Privacy Policy
Template — South Africa

Comprehensive disclosure of the categories of personal information collected — organised by source and type. Categories include: identity information (name, ID number, date of birth, gender, nationality), contact information (physical address, email, phone numbers), financial information (bank details, payment card numbers, transaction history, credit information), technical information (IP address, browser type, device identifiers, location data collected through websites and apps), usage information (browsing history, search queries, clickstream data), employment information (for employee privacy), and special personal information under POPIA Section 26 (religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health data, sexual life, biometric information, and criminal behaviour). For each category, the section identifies the source (directly from the data subject, from third parties, or automatically collected) and whether providing the information is mandatory or voluntary.

Maps every processing purpose to a specific POPIA condition for lawful processing under Section 11 — ensuring each purpose has a legitimate legal basis. Processing purposes typically include: performing a contract with the data subject (Section 11(1)(b)), complying with a legal obligation (Section 11(1)(c)), protecting the data subject's legitimate interests (Section 11(1)(d)), performing a public law duty (Section 11(1)(e)), and pursuing the legitimate interests of the responsible party (Section 11(1)(f), subject to a balancing test against the data subject's rights). Where consent is the basis (Section 11(1)(a)), the section explains how consent is obtained, that consent can be withdrawn at any time, and the consequences of withdrawal.

Identifies the categories of third parties with whom personal information is shared — including service providers (IT hosting, payment processors, marketing platforms, courier companies), professional advisors (auditors, attorneys, accountants), group companies (subsidiaries and holding companies), regulatory authorities (SARS, CIPC, the Information Regulator, sector regulators), and other parties where required by law (courts, law enforcement). For each category, the section specifies the purpose of sharing, the legal basis, and the safeguards in place. Where personal information is processed by third-party "operators" under POPIA Section 20-21, the section confirms that written operator agreements are in place specifying processing conditions, security measures, and data subject rights.

Discloses whether personal information is transferred outside South Africa — to cloud service providers, international group companies, or service providers in other jurisdictions. Under POPIA Section 72, cross-border transfers are permitted only if: the recipient country has adequate data protection laws, the transfer is necessary for the performance of a contract, the data subject consents, or the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain consent. The section identifies the countries to which data is transferred, the safeguards in place (binding corporate rules, contractual clauses, consent), and the adequacy assessments conducted. For common services, this includes disclosing that data is transferred to the United States (Google, Microsoft, AWS), the European Union (various service providers), and other jurisdictions.

Specifies the retention period for each category of personal information, the legal or operational basis for each retention period, and the secure destruction procedure when retention periods expire. POPIA Section 14 requires that personal information be retained only for as long as necessary for the purpose for which it was collected, or as required by law. Typical retention periods in South Africa include: financial and tax records (5 years from submission under the Tax Administration Act 28 of 2011), employment records (3 years after termination under the Basic Conditions of Employment Act 75 of 1997), contractual records (3 years after expiry under the Prescription Act 68 of 1969), and marketing consent records (for the duration of the consent plus a reasonable period). The section also addresses the secure destruction methods used — digital sanitisation, physical shredding, and certification of destruction.

Explains each right that data subjects have under POPIA, in plain language: the right to be notified that personal information is being collected (Section 18), the right to access personal information held about them (Section 23), the right to request correction or deletion of inaccurate, misleading, or unlawfully processed information (Section 24), the right to object to the processing of personal information on reasonable grounds (Section 11(3)), the right to object to direct marketing (Section 11(3)(b), and Section 69 specifically for electronic marketing), the right not to be subject to a decision based solely on automated processing (Section 71), and the right to lodge a complaint with the Information Regulator (Section 74). For each right, the section provides the procedure for exercising it, the required information, the expected response timeline, and any applicable fees.

Describes the technical and organisational security measures implemented to protect personal information — as required by POPIA Section 19. Technical measures include: encryption of personal information in transit (TLS/SSL) and at rest (AES-256), access controls and authentication (role-based access, multi-factor authentication), network security (firewalls, intrusion detection systems), regular security assessments and penetration testing, and automated monitoring and alerting. Organisational measures include: staff privacy awareness training, confidentiality agreements for all personnel with access to personal information, documented information security policies, incident response procedures, and regular security audits by independent assessors. The section also addresses the duty under Section 19(2) to notify the Information Regulator and affected data subjects of any security compromise.

Sets out the organisation's data breach notification procedures in compliance with POPIA Section 22. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible. The notification must include: the nature of the breach, the personal information affected, the measures taken to address the breach, recommended steps the data subject should take to mitigate harm, and the contact details of the Information Officer. The section also explains what constitutes a notifiable breach, the investigation process, and the timeline for notifications.

Addresses the use of personal information for direct marketing — subject to POPIA Section 69 and ECTA Section 45. Under POPIA, existing customers may be contacted for direct marketing of similar products or services without prior consent (the "soft opt-in"), provided they are given a reasonable opportunity to opt out at the time of initial collection and on every subsequent communication. For prospective customers who are not existing clients, prior consent is required. ECTA Section 45 requires that unsolicited electronic communications include the sender's identity and a functional opt-out mechanism. The section explains how consent is obtained, how opt-out requests are processed, and the timeline for implementing opt-out requests.

Addresses the processing of special personal information under POPIA Sections 26-33 (religious beliefs, race, ethnic origin, trade union membership, political persuasion, health data, sexual life, biometric information, and criminal behaviour) and children's personal information under Section 35. Processing of special personal information is generally prohibited unless one of the specific exemptions in Sections 27-33 applies — such as consent, establishment of a legal claim, compliance with legislation, or processing by an insurance company. Processing of children's personal information requires the consent of a competent person (parent or guardian). The section discloses whether the organisation processes these categories, the specific exemption relied upon, and the additional safeguards in place.

Provides the contact details of the designated Information Officer (or Deputy Information Officer) — including name, position, physical address, email address, and phone number. Explains the Information Officer's role in ensuring POPIA compliance, handling data subject requests, coordinating data breach notifications, and serving as the liaison with the Information Regulator. Includes the POPIA registration reference number (once registered) and the process for submitting data subject requests or privacy complaints. This section also provides the Information Regulator's contact details for complaints that cannot be resolved directly with the organisation.

Explains how data subjects will be notified of material changes to the Privacy Policy — including the notification channels (email, website notice, in-app notification for registered users), the effective date of changes, and whether material changes require renewed consent or fresh notification under POPIA Section 18. Includes a version history or changelog for transparency, and confirms that the most current version of the policy is always available on the organisation's website.