Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Africa: Regulator issues enforcement notice to Dis-Chem for POPIA violations following vendor's data breach

The Information Regulator (the Regulator) announced, on September 1, 2023, that it had issued, on August 31, 2023, an enforcement notice to Dis-Chem Pharmacies Ltd for violations of the Protection of Personal Information Act (POPIA).

Background to the decision

The Regulator explained that Dis-Chem's third-party service provider, Grapevine, suffered a data breach. Once becoming aware of the data breach, Dis-Chem notified the Regulator in writing of the same. Subsequently, the Regulator conducted its own initiative assessment into the data breach following Dis-Chem's failure to notify data subjects, as required by Section 22 of POPIA.

Findings of the Regulator

Following its assessment, the Regulator determined that Dis-Chem had interfered with the protection of personal information of data subjects, and thus breached the conditions for the lawful processing of personal information. Specifically, the Regulator's assessment found that Dis-Chem failed to, among other things, put in place adequate measures to monitor and detect unlawful access to its environment, enter into an operator agreement with Grapevine, and ensure that Grapevine has adequate security measures in place to secure personal information in its possession.


The Regulator issued an enforcement notice which orders Dis-Chem to, among others:

  • conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with lawful data processing as required by Regulation 4(1)(b) of POPIA;
  • implement an adequate incident response plan;
  • ensure that it concludes written contracts with all operators who process personal information on its behalf, and such contracts compel the operator(s) to establish and maintain the same or better security measures referred to in Section 19 of POPIA; and
  • develop, implement, monitor, and maintain a compliance framework, in terms of Regulation 4(1)(a) of POPIA.

Furthermore, Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the enforcement notice within 31 days. Should Dis-Chem fail to abide by the enforcement notice within the stipulated timeframe, the Regulator confirmed that Dis-Chem would be guilty of an offense, and it may impose an administrative fine of an amount not exceeding ZAR 10 million (approx. $520,132) or be liable upon conviction to imprisonment, or both.

You can read the announcement here.