POPIA

1. Introduction

1.1 Purpose

The purpose of this Protection of Personal Information Act (POPIA) Policy is to establish and maintain standards for the protection and handling of personal information within our organization. This policy aims to ensure compliance with the Protection of Personal Information Act, No. 4 of 2013, which governs the collection, use, storage, and sharing of personal information to safeguard the privacy of individuals.

1.2 Scope

This policy applies to all employees, contractors, consultants, and third-party service providers who handle personal information on behalf of our organization. It covers all forms of personal information processed by our organization, whether collected directly from individuals or obtained from other sources. The policy is designed to protect the rights of data subjects and ensure that their personal information is managed in a secure and responsible manner.

1.3 Objectives

The objectives of this policy are to:

  • Ensure that personal information is collected and processed lawfully, transparently, and for specific, legitimate purposes.
  • Implement measures to safeguard personal information against unauthorized access, loss, or damage.
  • Provide individuals with the rights to access, correct, and delete their personal information.
  • Ensure that all employees and partners are aware of their responsibilities under POPIA and are trained to handle personal information appropriately.

By adhering to this policy, our organization commits to upholding the principles of data protection and privacy, fostering trust with our clients, employees, and partners.

2. Definitions

2.1 Personal Information

  • Personal Information refers to any information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (POPIA protects companies and other juristic persons as well as individuals). This includes, but is not limited to, a person's name, contact details, identification number, email address, physical address, biometric information, personal opinions, views or preferences, financial, employment and medical history, and any other data that relates to an individual's personal characteristics. Information that has been de-identified so that it can no longer be linked to a person is not personal information while it remains de-identified.

2.2 Processing

  • Processing encompasses any operation or set of operations performed on personal information, whether or not by automated means. This includes the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction of personal information.

2.3 Data Subject

  • Data Subject refers to an individual whose personal information is collected, processed, or stored. The data subject is the person to whom the personal information pertains and who has rights regarding their personal information under POPIA.

2.4 Responsible Party

  • Responsible Party is the public or private body, or any other person, that alone or together with others determines the purpose of and means for processing personal information. The Responsible Party is the party accountable under POPIA for the lawfulness and security of the processing (it corresponds to the "controller" in other privacy regimes). For the processing described in this policy, our organization is the Responsible Party; a person or entity that processes personal information on our behalf is an Operator, not a Responsible Party.

2.5 Operator

  • Operator refers to a person or entity that processes personal information for the Responsible Party in terms of a contract or mandate, without coming under the direct authority of the Responsible Party. The Operator acts only on the Responsible Party's instructions and does not decide the purposes or means of processing. Under sections 20 and 21 of POPIA the Operator must process the information only with the Responsible Party's knowledge or authorisation, must treat it as confidential, and must notify the Responsible Party immediately where there are reasonable grounds to believe the information has been accessed or acquired by an unauthorised person.

2.6 Consent

  • Consent means any voluntary, specific and informed expression of will by which the data subject agrees to the processing of their personal information. Consent is one of the lawful grounds for processing listed in section 11 of POPIA, alongside, among others, processing that is necessary to conclude or perform a contract with the data subject, to comply with a legal obligation, or to pursue a legitimate interest of the data subject, of our organization or of a third party. Consent is therefore required where no other lawful ground applies, and in any event for direct marketing by unsolicited electronic communication (section 69); where it is relied on, it must be obtained before the processing commences. The data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

2.7 Information Regulator

  • Information Regulator refers to the regulatory authority established under POPIA to oversee and enforce compliance with the Act. The Regulator is responsible for monitoring adherence to the provisions of POPIA and addressing complaints related to the processing of personal information.

2.8 Breach of Personal Information

  • Breach of Personal Information (called a "security compromise" in section 22 of POPIA) refers to any incident in which there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, or in which it is disclosed, altered, lost, destroyed or otherwise processed without authorisation, potentially leading to harm or distress to the data subject. A lost or stolen device or backup medium holding unencrypted personal information is treated as a breach even where no unauthorised reading of the data has been confirmed.

2.9 Confidentiality

  • Confidentiality denotes the obligation to protect personal information from unauthorized access or disclosure. It involves maintaining the secrecy and security of personal information and ensuring that it is only accessible to those authorized to view it.

2.10 Data Subject Access Request (DSAR)

  • Data Subject Access Request (DSAR) is a formal request made by a data subject to access or obtain copies of their personal information held by the Responsible Party. It also includes requests for rectification, deletion, or restriction of processing.

3. Collection of Personal Information

3.1 Collection Methods

We collect personal information through various methods, including but not limited to:

  • Forms: Information provided through online or physical forms, such as registration, application, or inquiry forms.
  • Online Submissions: Data collected via our website, including contact forms, subscription services, and online transactions.
  • In-Person Interaction: Information gathered during face-to-face meetings, events, or consultations.
  • Telephone and Email: Personal information obtained during phone calls, emails, or other direct communications.

3.2 Purpose of Collection

We collect personal information for the following purposes:

  • Service Delivery: To provide, manage, and improve our products and services, including processing transactions, managing accounts, and responding to customer inquiries.
  • Communication: To communicate with data subjects regarding updates, offers, or important information related to our services.
  • Compliance: To comply with legal and regulatory requirements, including record-keeping and reporting obligations.
  • Marketing and Promotions: To send promotional materials or offers that may be of interest, where consent has been provided or, for existing customers, where the conditions of section 69 of POPIA are met (contact details obtained in the context of a sale, marketing of our own similar products or services, and an opportunity to opt out given at the time of collection and in every message).

3.3 Lawful Basis and Consent

We collect personal information only where a lawful ground under section 11 of POPIA applies: the explicit consent of the data subject, the conclusion or performance of a contract with the data subject, a legal obligation, or a legitimate interest of the data subject, of our organization or of a third party. Where consent is the ground relied on, the consent process includes:

  • Explicit Consent: Obtaining clear and specific consent from data subjects before collecting personal information, particularly for marketing or other purposes not directly related to the primary service.
  • Consent Withdrawal: Providing data subjects with the option to withdraw their consent at any time, and ensuring that such withdrawals are promptly acted upon.
  • Informing Data Subjects: Clearly informing data subjects, at or before collection as section 18 of POPIA requires, of the information being collected, its source where it is not collected from them directly, the purpose of collection, whether supplying it is voluntary or mandatory and the consequences of not supplying it, the recipients of the information, any intended transfer outside South Africa, how the information will be protected, and their rights of access, correction, objection and complaint to the Information Regulator.

3.4 Minimization and Relevance

We adhere to the principle of data minimization, which means:

  • Collection Limitation: Only collecting personal information that is necessary and relevant for the intended purposes.
  • Purpose Specification: Ensuring that personal information is collected for specific, legitimate purposes and not used in ways that are incompatible with those purposes.

3.5 Accuracy

We strive to keep personal information accurate and up-to-date by:

  • Verification: Implementing procedures to verify the accuracy of personal information at the time of collection.
  • Updating Information: Encouraging data subjects to update their personal information when necessary to maintain accuracy.

By adhering to these practices, we aim to respect and protect the personal information of our data subjects in accordance with the Protection of Personal Information Act (POPIA).

4. Use and Processing of Personal Information

4.1 Purpose Limitation

Creek Books commits to using personal information solely for the specific purposes for which it was collected. This includes, but is not limited to:

  • Providing and managing services and products.
  • Processing transactions and payments.
  • Communicating with data subjects about their inquiries or requests.
  • Complying with legal obligations and regulatory requirements.

Personal information will not be used for purposes beyond those explicitly stated at the time of collection, unless the data subject has given consent for additional uses.

4.2 Data Minimization

Creek Books adheres to the principle of data minimization by ensuring that personal information collected is adequate, relevant, and limited to what is necessary for the intended purposes. This means:

  • Collecting only the minimum amount of personal information required to fulfill the specified purposes.
  • Avoiding the collection of unnecessary or excessive personal information.
  • Reviewing the data collection processes regularly to ensure compliance with this principle.

4.3 Accuracy

Creek Books is committed to maintaining the accuracy and completeness of personal information. To achieve this:

  • We will implement procedures to verify the accuracy of personal information at the time of collection.
  • We will provide data subjects with opportunities to update or correct their personal information.
  • We will regularly review and update personal information to ensure it remains accurate and relevant for the purposes for which it is processed.

4.4 Data Retention

Creek Books will retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law. This includes:

  • Setting retention periods based on the nature of the personal information and the purpose of processing.
  • Implementing procedures for securely deleting or anonymizing personal information once it is no longer needed or when the retention period expires.
  • Ensuring compliance with legal and regulatory requirements regarding data retention and disposal.

4.5 Processing by Third Parties

When personal information is processed by third parties on behalf of Creek Books, we will:

  • Ensure that third parties adhere to data protection standards consistent with POPIA through data processing agreements or contracts.
  • Require that third parties implement appropriate measures to safeguard personal information and to process it only for the purposes specified in the agreement.
  • Regularly review and audit third-party compliance to ensure ongoing adherence to data protection requirements.

4.6 Consent and Transparency

Creek Books will obtain explicit consent from data subjects where required, particularly for processing personal information that is not necessary for the performance of a contract or compliance with legal obligations. We will:

  • Provide clear and transparent information to data subjects about the purposes of processing and their rights regarding their personal information.
  • Offer easy-to-understand consent forms and options for data subjects to withdraw their consent at any time.

4.7 Data Processing Practices

Our data processing practices are designed to ensure compliance with POPIA and include:

  • Implementing robust data protection measures to prevent unauthorized access, loss, or damage to personal information.
  • Ensuring that all employees and contractors involved in processing personal information are trained in data protection practices and understand their responsibilities.
  • Monitoring and evaluating processing activities to ensure they remain compliant with this policy and applicable regulations.

5. Storage and Security

5.1 Data Storage

  • 5.1.1 Secure Storage: All personal information must be stored securely using appropriate physical, administrative, and technical measures. Physical records containing personal information should be kept in locked, secure locations with restricted access.
  • 5.1.2 Electronic Storage: Electronic personal information should be stored encrypted at rest, with the encryption keys held and managed separately from the data they protect, and protected by strong authentication (multi-factor authentication for administrative and remote access) and access controls. Systems holding personal information must be kept patched, placed behind a firewall that exposes only the services that are required, and protected by up-to-date endpoint protection. Encryption at rest does not protect data from a user or application that is authorised to read it, so it complements rather than replaces access control.
  • 5.1.3 Backup: Regular backups of personal information must be taken so that data can be recovered in the event of loss or corruption. Backups are copies of personal information and are subject to the same access controls, encryption, retention periods and secure disposal as the primary data; they should be stored separately from the systems they protect, and restores should be tested periodically so that the backups are known to be usable.

5.2 Security Measures

  • 5.2.1 Access Controls: Access to personal information must be restricted to authorized personnel only. Role-based access controls should be implemented so that employees have access only to the information necessary for their job functions; access rights must be reviewed periodically, removed promptly when a role changes or employment ends, and access to systems holding personal information must be logged so that unauthorized access can be detected and investigated.
  • 5.2.2 Data Encryption: Personal information must be encrypted in transit (for example by TLS on web, API and email connections) and at rest, using current, standard algorithms and protocols, with obsolete protocol versions and ciphers disabled. Encryption keys must be generated, stored, rotated and revoked under documented procedures, since encrypted data is only as well protected as its keys.
  • 5.2.3 Physical Security: Secure all physical locations where personal information is stored. This includes implementing access control measures, surveillance, and other physical security practices.
  • 5.2.4 Administrative Controls: Implement and maintain administrative controls such as policies, procedures, and training to ensure that personal information is handled in accordance with this policy and POPIA.

5.3 Data Retention

  • 5.3.1 Retention Periods: Personal information should only be retained for as long as necessary to fulfill the purposes for which it was collected, comply with legal requirements, or as specified in contracts. Specific retention periods for different types of personal information should be established and documented.
  • 5.3.2 Secure Disposal: When personal information is no longer required or has reached the end of its retention period, it must be securely disposed of. Physical documents must be shredded or otherwise destroyed to prevent unauthorized access. Electronic data must be deleted in a way that makes it unrecoverable: ordinary deletion or reformatting is not sufficient, and overwriting is not reliable on solid-state drives or on cloud storage that we do not physically control, so such data should be disposed of by securely erasing or physically destroying the media, by using the storage provider's documented deletion controls, or by destroying the encryption keys of data that was encrypted at rest. Disposal must cover every copy, including backups, logs, exports and copies held by Operators. Section 14 of POPIA requires that records be destroyed, deleted or de-identified as soon as reasonably practicable once we are no longer authorised to retain them, in a manner that prevents their reconstruction in an intelligible form.
  • 5.3.3 Regular Reviews: Conduct regular reviews of stored personal information to ensure that retention periods are being adhered to and that unnecessary data is securely disposed of.

5.4 Incident Response

  • 5.4.1 Monitoring: Continuously monitor for potential security threats and vulnerabilities that could impact the security of personal information.
  • 5.4.2 Response Plan: Develop and maintain an incident response plan to address any security breaches or incidents involving personal information. Ensure that the plan includes procedures for identifying, containing, and mitigating the effects of a data breach.
  • 5.4.3 Reporting: Immediately report any suspected or actual security incident to the designated Information Officer (or a Deputy Information Officer). Follow up with a detailed investigation and remediation actions as outlined in the incident response plan.

5.5 Compliance

  • 5.5.1 Regular Audits: Conduct regular audits of storage and security practices to ensure compliance with POPIA and internal policies. Address any identified gaps or deficiencies promptly.
  • 5.5.2 Policy Updates: Update storage and security practices as necessary to address changes in technology, legal requirements, or organizational needs. Ensure that all changes are documented and communicated to relevant personnel.

6. Access and Correction

6.1 Access Rights

  • 6.1.1 Data subjects have the right to access their personal information that is held by Creek Books. This includes the right to request confirmation of whether their personal information is being processed and to obtain a copy of such information.
  • 6.1.2 Requests for access to personal information must be submitted in writing to the Information Officer at [insert contact details]. The request should include sufficient detail to enable us to locate the information requested.
  • 6.1.3 Creek Books will respond to access requests within the period prescribed by POPIA, which applies the procedure of the Promotion of Access to Information Act (PAIA) to requests for access to personal information: a decision and the requested information within 30 days of receiving a valid request, extendable once by up to a further 30 days where the request is large or complex, with written notice of the extension and its reasons given to the data subject. The information will be provided in a form that is easy to understand.

6.2 Correction and Deletion

  • 6.2.1 Data subjects have the right to request corrections or updates to their personal information if it is inaccurate, incomplete, or outdated. Such requests should be submitted in writing to the Information Officer, detailing the specific corrections required.
  • 6.2.2 Creek Books will review and verify the accuracy of the requested corrections and will update personal information accordingly. If a request for correction is denied, we will provide the reasons for the denial.
  • 6.2.3 Data subjects may also request the deletion of their personal information if it is no longer necessary for the purposes for which it was collected, or if they withdraw their consent upon which the processing is based. Requests for deletion should be submitted in writing to the Information Officer.
  • 6.2.4 Creek Books will assess deletion requests in line with legal and regulatory requirements and will take appropriate actions to remove the personal information from our records, except where retention is required for compliance with legal obligations or for the establishment, exercise, or defense of legal claims.

6.3 Verification Process

  • 6.3.1 To protect personal information and ensure it is only accessed or corrected by authorized individuals, Creek Books may require data subjects to provide proof of identity before processing access or correction requests.
  • 6.3.2 This verification process will help safeguard against unauthorized access and ensure that personal information is not altered or deleted inappropriately.

6.4 Response Time

  • 6.4.1 Creek Books is committed to processing access and correction requests promptly. Access requests will be answered within 30 days of receipt of a valid request, the period PAIA prescribes and POPIA applies to access to personal information. Requests for correction or deletion will be acted on as soon as reasonably practicable, as section 24 of POPIA requires, and the data subject will be told what action was taken.
  • 6.4.2 If additional time is required to process an access request, we will inform the data subject in writing of the reasons for the delay and provide an estimated completion date, within the single extension of up to 30 days that PAIA permits.

7. Sharing and Disclosure

7.1 Third-Party Sharing:

  • Conditions for Sharing: Personal information may be shared with third parties only if it is necessary for the purpose for which it was collected or as required by law. Such sharing will be conducted under strict conditions to ensure compliance with POPIA.
  • Due Diligence: Before sharing personal information with third parties, a thorough assessment will be conducted to ensure that the third party has appropriate measures in place to protect the personal information in accordance with POPIA.

7.2 Data Processing Agreements:

  • Requirements: Any third party that processes personal information on behalf of the organization must enter into a Data Processing Agreement (DPA) with the organization. The DPA will include provisions to ensure the third party complies with POPIA and implements adequate security measures.
  • Content of Agreements: The DPA will be a written contract, as section 21 of POPIA requires, and will specify the scope, nature, and purpose of the processing, the duration of processing, and the obligations and rights of both parties. It will require the third party to process personal information only with our knowledge or authorisation and only for the agreed purposes, to treat the information as confidential, to establish and maintain the security measures required by section 19 of POPIA, to notify us immediately where there are reasonable grounds to believe the information has been accessed or acquired by an unauthorised person, to return or securely destroy the information when the agreement ends, and to allow us to verify its compliance.

7.3 Cross-Border Transfers:

  • Conditions for Transfers: Personal information may be transferred to a third party in a foreign country only on one of the grounds in section 72 of POPIA: the recipient is subject to a law, binding corporate rules or a binding agreement that provides a level of protection substantially similar to POPIA, including restrictions on onward transfer; the data subject consents to the transfer; the transfer is necessary for the performance of a contract between the data subject and our organization, or for pre-contractual steps taken at the data subject's request; the transfer is necessary for a contract concluded in the interest of the data subject between our organization and a third party; or the transfer is for the benefit of the data subject, it is not reasonably practicable to obtain consent, and consent would likely be given. POPIA does not work from a list of "adequate" countries, so the adequacy of the protection must be assessed for each recipient.
  • Safeguards: Where the transfer relies on a binding agreement, the organization will ensure that contractual clauses are in place that bind the recipient to protect the information in a manner substantially similar to POPIA, including in respect of any onward transfer by the recipient.
  • Notification: Data subjects will be informed of any cross-border transfers of their personal information and the associated risks.

7.4 Disclosure to Authorities:

  • Legal Obligations: Personal information may be disclosed to government authorities, law enforcement agencies, or regulatory bodies as required by law or to comply with legal obligations.
  • Process: Disclosures to authorities will be handled in accordance with applicable laws and regulations, and only to the extent necessary to fulfill legal or regulatory requirements.

7.5 Exceptions:

  • Emergency Situations: Personal information may be disclosed without consent in emergency situations where the life or safety of an individual is at risk, and such disclosure is necessary to protect the individual or others.
  • Preventing Harm: Disclosure may also be made where it is necessary to prevent or mitigate serious harm, including fraud or other criminal activities, in compliance with applicable legal requirements.

8. Data Subject Rights

8.1 Right to Access

  • Data subjects have the right to access their personal information that is held by our organization. They can request to review or obtain copies of their personal information. To exercise this right, data subjects must submit a formal request to the Information Officer or designated contact person, providing sufficient details to facilitate the request. We will respond to such requests within the timeframe stipulated by POPIA.

8.2 Right to Correction

  • Data subjects have the right to request the correction of their personal information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. To request a correction, data subjects should contact the Information Officer with the relevant details and documentation supporting the need for correction. In accordance with section 24 of POPIA we will review the request and then correct the information, or provide credible evidence in support of the information as held, or, where no agreement can be reached, attach the data subject's request to the information so that it is always read with it. Where corrected information has previously been disclosed to third parties, we will inform them of the correction where reasonably practicable, and we will notify the data subject of the action taken.

8.3 Right to Deletion

  • Data subjects may request the deletion of their personal information where it is no longer necessary for the purposes for which it was collected, or if they withdraw their consent (where applicable). Requests for deletion should be directed to the Information Officer, who will assess the request based on legal and operational considerations. We will delete the personal information or inform the data subject of any reasons for not fulfilling the request.

8.4 Right to Object

  • Data subjects have the right, under section 11(3) of POPIA, to object at any time, on reasonable grounds relating to their particular situation, to the processing of their personal information that is based on our legitimate interests or on a public law duty, unless legislation provides for such processing, and to object at any time and without giving reasons to processing for the purposes of direct marketing. To exercise this right, data subjects should submit an objection to the Information Officer, detailing their concerns. Once a valid objection has been received we may no longer process the personal information for that purpose.

8.5 Right to Restrict Processing

  • Data subjects may request the restriction of processing their personal information under certain circumstances, such as when they contest the accuracy of the information or when processing is unlawful but they prefer restriction over deletion. Requests for restriction should be made to the Information Officer, who will evaluate the request and implement restrictions as appropriate.

8.6 Right to Data Portability

  • Where applicable, data subjects may request the transfer of their personal information to another organization or responsible party, receiving it in a structured, commonly used, and machine-readable format. POPIA itself does not create a general right to data portability, so this right is offered where it is technically feasible or is required by other law applicable to the data subject. Requests for data portability should be directed to the Information Officer, who will facilitate the transfer in accordance with legal and technical requirements.

8.7 Exercising Data Subject Rights

  • To exercise any of the above rights, data subjects should submit a written request to the Information Officer at support@creekbooks.app. We will verify the identity of the requester before processing their request to ensure that personal information is not disclosed to unauthorized individuals.

8.8 Response Time

  • We are committed to responding to all requests concerning data subject rights within the timeframe required by POPIA: access requests within 30 days of receipt, as PAIA prescribes, and correction, deletion and objection requests as soon as reasonably practicable. In cases where additional time is required for an access request, we will inform the data subject in writing of the delay and provide an updated response timeline.

8.9 Complaints

  • If data subjects are dissatisfied with our handling of their personal information or their request, they have the right to lodge a complaint with the Information Regulator. 

9. Data Breach Management

9.1 Incident Reporting

In the event of a suspected or actual data breach involving personal information, the following steps should be taken:

  • Immediate Notification: Employees must immediately report any data breach or incident involving personal information to the designated Information Officer (or a Deputy Information Officer). Reports should be made as soon as the breach is identified, and no later than 24 hours after discovery.
  • Initial Report: The initial report should include details of the incident, such as the nature of the breach, the type of personal information involved, the number of affected individuals, and any known or suspected causes.

9.2 Assessment and Investigation

Upon receiving a data breach report, the following actions will be taken:

  • Assessment: The Information Officer will assess the severity and impact of the breach, including the potential harm to affected individuals and any legal or regulatory implications.
  • Investigation: A thorough investigation will be conducted to determine the cause of the breach, the scope of the affected data, and any weaknesses in existing security measures. This investigation may involve forensic analysis and consultation with external experts if necessary.

9.3 Containment and Remediation

To mitigate the impact of the breach, the following steps will be taken:

  • Containment: Immediate measures will be implemented to contain the breach and prevent further unauthorized access or dissemination of personal information. This may involve isolating or shutting down affected systems and revoking or rotating any credentials, access tokens, API keys or encryption keys that may have been exposed, not only changing passwords. Logs and other evidence must be preserved before affected systems are wiped or rebuilt, so that the investigation and any regulatory reporting can be supported.
  • Remediation: Based on the findings of the investigation, appropriate remediation measures will be taken to address the vulnerabilities that led to the breach. This may include updating security protocols, enhancing staff training, and implementing new security technologies.

9.4 Notification

In compliance with POPIA and any other applicable regulations, the following notifications will be made:

  • To Affected Individuals: Section 22 of POPIA requires that, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the affected data subjects be notified in writing as soon as reasonably possible after the compromise is discovered, unless their identity cannot be established. The notification will be sent by one of the means section 22 permits (mail to the last known physical or postal address, email, prominent placement on our website, publication in the news media, or as the Information Regulator directs) and will include sufficient information to allow data subjects to protect themselves, including a description of the possible consequences of the breach, the measures we have taken or intend to take, recommended steps for the data subject, and, if known, the identity of the unauthorised person. Notification may be delayed only where the South African Police Service, the Information Regulator or another public body determines that it would impede a criminal investigation.
  • To the Information Regulator: The same compromise must be notified to the Information Regulator as soon as reasonably possible after discovery; POPIA sets no harm threshold for this notification and no fixed deadline, and we set an internal target of notifying the Regulator within 72 hours of becoming aware of the breach. The notification will include details of the breach, the personal information and number of data subjects affected, and the measures taken to address the breach.

9.5 Documentation and Reporting

All incidents and responses will be documented as follows:

  • Incident Log: A detailed log of the breach, including the timeline of events, the individuals involved, and the actions taken, will be maintained for accountability and auditing purposes.
  • Post-Incident Report: A comprehensive report will be prepared after the breach has been managed, outlining the causes, impacts, and responses. This report will be reviewed to improve future data protection measures and will be made available to senior management.

9.6 Review and Improvement

Following a data breach, the organization will:

  • Review Policies and Procedures: Conduct a review of existing data protection policies and procedures to identify any areas for improvement.
  • Implement Changes: Make necessary changes to strengthen data protection measures and prevent future breaches. This may involve updating security technologies, revising procedures, and enhancing staff training.

10. Training and Awareness

10.1 Employee Training

To ensure that all employees are well-informed and compliant with the Protection of Personal Information Act (POPIA), the following training initiatives will be implemented:

  • 10.1.1 Mandatory POPIA Training: All employees, contractors, and third-party vendors who handle personal information must complete mandatory POPIA training upon hiring. This training will cover the principles of POPIA, the importance of data protection, and the specific responsibilities of employees in managing personal information.
  • 10.1.2 Refresher Courses: Regular refresher courses will be conducted at least annually to update employees on any changes in POPIA regulations, new data protection practices, or updates to the organization’s data protection policies.
  • 10.1.3 Specialized Training: Employees in roles with heightened responsibilities for data processing (e.g., IT, HR, compliance officers) will receive specialized training tailored to their specific functions. This training will focus on advanced data protection techniques, risk management, and incident response procedures.
  • 10.1.4 Training Records: The organization will maintain comprehensive records of all training sessions, including participant lists, training materials, and assessment results. These records will be used to track compliance and identify areas for improvement.

10.2 Awareness Programs

To foster a culture of data protection and ensure ongoing awareness among employees, the following programs will be implemented:

  • 10.2.1 Data Protection Awareness Campaigns: Regular campaigns will be conducted to reinforce the importance of personal information protection. These campaigns may include newsletters, posters, and digital communications highlighting key data protection principles and best practices.
  • 10.2.2 Interactive Workshops and Seminars: Periodic workshops and seminars will be organized to engage employees in discussions about real-world scenarios, common data protection challenges, and effective solutions. These interactive sessions will encourage active participation and knowledge sharing.
  • 10.2.3 Incident Awareness: Employees will be educated about the importance of reporting potential data breaches or security incidents promptly. Clear guidelines will be provided on how to recognize and report such incidents, and the role of each employee in mitigating data protection risks.
  • 10.2.4 Feedback Mechanisms: Employees will be encouraged to provide feedback on the effectiveness of the training and awareness programs. Feedback will be collected through surveys, suggestion boxes, and regular meetings to continuously improve the programs.

10.3 Responsibilities

  • 10.3.1 Information Officer: The designated Information Officer will oversee the development, implementation, and effectiveness of the training and awareness programs. They will ensure that training materials are up-to-date and relevant.
  • 10.3.2 Managers and Supervisors: Managers and supervisors are responsible for ensuring their teams complete required training and participate in awareness programs. They will also support and reinforce data protection practices within their departments.
  • 10.3.3 Employees: All employees are expected to actively participate in training and awareness initiatives, apply data protection principles in their daily work, and contribute to maintaining a secure and compliant work environment.

By committing to comprehensive training and awareness efforts, our organization aims to foster a culture of data protection and ensure that all individuals handling personal information are equipped with the knowledge and skills to uphold POPIA standards.

11. Compliance and Monitoring

11.1 Compliance Audits

To ensure ongoing compliance with the Protection of Personal Information Act (POPIA), our organization will conduct regular audits of our personal information management practices. These audits will:

  • 11.1.1 Frequency: Be conducted at least annually or more frequently as required by changes in legislation or business operations.
  • 11.1.2 Scope: Review adherence to the POPIA policy, evaluate the effectiveness of data protection measures, and assess the handling of personal information.
  • 11.1.3 Auditor: Be performed by the Information Officer, a Compliance Officer acting under the Information Officer's authority, or an external auditor specializing in data protection and privacy laws.
  • 11.1.4 Reporting: Include detailed audit reports outlining findings, recommendations for improvements, and action plans to address any identified issues.

11.2 Monitoring

Our organization will implement continuous monitoring practices to ensure compliance with POPIA and maintain high standards of personal information protection. Monitoring activities will:

  • 11.2.1 Regular Reviews: Involve ongoing reviews of personal information handling practices, including data collection, processing, storage, and sharing.
  • 11.2.2 Compliance Checks: Include periodic checks to ensure that personal information is processed according to the principles of data protection, including purpose limitation, data minimization, and accuracy.
  • 11.2.3 Incident Tracking: Track and record any incidents or breaches involving personal information to assess response effectiveness and prevent future occurrences.
  • 11.2.4 Performance Metrics: Utilize performance metrics and key performance indicators (KPIs) to evaluate the effectiveness of data protection measures and identify areas for improvement.

11.3 Reporting and Accountability

To uphold accountability and transparency, the following procedures will be followed:

  • 11.3.1 Internal Reporting: Employees are required to report any concerns or suspected breaches of the POPIA policy to their direct supervisor or the designated Compliance Officer.
  • 11.3.2 Escalation: Reports will be reviewed and, if necessary, escalated to senior management for further investigation and resolution.
  • 11.3.3 Documentation: All compliance and monitoring activities, including audit results and incident reports, will be documented and securely stored.
  • 11.3.4 Corrective Actions: Any non-compliance issues identified during audits or monitoring will be addressed through corrective actions, including updates to policies, procedures, and employee training.

11.4 Continuous Improvement

Our organization is committed to continuously improving our data protection practices. We will:

  • 11.4.1 Feedback: Gather feedback from audits, monitoring activities, and employee input to enhance our POPIA compliance efforts.
  • 11.4.2 Policy Updates: Review and update the POPIA policy and related procedures as needed to reflect changes in legislation, industry standards, and organizational practices.

By adhering to these compliance and monitoring practices, our organization aims to maintain robust data protection measures and ensure that personal information is handled in accordance with the principles of POPIA.

12. Policy Review and Updates

12.1 Review Cycle

This Protection of Personal Information Act (POPIA) Policy will be reviewed annually or more frequently if necessary, to ensure its continued relevance and effectiveness. The review process will assess the policy's alignment with current legislation, industry standards, and organizational practices.

12.2 Amendments

Any amendments to the policy will be made in response to changes in legal requirements, business processes, or emerging risks. Proposed changes will be evaluated by the designated Information Officer or compliance team and must be approved by senior management before implementation.

12.3 Notification of Updates

All employees, contractors, and relevant third parties will be notified of significant updates to the policy. Notification will be conducted through internal communications channels, such as email or the company intranet, and will include details of the changes made.

12.4 Documentation of Revisions

A record of all revisions to the policy will be maintained, including the date of the update, a summary of changes, and the approving authority. This record will be available for review upon request.

12.5 Feedback and Continuous Improvement

Feedback on the policy and its implementation is encouraged and can be submitted to the Information Officer. This feedback will be considered during policy reviews to promote continuous improvement and ensure that the policy effectively protects personal information.

13. Contact Information

13.1 Information Officer

For any questions, concerns, or requests related to the Protection of Personal Information Act (POPIA), please contact our designated Information Officer:

  • Name: Tebogo Magolego
  • Email: tebogo@lamasco.co.za
  • Phone Number: 0877001846
  • Office Address: Block 4, 150 Rivonia Road, Morningside, Sandton, 2196

13.2 Queries and Complaints

If you have any queries or wish to lodge a complaint regarding the processing of your personal information or our compliance with POPIA, please reach out to our Information Officer using the contact details above.

13.3 Additional Information

For further information on your rights under POPIA or to access additional resources, please visit our website at www.creekbooks.app or contact our Information Officer directly.

13.4 Data Subject Requests

Requests for access, correction, or deletion of personal information can be submitted to our Information Officer. Please include sufficient detail in your request to assist us in processing it effectively.

14. Sign-Off

14.1 Approval

This Protection of Personal Information Act (POPIA) Policy has been reviewed and approved by the Board of Directors/Executive Management of Lamasco Group as of 12 August 2024. This policy is effective from 12 August 2024.

Signature:

Name: Tebogo Magolego
Title: Managing Director

14.2 Acknowledgment

All employees, contractors, and third parties handling personal information are required to read and acknowledge this policy. By signing below, you confirm that you have read, understood, and agree to comply with the terms outlined in this POPIA Policy.