POPIA Compliance

Protection of Personal Information Act (South Africa)

Our Commitment to POPIA Compliance

VUNA Exchange Ltd (Company No. 16840719), incorporated in England and Wales, is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and its regulations. As a platform facilitating business relationships with South African BPO providers and processing personal information of South African data subjects, we recognize our responsibilities as a responsible party under POPIA.

This document outlines our POPIA compliance framework, the rights of data subjects under South African law, and our commitment to the lawful processing of personal information in accordance with the eight conditions for lawful processing.

1. The Eight Conditions for Lawful Processing

Condition 1: Accountability

We ensure responsible processing by:

  • Appointing an Information Officer responsible for POPIA compliance
  • Maintaining comprehensive processing records and documentation
  • Conducting regular compliance audits and assessments
  • Implementing privacy governance frameworks
  • Training staff on POPIA obligations and best practices

Condition 2: Processing Limitation

Personal information is processed lawfully and in a reasonable manner that does not infringe privacy rights. We process information only:

  • With Consent: Where you have provided voluntary, specific, and informed consent
  • For Contract Performance: Necessary for entering into or performing under our Services agreement
  • Legal Obligation: Required for compliance with South African and international laws
  • Legitimate Interests: Pursuing our legitimate interests (fraud prevention, security) that do not override your fundamental rights
  • Public Interest: Performing functions in the public interest

Condition 3: Purpose Specification

Personal information is collected for specific, explicitly defined, and lawful purposes:

  • Account creation and identity verification
  • Business matchmaking and partner recommendations
  • Facilitating secure communications between parties
  • Compliance verification and due diligence
  • Platform security and fraud prevention
  • Legal and regulatory compliance
  • Service improvement and analytics (anonymized)

We do not process information for secondary purposes incompatible with the original purposes unless new consent is obtained.

Condition 4: Further Processing Limitation

Further processing must be compatible with the original purpose. We assess compatibility by considering the relationship between purposes, the nature of information, consequences for data subjects, and the manner of further processing. Incompatible further processing requires new consent or legal justification.

Condition 5: Information Quality

We ensure personal information is:

  • Complete: Adequate for the intended purpose
  • Accurate: Correct and up to date
  • Not Misleading: Truthful and not deceptive
  • Updated: Regularly reviewed and corrected when necessary

Users can update their information through account settings. We verify critical information through documentation and third-party sources.

Condition 6: Openness

We maintain transparent documentation of processing activities, including:

  • Identity and contact details of the responsible party and Information Officer
  • Types of personal information held and categories of data subjects
  • Purposes of processing
  • Description of recipients and cross-border transfers
  • Security measures to protect information
  • Data subject rights and how to exercise them

This information is freely available through our Privacy Policy and on request.

Condition 7: Security Safeguards

We implement appropriate technical and organizational measures to secure personal information:

  • Prevent Loss: Regular backups, redundant systems, disaster recovery
  • Damage Protection: Physical and digital security measures
  • Unauthorized Access: Access controls, authentication, authorization protocols
  • Interference Prevention: Intrusion detection, monitoring, incident response
  • Encryption: TLS/SSL for transmission, AES-256 for storage
  • Monitoring: 24/7 security monitoring and threat detection

Condition 8: Data Subject Participation

Data subjects have the right to:

  • Request confirmation of whether we hold their personal information
  • Request access to their personal information
  • Request correction, destruction, or deletion of personal information
  • Object to processing in certain circumstances
  • Lodge complaints with the Information Regulator

We respond to requests within reasonable timeframes, generally within 30 days, and provide reasons for any refusal.

2. Data Subject Rights Under POPIA

Right to be Notified

You have the right to be notified when your personal information is collected, including the purpose, intended recipients, whether provision is voluntary or mandatory, and consequences of refusal.

Right of Access

You may request confirmation of what personal information we hold, access to that information, and information about third parties who have accessed it. A prescribed fee may apply for access requests.

Right to Correction and Deletion

You may request correction of inaccurate, irrelevant, excessive, outdated, incomplete, misleading, or unlawfully obtained information. You may also request deletion where we are no longer authorized to retain it.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Lodge Complaints

You have the right to lodge complaints with us or directly with the Information Regulator of South Africa regarding alleged infringements of POPIA.

3. Special Personal Information

POPIA recognizes certain categories as "special personal information" requiring heightened protection:

Categories of Special Personal Information

  • Religious or philosophical beliefs
  • Race or ethnic origin
  • Trade union membership
  • Political persuasion
  • Health or sex life
  • Biometric information
  • Criminal behavior

VUNA Exchange does not typically collect special personal information. If collection becomes necessary for specific purposes, we will:

  • Obtain explicit consent
  • Clearly communicate the purpose and necessity
  • Implement enhanced security measures
  • Limit access to authorized personnel only
  • Process only to the extent necessary

4. Children's Personal Information

POPIA provides special protections for children's personal information. VUNA Exchange is a B2B platform not directed at children under 18. We do not knowingly collect personal information from children.

If we become aware of collection from a child without appropriate parental/guardian consent, we will take steps to delete such information promptly.

5. Cross-Border Information Transfers

POPIA Section 72 regulates transborder information flows. We transfer personal information outside South Africa only when:

  • Adequate Protection: Recipient is subject to laws providing substantially similar protection (e.g., UK GDPR-compliant countries)
  • Binding Instruments: Binding corporate rules or contractual arrangements approved by the Information Regulator
  • Consent: You have consented to the transfer after being informed of potential risks
  • Legal Requirements: Transfer necessary for contract performance, legal proceedings, or public interest

For transfers to the United Kingdom and European Economic Area, we rely on adequacy determinations and standard contractual clauses ensuring equivalent protection.

6. Security Compromise Notification

In accordance with Section 22 of POPIA, if we have reasonable grounds to believe that personal information has been accessed or acquired by unauthorized persons, we will:

6.1 Notify the Information Regulator

Report the compromise to the Information Regulator as soon as reasonably possible after discovery.

6.2 Notify Affected Data Subjects

Inform affected individuals unless the Information Regulator directs otherwise, providing:

  • Description of the compromise and information involved
  • Potential consequences and harm
  • Measures taken to address the compromise
  • Recommendations for mitigating harm
  • Contact details for further information

6.3 Public Notification

Where direct notification is not feasible or the Information Regulator determines public interest requires broader awareness, we will make public announcements through appropriate channels.

7. Direct Marketing

We comply with Section 69 regarding direct marketing:

  • Marketing communications sent only with consent or to existing business relationships
  • Clear identification of sender and contact details
  • Easy opt-out mechanisms in every communication
  • Opt-out requests honored within a reasonable timeframe (typically 48 hours)
  • Compliance with ECTA and Consumer Protection Act regarding electronic communications

8. Operator Requirements

When engaging third-party operators (processors) to process personal information on our behalf, we ensure:

  • Written agreements establishing obligations and responsibilities
  • Processing only on our documented instructions
  • Appropriate security measures implemented
  • Confidentiality obligations for personnel
  • Assistance with data subject rights requests
  • Notification of security compromises
  • Return or destruction of information upon termination

9. Retention and Destruction

Personal information is retained only as long as necessary for the purpose collected or required by law:

Retention Periods

  • Active Accounts: Duration of relationship plus 12 months
  • Financial Records: 7 years (tax and financial compliance)
  • Communications: 3 years from last interaction
  • Compliance Documents: 7 years post-relationship
  • Marketing Consent: Until consent withdrawn or 3 years of inactivity

Secure Destruction

When no longer required, personal information is destroyed or de-identified using secure methods preventing reconstruction or identification. Destruction methods include secure deletion, shredding of physical documents, and cryptographic erasure.

10. Exercising Your Rights

To exercise your POPIA rights or make inquiries:

Contact Our Information Officer

Email: informationofficer@vunaexchange.com

Email: privacy@vunaexchange.com

When submitting requests, please provide:

  • Sufficient detail for us to identify you and locate your information
  • Proof of identity (to prevent unauthorized disclosure)
  • Clear description of your request
  • Preferred method of communication

We will respond within a reasonable period, generally within 30 days. Access requests may be subject to prescribed fees to cover administrative costs.

11. Information Regulator Contact

If you believe we have not complied with POPIA, you may lodge a complaint with:

Information Regulator of South Africa

Website: www.justice.gov.za/inforeg

Email: inforeg@justice.gov.za

Physical Address:
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001

Postal Address:
P.O. Box 31533
Braamfontein, Johannesburg, 2017

We encourage you to contact us first so we can address your concerns directly before escalating to the regulator.
