
Three POPIA Enforcement Notices Every South African Business Should Study

22 February 2026 | SureDox | 14 min read | POPIA Compliance


The Information Regulator is no longer just issuing warnings. Here's what happened to a global tech giant, a national pharmacy chain, and a small training company — and what it means for your organisation.


South Africa's Information Regulator has moved from cautious newcomer to active enforcer. Since the Protection of Personal Information Act (POPIA) took full effect in July 2021, the Regulator has issued enforcement notices to organisations of every size, from WhatsApp LLC to a small training consultancy. The message is unmistakable: compliance is not optional, and the Regulator will pursue you regardless of how large or small your operation is.

Three enforcement notices in particular tell the story of where POPIA enforcement is heading and what South African organisations need to pay attention to right now. Each targets a different kind of failure. Together, they paint a clear picture of the Regulator's priorities and the consequences of getting it wrong.


1. WhatsApp: Two Sets of Rules, One Standard

Enforcement Notice issued: 10 September 2024
Reference: T Boikanyo // J Jansen
Breach type: Lawful processing conditions (Sections 8, 9, 11, 13, 15, 17, 19)
Compliance deadline: 60 days

Of the three enforcement notices, the WhatsApp case is the most far-reaching. The Information Regulator found that WhatsApp maintains different privacy policies for European users and South African users — offering stronger protections to those covered by the EU's General Data Protection Regulation (GDPR) while giving South African users a weaker version, despite POPIA and GDPR sharing similar standards and protections.

The Regulator's investigation, which began in 2021 after WhatsApp's controversial privacy policy update, uncovered a pattern of non-compliance that touched almost every condition for lawful processing under POPIA.

What the Regulator found:

WhatsApp's South African privacy policy failed to demonstrate lawful processing under Section 8 of POPIA. The policy's broad, vague descriptions of data processing gave South African users no real ability to understand what was being done with their personal information or to determine whether processing was compliant with POPIA's requirements.

On the question of consent under Section 11, the Regulator was blunt: WhatsApp required users to accept its Revised Privacy Policy or lose access to the platform entirely. The Regulator determined this was coercion, not consent. Under POPIA, consent must be a voluntary, specific, and informed expression of will. A take-it-or-leave-it approach does not qualify.

WhatsApp also fell short on purpose specification under Section 13. The Revised Privacy Policy did not adequately explain what personal information was being collected, why it was being processed, or how the various categories of data — device operation information, usage and log information, device connection information — related to specific, lawful purposes.

Perhaps most damaging was the finding on further processing under Section 15. WhatsApp shares personal information of its South African users with other Meta companies and third parties. The Regulator concluded this constituted further processing that was incompatible with the original purpose of collection, placing WhatsApp in direct contravention of POPIA.

On security safeguards under Section 19, the Regulator found that WhatsApp failed to demonstrate it had documented enterprise information security policies or specific security procedures, and essentially asked the Regulator to take its word that adequate safeguards were in place. The Regulator rejected this position outright.

WhatsApp also argued that the Promotion of Access to Information Act (PAIA) does not apply to it because it is not domiciled in South Africa. The Regulator dismissed this argument, maintaining that any company providing services in South Africa must comply with South African legislation.

What the Regulator ordered:

The enforcement notice directed WhatsApp to demonstrate full compliance across all seven breached POPIA conditions, submit a revised privacy policy to the Regulator, conduct a detailed Personal Information Impact Assessment, update multiple FAQ documents for transparency, and provide a compliance report within 60 days. Non-compliance could result in a fine of up to R10 million, imprisonment for up to 10 years, or both.

The takeaway for your organisation:

This case establishes that the Information Regulator will hold international companies to the same POPIA standards as local ones. It also makes clear that forced consent — where users must accept terms to use a service with no meaningful alternative — is not lawful consent under POPIA. And critically, if your privacy policy uses broad language that does not link specific data collection to specific, lawful purposes, you are vulnerable.


2. Dis-Chem: When Your Supplier Becomes Your Problem

Enforcement Notice issued: 31 August 2023
Reference: SC 30/2022
Breach type: Security safeguards (Section 19), operator agreements (Section 21), breach notification (Section 22)
Compliance deadline: 31 days

The Dis-Chem case is a cautionary tale about third-party risk. In April 2022, an unauthorised party launched a brute force attack against Grapevine, a third-party service provider that managed Dis-Chem's e-Statement Service database. The attack succeeded because of weak passwords, and approximately 3.6 million data subjects' records were accessed. The compromised records included names, surnames, email addresses, and cellphone numbers.

Dis-Chem became aware of the breach on 1 May 2022 when employees started receiving suspicious SMS messages. To its credit, Dis-Chem notified the Information Regulator in writing within four days. But it did not notify the 3.6 million affected data subjects — a critical failure that triggered the Regulator's own-initiative assessment.

What the Regulator found:

The enforcement notice methodically details failures across three subsections of Section 19 of POPIA.

Under Section 19(1), Dis-Chem failed to prevent unlawful access to personal information by allowing weak passwords to persist in its environment. The Regulator specifically noted that Dis-Chem did not put adequate measures in place to monitor and detect unlawful access, and did not ensure that Grapevine — as its operator — had adequate security measures to protect the personal information it processed on Dis-Chem's behalf.

Under Section 19(2), Dis-Chem failed to identify the reasonably foreseeable risk of weak passwords, failed to establish safeguards against that risk, failed to verify those safeguards were implemented, and failed to update safeguards in response to new risks. The Regulator specifically noted the absence of an operator agreement with Grapevine as contemplated in Section 21 of POPIA.

Under Section 19(3), Dis-Chem failed to have due regard to generally accepted information security practices, specifically the Payment Card Industry Data Security Standard (PCI DSS). The environment affected by the brute force attack was not covered by the security measures Dis-Chem had implemented elsewhere.
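The two Section 19 gaps described above, weak passwords left in place and no monitoring that would have surfaced a brute force attempt, are both things a responsible party can check for in code. The example below is added for this article and is not Dis-Chem's, Grapevine's or the Regulator's material: it runs a sliding-window failed-login detector over constructed authentication log lines (the log format, IP addresses and thresholds are assumptions) and applies a minimum password policy of the kind a Section 19(2) risk assessment would identify as a safeguard against the foreseeable weak-password risk.

```python
"""Added example: failed-login monitoring and a minimum password policy check.
Illustrative code for this article only; the log format, sample lines,
addresses and thresholds are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed log format (assumption): ISO-8601 UTC time, result, user and source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=10, window_seconds=300):
    """Return {source: peak_failures} for every source that produced at least
    `threshold` failed logins inside any sliding window of `window_seconds`.
    This is the monitoring control the enforcement notice says was absent."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["result"] == "FAIL"]
    events.sort(key=lambda ev: ev["ts"])          # tolerate out-of-order lines
    recent = defaultdict(deque)                   # source -> recent failure times
    flagged = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                           # drop failures outside the window
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


# Constructed sample of known-weak values; a real deployment would use a full
# breached-password list rather than this illustrative handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_meets_policy(pw, min_length=12):
    """Minimum policy: length, at least three character classes, and not a
    known-weak value. Rejecting weak passwords is the safeguard against the
    reasonably foreseeable risk the Regulator identified under Section 19(2)."""
    if len(pw) < min_length or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


# Constructed sample log: one normal login, one stray failure, and a burst of
# twelve failures against the admin account from a single source in 12 seconds.
SAMPLE_LOG = [
    "2022-04-18T02:14:00Z login OK user=alice src=198.51.100.4",
    "2022-04-18T02:14:30Z login FAIL user=bob src=198.51.100.9",
] + [f"2022-04-18T02:15:{i:02d}Z login FAIL user=admin src=203.0.113.7" for i in range(12)]

if __name__ == "__main__":
    print("flagged sources:", detect_brute_force(SAMPLE_LOG))
    for candidate in ("Password1", "password12345", "Tr0ub4dor&Horse!"):
        print(candidate, "->", "ok" if password_meets_policy(candidate) else "rejected")
```

The detector keys on the source address; a credential-stuffing run that rotates sources would need the same window logic keyed on the target account as well, which is a one-line change to the grouping key. The alert is the point for Section 19(1): an alert on the first burst is what turns an attempted brute force into a detected one rather than a breach discovered weeks later from suspicious SMS messages.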

The Section 21 finding is especially significant. Dis-Chem had no written contract with Grapevine setting out security obligations. Had such a contract existed, it would have documented Grapevine's responsibility to maintain security measures equivalent to Section 19 standards and to notify Dis-Chem promptly of any security compromise.

On Section 22 — breach notification — the Regulator found that while Dis-Chem notified the Regulator, it failed to notify the affected data subjects as required by Section 22(1)(b). Dis-Chem disputed this, stating it published a notice on its website and issued a national media statement, but the Regulator did not consider this sufficient.

What the Regulator ordered:

Dis-Chem was ordered to conduct a Personal Information Impact Assessment, implement security measures including a comprehensive Incident Response Plan, implement PCI DSS standards, conclude written contracts with all operators processing personal information on its behalf, and develop a compliance framework covering Section 22 reporting obligations. All of this had to be completed within just 31 days. The Regulator later confirmed that Dis-Chem complied with the enforcement notice and closed its file on the matter.

The takeaway for your organisation:

You are responsible for the security of personal information even when a third party processes it on your behalf. Under POPIA, the responsible party cannot outsource accountability. If your operator suffers a breach because of weak passwords, that is your failure. And if you do not have a written operator agreement in place under Section 21, you have no contractual mechanism to enforce security standards or require timely breach notification. Every organisation that uses external service providers to process personal information — email platforms, cloud storage, payroll processors, marketing agencies — needs a Section 21 compliant operator agreement.


3. FT Rams Consulting: No Business Is Too Small

Enforcement Notice issued: 21 February 2024
Reference: CDR 464-21
Breach type: Unlawful direct marketing (Section 69), collection directly from data subject (Section 12), notification (Section 18)
Compliance deadline: 90 days
Fine for non-compliance: R100,000 (administrative fine after ignoring the enforcement notice)

The FT Rams case may seem minor compared to WhatsApp and Dis-Chem, but it carries an outsized lesson: the Information Regulator will pursue individual complaints from single data subjects, and it expects the same level of compliance from a small training company as from a multinational corporation.

FT Rams Consulting, a training institution that offered courses and webinars, sent persistent direct marketing emails to a data subject. The data subject attempted to opt out multiple times and requested to be removed from FT Rams' mailing list. FT Rams ignored these requests and continued sending marketing messages. The data subject lodged a complaint with the Information Regulator.

This was the Regulator's first enforcement notice specifically concerning direct marketing.

What the Regulator found:

FT Rams contravened Section 69(1) and (2) of POPIA by sending direct marketing emails without first obtaining the data subject's consent. Under Section 69, the processing of personal information for direct marketing by electronic communication is prohibited unless the data subject has given consent. A responsible party may approach a data subject whose consent is required only once to request that consent — and only if the data subject has not previously withheld it.

The Regulator made clear that including an "opt out" or "unsubscribe" link in marketing emails does not remedy non-compliance with Section 69(1). The opt-out option could only be included in the initial consent-seeking communication. By the time FT Rams was sending marketing emails with an opt-out button, it had already broken the law — because it never obtained consent in the first place.

FT Rams also failed to use the prescribed Form 4, which the Regulator has published under Regulation 6 for obtaining written consent for direct marketing. This form requires the data subject to specify which types of marketing they consent to and their preferred method of communication.

The Regulator additionally found that FT Rams contravened Section 12(1) by not collecting the data subject's personal information directly from them. The fact that FT Rams used five different possible email domains to contact the data subject suggested the email addresses were obtained from a third-party source without the data subject's knowledge or consent.

Under Section 18, FT Rams failed to take reasonable steps to ensure the data subject knew their personal information was being collected, the source of that information, and the purpose for which it was being collected.

What the Regulator ordered:

FT Rams was ordered to immediately stop all unsolicited direct marketing, ensure the first communication to any data subject is a consent request using Form 4, compile and maintain a database of data subjects who have withheld or not given consent, adopt a privacy policy, conduct a Personal Information Impact Assessment, develop a POPIA compliance framework, create a POPIA training manual including a chapter on direct marketing, train all staff on POPIA, and appoint and register an information officer — all within 90 days.
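The Section 69 rule explained earlier in this section (one consent-seeking approach, and none at all if consent was previously withheld) and the consent database the Regulator ordered FT Rams to maintain together describe a pre-send gate that a marketing system can enforce mechanically. The example below is added for this article and is not FT Rams' or the Regulator's code; the register design, outcome names and sample data subjects are constructed assumptions, and the channels recorded per subject stand in for the marketing types and contact methods a data subject ticks on Form 4.

```python
"""Added example: a consent register that gates direct marketing as Section 69
is described above. Illustrative code for this article; data model, outcome
names and sample subjects are constructed assumptions."""
from dataclasses import dataclass, field

# Outcomes of a pre-send check (names are this example's own).
SEND_MARKETING = "send_marketing"
SEND_CONSENT_REQUEST = "send_consent_request"   # the single permitted approach
BLOCK = "block"


@dataclass
class SubjectRecord:
    approached: bool = False                     # consent already requested once
    withheld: bool = False                       # declined, opted out or withdrew
    channels: set = field(default_factory=set)   # channels consented to on Form 4


class ConsentRegister:
    """Database of data subjects who have given, withheld or never given consent."""

    def __init__(self):
        self._records = {}

    def _rec(self, subject):
        return self._records.setdefault(subject, SubjectRecord())

    def record_consent(self, subject, channels):
        """Store a completed Form 4: the listed channels are consented to and
        any channel left off the form counts as withheld for that channel."""
        r = self._rec(subject)
        r.approached = True
        r.withheld = False
        r.channels = set(channels)

    def record_withheld(self, subject):
        """Opt-out, withdrawal or a declined request: no further contact at all."""
        r = self._rec(subject)
        r.withheld = True
        r.channels.clear()

    def check(self, subject, channel):
        """Decide what, if anything, may be sent to `subject` over `channel`."""
        r = self._rec(subject)
        if r.withheld:
            return BLOCK                 # previously withheld: no approach allowed
        if channel in r.channels:
            return SEND_MARKETING        # consent on record for this channel
        if not r.approached:
            r.approached = True          # record the one permitted approach
            return SEND_CONSENT_REQUEST
        return BLOCK                     # already approached once, no consent given


def plan_campaign(register, recipients, channel):
    """Run the gate over a recipient list and return {outcome: [subjects]}."""
    plan = {SEND_MARKETING: [], SEND_CONSENT_REQUEST: [], BLOCK: []}
    for subject in recipients:
        plan[register.check(subject, channel)].append(subject)
    return plan


def demo():
    """Constructed walk-through; returns the decisions so they can be checked."""
    reg = ConsentRegister()
    first = reg.check("ds-001", "email")         # never contacted: consent request
    second = reg.check("ds-001", "email")        # no reply yet: blocked
    reg.record_consent("ds-001", {"email"})      # Form 4 returned, email only
    reg.record_withheld("ds-002")                # opted out before ever being asked
    plan = plan_campaign(reg, ["ds-001", "ds-002", "ds-003"], "email")
    sms = reg.check("ds-001", "sms")             # channel not ticked: blocked
    reg.record_withheld("ds-001")                # later unsubscribe
    after_withdrawal = reg.check("ds-001", "email")
    return first, second, plan, sms, after_withdrawal


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The important property is that an unsubscribe link never appears in the flow: the only message a subject with no record can receive is the consent request, a subject who declined or withdrew receives nothing, and marketing goes out only over a channel the subject actually consented to. Persisting the register (rather than holding it in memory as here) is what gives you the evidence that consent was obtained, which is the burden POPIA places on the responsible party.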

FT Rams did not comply with the enforcement notice. The Regulator issued an infringement notice with an administrative fine of R100,000. As of November 2025, FT Rams had not paid the fine, and the Regulator initiated court proceedings to recover the amount.

The takeaway for your organisation:

If you send marketing emails, SMS messages, or make marketing calls, you need consent first — not after. An "unsubscribe" link is not a substitute for obtaining proper consent upfront. You need to use the Regulator's prescribed Form 4 for written consent, and you need to maintain a database of people who have opted out or never consented. The Regulator will investigate complaints from individual data subjects, and it will follow through with fines and court action if you ignore enforcement notices.


The Pattern: What These Three Cases Tell Us

Across these three enforcement notices, several themes emerge that every South African organisation should internalise.

The Regulator is sector-agnostic. Global tech companies, national retail chains, and small training firms all face the same scrutiny. Size and resources are not considered mitigating factors.

Ignoring the Regulator escalates consequences. WhatsApp failed to respond within prescribed timelines. FT Rams ignored the enforcement notice entirely. In both cases, the Regulator escalated. For FT Rams, that meant a R100,000 fine and court proceedings. For any organisation, ignoring an enforcement notice is itself a criminal offence under POPIA, carrying penalties of up to R10 million or 10 years imprisonment.

Operator relationships are a compliance risk. The Dis-Chem case makes clear that you cannot outsource accountability. If you engage third parties to process personal information, you need written operator agreements under Section 21, and you need to verify that their security measures are adequate.

Consent means consent. Both the WhatsApp and FT Rams cases centred on invalid or absent consent. Forced acceptance of terms is not consent. Sending marketing emails with an unsubscribe link is not consent. Under POPIA, consent must be voluntary, specific, and informed — and the burden of proving consent was obtained falls on the responsible party.

Privacy policies matter. WhatsApp's failure was partly a documentation problem — its privacy policy was too vague, too broad, and did not meet POPIA's transparency requirements. Having a privacy policy is not enough. It needs to be specific, accurate, and compliant with South African law.


Protecting Your Organisation

The common thread across all three enforcement notices is personal information that was either inadequately protected, processed without proper legal basis, or both. Whether that information lives in your own systems, in a third-party database, or in your email marketing platform, POPIA requires you to protect it.

For organisations that handle documents containing personal information — contracts, HR files, medical records, financial statements — one of the most effective risk-reduction strategies is proper redaction before sharing or storing documents for secondary purposes. De-identification is explicitly authorised by Section 14(4) of POPIA as an alternative to destruction, allowing you to retain documents for research, training, auditing, or quality assurance while removing the personal information that creates compliance risk.

SureDox helps South African organisations redact documents in line with POPIA's specific personal information categories. Using AI-powered detection, the platform identifies personal information across all nine POPIA categories, performs true content removal (not visual-only masking), and provides a verified audit trail — giving you documented proof that redaction was performed correctly.

Get started at suredox.com


SureDox is operated by Boone and Boo (Pty) Ltd as an "Operator" under POPIA. For more information about how we process your documents, see our Privacy Policy and Terms of Service.


References

  1. Information Regulator (South Africa), "Enforcement Notice — WhatsApp LLC," Form 15, Reference T Boikanyo // J Jansen, 10 September 2024. Available from the Information Regulator: inforegulator.org.za

  2. Information Regulator (South Africa), "Enforcement Notice — Dis-Chem Pharmacies Limited," Form 15, Reference SC 30/2022, 31 August 2023. Available from the Information Regulator: inforegulator.org.za

  3. Information Regulator (South Africa), "Enforcement Notice — FT Rams Consulting," Form 15, Reference CDR 464-21, 21 February 2024. Available from the Information Regulator: inforegulator.org.za

  4. ITWeb, "WhatsApp privacy policy fails POPIA compliance, says watchdog," 11 September 2024. itweb.co.za

  5. Michalsons, "Dis-Chem enforcement notice | data breach," updated February 2024. Analysis of the enforcement notice, remedial actions ordered, and compliance outcomes. michalsons.com

  6. Michalsons, "FT Rams Consulting enforcement notice | email direct marketing," updated December 2024. Analysis of the first direct marketing enforcement notice under POPIA. michalsons.com

  7. ITWeb, "InfoReg exposes POPIA violators as data breaches mount," 13 November 2025. Update on FT Rams R100,000 fine, Lancet R100,000 fine, and 2,374 breaches reported in 2024/25. itweb.co.za

  8. Moonstone, "Regulator seeks court test to settle whether telemarketing falls under POPIA," November 2025. Update confirming WhatsApp settled, FT Rams court proceedings initiated. moonstone.co.za

  9. TechCentral, "Information Regulator pursues Dis-Chem over data breach," 1 September 2023. Reporting on the Dis-Chem enforcement notice and Dis-Chem's response disputing certain findings. techcentral.co.za

  10. Central News South Africa, "WhatsApp Ordered to Comply with South Africa's POPIA," 27 April 2025. Detailed breakdown of the seven POPIA sections breached by WhatsApp. centralnews.co.za