Contact

Part 2: Unpacking the Data Protection (Complaints Handling and Enforcement Procedures) Regulations of 2021

Back to top

Part 2: Unpacking the Data Protection (Complaints Handling and Enforcement Procedures) Regulations of 2021

The Complaints Handling and Enforcement Procedures Regulations (the Complaints and Enforcement Regulations) set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement, as well as penalty notices under the Data Protection Act, 2019 (the DPA).

7 Feb 2022 5 min read Technology, Media & Telecommunications Alert Article

At a glance

  • The Complaints Handling and Enforcement Procedures Regulations establish the process for filing complaints with the Data Commissioner and for enforcing penalties under the Data Protection Act, 2019.
  • Complaints can be lodged by data subjects or other aggrieved individuals, either orally or through electronic means, and can be made free of charge and anonymously.
  • The Data Commissioner is responsible for investigating complaints, including issuing summonses, conducting examinations, requesting documents or information, and conducting searches. The Commissioner must make a preliminary finding on the admissibility of a complaint and may refuse to admit complaints without valid issues under the DPA. Dispute resolution may involve mediation, conciliation, negotiation, or other mechanisms. Parties may be joined in the proceedings, and complaints can be discontinued or withdrawn. Remedies for complaints include enforcement notices, penalty notices, and potential compensation.

Background

The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement, as well as penalty notices under the Data Protection Act, 2019 (the DPA). 

The main objectives of the Complaints and Enforcement Regulations is to facilitate a fair, impartial, just, expeditious, proportionate, and affordable determination of complaints lodged with the Commissioner, as well as to provide a means through which enforcement notices and penalty notices can be issued.

Lodging a Complaint

Regulation 4 (1) of the Complaints and Enforcement Regulations state that, a data subject or any other person aggrieved on any matter under the DPA, may lodge a complaint with the Data Commissioner. Complaints may be made orally or through electronic or other means.

Regulation 4 (3) of the Complaints and Enforcement Regulations highlights that any person can lodge a complaint free of charge, including a person acting on behalf of the complainant or a person authorized by law to act on behalf of a complainant/data subject. Complaints may also be lodged anonymously. The Data Commissioner is mandated to keep an up-to-date register of all complaints lodged.

Under these Regulations, every complaint notice will clearly state that there are options available to resolve a complaint including determining the complaint through alternative dispute resolution mechanisms specified in the DPA and these Regulations.

Investigation of a complaint

The Data Commissioner is mandated to make an inquiry into complaints and to thoroughly investigate the same. In investigating a complaint, section 57 of the DPA notes that the Data Commissioner may:

  • issue summons in Form DPC 4 set out in the Schedule requiring the attendance of any person at a specified date, time and place for examination;
  • examine any person in relation to a complaint;
  • administer an oath or affirmation on any person during the proceedings;
  • require any person to produce any document or information from a person or institution; and
  • on obtaining warrants from the court, enter into any establishment or premises and conduct a search and may seize any material relevant to the investigation.

The Data Commissioner is mandated to issue an investigation report and to conduct the investigative process in accordance with the Fair Administrative Action Act, 2015.

It should be noted however that not every complaint that is lodged with the Data Commissioner will be admitted and investigated. Regulation 6 of the Complaint and Enforcement Regulations states, upon receipt of a complaint, the Data Commissioner will make a preliminary finding on the admissibility of the complaint and whether the same lies within their jurisdiction. In certain cases, the OPDC may advise the complainant that the matter lies for determination before another body or institution. The ODPC may also refuse to admit a complaint where it does not raise any valid issues that are ripe for determination under the DPA. 

Dispute resolution

Section 9 (1)(c) of the DPA highlights that the Data Commissioner has a duty to facilitate mediation, conciliation, or negotiation in accordance with the DPA, and to use “any other mechanisms” to resolve complaints. Where a complaint is declined, the complaint may be re-admitted within six months from the date of refusal/decline, where the complainant raises new issues for determination under the DPA. This particular provision is however unclear on what “any other mechanisms” would mean in the context of the resolution of a complaint.

Notification of complaints to respondents

Upon the admission of a complaint, the Data Commissioner is mandated to inform the respondent(s) of the complaint lodged against them in the prescribed form. The respondent must respond to the complaint within 21 days with a detailed reply setting out relevant evidence where necessary. If the Respondent does not take any action, the Data Commissioner has discretion to determine the complaint in accordance with the DPA and issue the enforcement notices or penalties where applicable.

Joinder of parties

If it becomes clear in the course of resolving a complaint that it is necessary that another party is enjoined in the same complaint the Data Commissioner has powers to issue orders for joinder of any such party.

Any person who has sufficient interest in the outcome of a complaint, may also apply to the Data Commissioner for leave to be enjoined as a party in the proceedings. The Complaints and Enforcement Regulations, however, do not provide for a test for what would constitute “sufficient interest” when parties seek or apply to be enjoined in proceedings. This provision could therefore be open to abuse by vexatious litigants. 

Discontinuation and withdrawal of a complaint

Under Regulation 8 of the Complaints and Enforcement Regulations the Data Commissioner may discontinue an existing complaint where the complaint does not warrant further consideration or where a complainant refuses, fails or neglects to communicate without justifiable cause. A complaint may be withdrawn at any stage during its consideration but before a determination is made by the Data Commissioner. If a party wishes to re-lodge such a complaint, they may do so within six months from the date of withdrawal of such complaint after which the re-submitted complaint will be processed accordingly.

Complaints may be consolidated and jointly heard and determined with the parties’ consent. This process will apply to complaints procedures where two or more complaints are lodged in which similar issues are raised against the same respondent. If such an instance arises, the ODPC may consolidate the complaints and make a determination or treat one complaint as a “test” complaint and stay further action on the other complaints pending the resolution of the “test” complaint. The ODPC is at liberty to thereafter apply the determination made in the “test” complaint, to the rest of the stayed complaints.

Remedies for Complaints under the Regulations

Enforcement notice and penalty notices may be issued by the DPA as remedies following the determination of a complaint in the complainant’s favour. Penalties under a penalty notice are capped off at 5 million Kenya Shillings or 1% of annual turnover of the previous financial year whichever is lower. The penalty notice may also take the form of a daily fine of not more than 10,000 Kenya Shillings for each breach identified until the breach(es) is/are rectified. A party on whom an enforcement notice is served, may apply for review of the notice in the prescribed form or may appeal against the enforcement notice before the lapse of 30 days from the date of service of the notice. This appeal would be made before the High Court. A data subject/complainant may also be awarded compensation. 

A complaint may however also be dismissed where it lacks merit or approved to proceed to prosecution where it is legally sound and meritorious. All decisions made by the Data Commissioner under the Complaints and Enforcement Regulations are final and binding and enforceable as orders of the court. Furthermore, the Complaints and Enforcement Regulations provide that any outcomes of negotiation, mediation or conciliation shall be deemed to be a determination of the Data Commissioner and shall be enforceable as such.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

16 Oct 2023

by Taryn York and Mapaseka Nketu

Revised critical skills list

The Immigration Act 13 of 2002 empowers the Director-General of the Department of Home Affairs to issue a critical skills visa to an individual who is in possession of “ such skills or qualifications determined to be critical for the Republic from time to time ”, subject to meeting all the other requirements for the issuing of the visa. The skills and qualifications determined to be critical are published in a critical skills list issued by the Minister of the Department of Home Affairs (Minister) from time to time. A critical skills visa is issued based on compliance with the critical skills list and allows the holder to work in South Africa within a specific occupation listed on the critical skills list.

Immigration

2 min read

9 Apr 2024

by Lydia Owuor

Note to lenders: Strengthen your securities by transitioning GLA titles

Consider a situation where a lender is processing a financial facility secured by two properties within the Government Lands Act (GLA) land regime. On one hand, they receive a converted GLA title, while on the other hand, they encounter a Form LRA 33 transfer instrument as the title document. The lender is suddenly faced with a dilemma: how do they reconcile the deferring formats and ensure that both titles are equally credible and secure? This underscores the important question about consistency, reliability and legal interpretation addressed in our previous article on transitioning GLAtitles. 

Real Estate Law

3 min read

31 May 2023

by Susan Meyer and Ntobeko Rapuleng

”Yes, I can tell you watt to do”: Competition Tribunal confirms jurisdiction over electricity supply excessive pricing complaints

Cape Gate (Pty) (Ltd) (Cape Gate) lodged a complaint with the Competition Commission of South Africa (Commission) against the Emfuleni Local Municipality (ELM), the National Energy Regulator of South Africa (NERSA) and the Gauteng Provincial Government.

Competition Law

3 min read

17 Oct 2023

by Corné Lewis

The SCA reconfirms the restrictions of a court where a substitution order is sought in administrative decisions

In The Municipal Manager: The City of Johannesburg Metropolitan Municipality and Others v San Ridge Heights Rental Property (Pty) Ltd (517/2022) ZASCA 109 the Supreme Court of Appeal (SCA) was confronted with a case in which the owner of a property exhausted all internal remedies before launching a review application; the review application was launched timeously; and even after the launch of an internal appeal, the City of Johannesburg (Municipality) had failed to file reasons for its decisions. In this article, we will explore the principles established by the SCA and their broader implications.

Dispute Resolution

2 min read

21 Feb 2024

by Jacques Erasmus and Howmera Parak

Navigating assessed losses: Where do we stand?

The assessed loss provisions contained in sections 20 and 20A of the ITA have been a focal point over the years for both individuals and companies seeking to reduce their taxable income. Originally introduced to alleviate the tax burden imposed on businesses that require high amounts of capital expenditure to start up, the assessed loss provisions have in certain circumstances been used as a tax tool to alleviate the payment of tax on the taxable income of a company or individual conducting a business.

Tax & Exchange Control

2 min read

17 Jan 2024

by Ismail Makda, Akhona Mdunge, Jocelyn Lawrence-Kganane, David Pinnock and Yaniv Kleitman

Rogue directors counting the grains in the hourglass

There are many famous quotes about the passage of time, and miscreant directors may well be pondering a number of these in light of recent developments regarding the time-barring of claims based on breach of duty.

Corporate & Commercial Law

5 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline