POPIA Compliance

1. PURPOSE

  • This POPIA Compliance Policy sets out how Creative Tech Worx (Pty) Ltd ensures compliance with the Protection of Personal Information Act 4 of 2013 (POPIA).

  • This policy is to be read in conjunction with the Company’s PAIA Manual, which outlines the procedures available to Data Subjects to request access to, correction of, or deletion of records held by the Company in accordance with applicable law.

2. SCOPE

Applies to:

  • Website operations

  • SaaS platforms

  • Mobile applications

  • Employees, contractors, and third-party operators

  • All personal and special personal information processed by the Company

3. RESPONSIBLE PARTY & INFORMATION OFFICER

  • Creative Tech Worx (Pty) Ltd is the Responsible Party as defined in POPIA.

The Company has appointed an Information Officer (IO) who is registered with the Information Regulator of South Africa. The Information Officer is responsible for:

  • Maintaining the Company’s POPIA Compliance Framework

  • Conducting Personal Information Impact Assessments (PIIAs) for new systems, products, and app features

  • Handling data subject requests and regulatory engagement

  • Contact: Legal Department

4. CONDITIONS FOR LAWFUL PROCESSING

4.1 Accountability

  • The Company takes responsibility for POPIA compliance across all systems and services.

4.2 Processing Limitation

Personal information is:

  • Processed lawfully and minimally

  • Collected for a specific, explicit purpose

  • Not retained longer than necessary

4.3 Purpose Specification

Data is collected only for:

  • Service delivery

  • Security and authentication

  • Legal and contractual obligations

5. SPECIAL PERSONAL INFORMATION

Where special personal information is processed (health, minors, life data):

  • Explicit consent is required

  • Enhanced access controls apply

  • Mandatory 2FA is enforced where risk exists

  • Where the personal information of minors is processed, the Company implements reasonable verification measures (including identity verification, parental confirmation workflows, or equivalent safeguards) to ensure that consent is provided by a Competent Person as required under Section 35 of POPIA.

6. INFORMATION QUALITY

Reasonable steps are taken to ensure data is:

  • Accurate

  • Complete

  • Updated where required

7. SECURITY SAFEGUARDS (POPIA SECTION 19)

  • Creative Tech Worx (Pty) Ltd implements appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access to personal information.

These measures include, but are not limited to:

7.1 Data Protection by Design

  • Security is embedded into systems at design and development stage

  • Least-privilege access principles are enforced

  • Segregation between environments (production, staging, development)

7.2 Encryption & Key Management

  • Data at rest is encrypted using industry-standard encryption mechanisms

  • Sensitive fields may be encrypted at application level

  • Where required by client or risk profile, encryption keys may be externally controlled

7.3 Authentication & Access Control

  • Mandatory Multi-Factor Authentication (MFA / 2FA) for high-risk systems

  • Role-based access control (RBAC)

  • Session-based access enforcement

7.4 Monitoring & Audit Logging

  • User actions are logged and monitored

  • Logs are retained in accordance with legal and contractual requirements

  • Logs are protected against tampering

8. OPERATOR OBLIGATIONS (POPIA SECTION 20)

  • Where Creative Tech Worx (Pty) Ltd processes personal information on behalf of another Responsible Party, it acts as an Operator as defined by POPIA.

In such cases, the Company commits to:

  • Processing personal information only on documented instructions of the Responsible Party

  • Ensuring all personnel with access are bound by confidentiality obligations

  • Implementing safeguards no less protective than those required by POPIA

  • Ensuring subcontractors (if any) are subject to equivalent protections

9. SUB-PROCESSING & THIRD-PARTY OPERATORS (POPIA SECTION 21)

Where third parties are engaged to process personal information:

9.1 Due Diligence

  • Sub-processors are assessed for security, confidentiality, and compliance posture

  • Written agreements are in place governing data protection responsibilities

9.2 Control & Oversight

  • Processing is limited strictly to defined purposes

  • Access may be revoked immediately where risk is identified

  • Technical controls may be implemented to prevent unauthorised extraction or duplication of data

9.3 Audit & Accountability

  • Audit trails are maintained

  • The Company cooperates with Responsible Parties in investigations or compliance reviews

10. DATA BREACH MANAGEMENT (POPIA SECTION 21)

In the event of a suspected or confirmed compromise of personal information:

  • Immediate containment and assessment is performed

  • The Responsible Party is notified without undue delay (where applicable)

  • The Information Regulator and affected data subjects are notified where legally required

  • Corrective actions are implemented to prevent recurrence

11. DATA RETENTION & DESTRUCTION

  • Personal information is retained only for as long as necessary

  • Retention periods are aligned to legal, regulatory, and contractual obligations

  • Secure deletion or anonymisation is applied once retention expires

12. AUTOMATED DECISION-MAKING (POPIA SECTION 71)

Creative Tech Worx (Pty) Ltd ensures that:

  • No decision producing legal or similarly significant effects is made solely by automated means

  • Human oversight is available

  • Automated systems are monitored for fairness and correctness

13. TRANSBORDER DATA FLOWS

Where data is processed outside South Africa:

  • Adequate protection is contractually ensured

  • POPIA Section 72 requirements are met

14. ENFORCEMENT & REVIEW

This POPIA Compliance Policy is:

  • Reviewed annually

  • Updated upon material system, legal, or risk changes

  • Enforced across all business units and platforms

15. DIRECT MARKETING (POPIA SECTION 69)

  • Creative Tech Worx (Pty) Ltd strictly complies with Section 69 of POPIA regarding direct marketing by electronic means.

  • Electronic communications are sent only to Data Subjects who have provided explicit Opt-In consent

  • No pre-ticked boxes or implied consent mechanisms are used

  • Every marketing communication includes a clear, accessible, and no-cost Opt-Out mechanism

  • Waitlists and early-access programmes operate on an opt-in basis only

16. EMPLOYEE & CONTRACTOR TRAINING

In accordance with Regulation 4 of POPIA:

  • All employees and contractors undergo mandatory POPIA awareness training upon onboarding

  • Refresher training is conducted at least annually

  • Training ensures that security safeguards, confidentiality obligations, and incident reporting procedures are understood and applied