POPIA Compliance Policy
PURPOSE
The purpose of this policy is to outline how nVisionIT Group Companies comply with the Protection of Personal Information Act, 4 of 2013 (POPIA), including how personal information is collected, processed, stored, safeguarded, and disposed of.
Our organisation has long valued the confidentiality of all personal information and voluntarily implemented POPIA-aligned controls prior to the Act's enforcement date.
SCOPE
This policy applies to:
- All nVisionIT Group Companies (South Africa and Mauritius)
- All employees, contractors, interns, and temporary staff
- All client, supplier, partner, and employee information processed by nVisionIT
- All systems, platforms, websites, and digital tools where personal information is processed
- Website Privacy Statement
- AI Usage & Security Policies
- Records Management / Control of Records
- Data Protection Notices
- Contracts, SLAs, and NDAs
nVisionIT adheres to the eight conditions for lawful processing of personal information:
Accountability
nVisionIT accepts full responsibility for ensuring POPIA compliance across all business processes, systems, and engagements.
Processing Limitation
Personal information is processed:
- Lawfully
- Minimally
- Only for defined, explicit purposes
- With the consent of data subjects where required
Information is collected for legitimate business, operational, contractual, or legal purposes only.
Further Processing Limitation
Information is not used for purposes incompatible with the original purpose of collection.
Information Quality
We take reasonable steps to ensure information is accurate, complete, relevant, and up to date.
Openness
Data subjects are informed of:
- What information is collected
- Why it is collected
- How it will be used
- With whom it may be shared
nVisionIT maintains appropriate organisational and technical security measures to protect personal information, including:
- Access controls
- Encryption
- Secure tenant-bound environments (Microsoft 365, Azure)
- No unauthorised disclosure or transfer of personal information to AI tools or external systems
Data subjects may request:
- Access to their personal information
- Correction or deletion
- Withdrawal of consent (where applicable)
Depending on context, we may process:
- Identity information
- Contact information
- Employment information
- Client data contained within systems we manage
- Supplier information
- Website and digital interaction data
SECURITY OF PERSONAL INFORMATION
Security controls include:
- Secure Microsoft 365 tenant and Azure environments
- Controlled access to systems and project assets
- Internal data protection and record control procedures
- Encryption in transit and at rest
- No use of public, unapproved AI tools for any personal or client data
- Logging and monitoring of system access
- Incident response protocols
Personal information may only be shared with:
- Authorised employees
- Service providers under contract with POPIA clauses
- Legal or regulatory authorities where required
CROSS-BORDER TRANSFER OF INFORMATION
Cross-border transfers occur only where:
- Such transfer is necessary for service delivery
- Equivalent data protection measures exist
- Contracts include cross-border POPIA clauses
- Explicit consent is obtained where required
Personal information is retained only for the period necessary to fulfil the purpose for which it was collected or as required by law. Retention and disposal are governed by nVisionIT's Control of Records standards referenced internally.
DATA SUBJECT RIGHTS
Data subjects have the right to:
- Request access to their personal data
- Request correction or deletion
- Object to processing
- Withdraw consent
- Submit a complaint to the Information Regulator
WEBSITE PRIVACY AND POPIA NOTICES
The nVisionIT website includes a POPIA-aligned privacy notice and links to this policy as required by internal communication guidance.
BREACH NOTIFICATION
Any suspected or actual data breach must be reported immediately. If personal information is compromised, nVisionIT will notify:
- The affected data subjects
- The Information Regulator
ROLES AND RESPONSIBILITIES
Governance
- Oversees POPIA compliance
- Maintains policies, notices, and procedures
- Enforce technical safeguards
- Manage access control and secure environments
- Must follow this policy and all related security controls
- Must not expose personal or client data to unauthorised systems
- Must report suspected breaches immediately
This policy is reviewed annually or when regulatory, organisational, or operational changes require updates.