Privacy & POPIA Compliance
How nVisionIT Group Companies collect, process, safeguard and dispose of personal information under POPIA.
Purpose
This policy outlines how nVisionIT Group Companies comply with the Protection of Personal Information Act, 4 of 2013 (POPIA), including how personal information is collected, processed, stored, safeguarded and disposed of. Our organisation has long valued the confidentiality of personal information and voluntarily implemented POPIA-aligned controls prior to the Act’s enforcement date.
Scope
This policy applies to all nVisionIT Group Companies (South Africa and Mauritius); all employees, contractors, interns and temporary staff; all client, supplier, partner and employee information processed by nVisionIT; and all systems, platforms, websites and digital tools where personal information is processed. It complements other governance documents including the Website Privacy Statement, AI Usage & Security Policies, Records Management, Data Protection Notices, and contracts, SLAs and NDAs.
POPIA principles
nVisionIT adheres to the eight conditions for lawful processing of personal information:
- Accountability: we accept full responsibility for POPIA compliance across all business processes, systems and engagements.
- Processing limitation: information is processed lawfully, minimally, only for defined explicit purposes, and with consent where required.
- Purpose specification: information is collected for legitimate business, operational, contractual or legal purposes only.
- Further processing limitation: information is not used for purposes incompatible with the original purpose of collection.
- Information quality: we take reasonable steps to ensure information is accurate, complete, relevant and up to date.
- Openness: data subjects are informed of what is collected, why, how it will be used and with whom it may be shared.
- Security safeguards: appropriate organisational and technical measures protect personal information, including access controls, encryption and secure tenant-bound environments (Microsoft 365, Azure), with no unauthorised disclosure or transfer to AI tools or external systems.
- Data-subject participation: data subjects may request access, correction or deletion, and may withdraw consent where applicable.
Lawful basis & security of processing
Depending on context we may process identity, contact and employment information, client data within systems we manage, supplier information and website interaction data, applying data minimisation throughout. Security controls include secure Microsoft 365 and Azure environments, controlled access to systems and project assets, internal data-protection and record-control procedures, encryption in transit and at rest, no use of public or unapproved AI tools for personal or client data, logging and monitoring of system access, and incident-response protocols.
Sharing & cross-border transfer
Personal information may only be shared with authorised employees, service providers under contract with POPIA clauses, and legal or regulatory authorities where required. nVisionIT does not sell or share personal information with external parties for marketing purposes. Cross-border transfers occur only where necessary for service delivery, where equivalent data-protection measures exist, where contracts include cross-border POPIA clauses, and where explicit consent is obtained where required.
Retention, disposal & data-subject rights
Personal information is retained only for the period necessary to fulfil the purpose for which it was collected or as required by law, governed by nVisionIT’s Control of Records standards. Data subjects have the right to request access, correction or deletion, to object to processing, to withdraw consent, and to submit a complaint to the Information Regulator. Requests may be submitted via the nVisionIT website or through a designated Account Manager.
Breach notification
Any suspected or actual data breach must be reported immediately. If personal information is compromised, nVisionIT will notify the affected data subjects and the Information Regulator within the timelines and formats required by POPIA.
Roles & responsibilities
Governance oversees POPIA compliance and maintains policies, notices and procedures; IT & Security teams enforce technical safeguards and manage access control and secure environments; employees and contractors must follow this policy and all related controls, must not expose personal or client data to unauthorised systems, and must report suspected breaches immediately.
Questions about how we handle your data?
Our team can walk you through our data-protection approach, hosting options and data-subject request process.