, and the PAIA Annual Reporting Tool are authoritative. Contract drafting for POPIA compliance — operator agreements, privacy notices, consent forms, DPA templates — should align with the Regulator's current guidance, not only with the statutory text.

Statutory basis

Where this term lives in law

POPIA

Protection of Personal Information Act 4 of 2013

Sections: 1, 39, 40, 89, 90, 95, 103, 109, 110

Regulates the processing of personal information by public and private bodies in South Africa.

Common Questions

Frequently asked questions

What does the Information Regulator do?

It is South Africa's independent regulator for POPIA and PAIA. It monitors compliance, investigates complaints, issues enforcement notices, publishes codes of conduct, registers information officers, and imposes administrative fines of up to R10 million for POPIA breaches.

Who can complain to the Information Regulator?

Any data subject who believes a responsible party has interfered with the protection of their personal information may lodge a complaint under section 74. Third parties with a direct interest may also complain. The Regulator receives complaints through its online portal at inforegulator.org.za.

What is an enforcement notice?

An enforcement notice under section 95 of POPIA is a formal directive requiring the responsible party to take specified action — cease processing, rectify data, notify subjects, or implement security measures — within a stated timeline. Non-compliance is a criminal offence under section 103.

What is the maximum POPIA fine?

Section 109(2) allows administrative fines of up to R10 million. Criminal sanctions under sections 100 to 107 range up to 10 years' imprisonment for the most serious offences, such as obstructing the Regulator or unlawfully disclosing account numbers.
