POPIA Privacy Notice
This notice is issued in terms of Section 18 of the Protection of Personal Information Act, 4 of 2013 (POPIA). It informs you of your rights as a data subject and how Upscale Insightslock Consulting processes your personal information in accordance with South African law.
1. Purpose of This Notice
This POPIA Privacy Notice is designed to be transparent about how we collect, use, store, and protect personal information in compliance with the Protection of Personal Information Act, 4 of 2013 (“POPIA” or “the Act”). POPIA came into full effect on 1 July 2021.
This notice applies to all personal information processed by Upscale Insightslock Consulting in connection with our consulting services, website, and all business operations.
2. Responsible Party
Under POPIA, the responsible party is the entity that determines the purpose and means of processing personal information. Upscale Insightslock Consulting is the responsible party for all personal information processed in connection with our business.
- Entity: Upscale Insightslock Consulting
- Country of Registration: Republic of South Africa
- Website: upscaleinsightslockconsulting.com
3. Information Officer
In terms of Section 55 of POPIA, every responsible party must register an Information Officer with the Information Regulator. Our Information Officer is responsible for ensuring compliance with POPIA and handling all data-related enquiries and complaints.
To contact our Information Officer, please use the contact details provided at the bottom of this notice. All data subject requests will be handled within 30 days of receipt.
4. Processing Principles
We commit to processing personal information in accordance with the eight conditions for lawful processing as set out in POPIA:
Accountability
We take responsibility for ensuring compliance with POPIA in all our processing activities.
Processing Limitation
We only process personal information with your consent or on another lawful basis, and only to the extent necessary.
Purpose Specification
Personal information is collected for a specific, explicitly defined, and lawful purpose related to our business activities.
Further Processing Limitation
We do not use personal information for purposes incompatible with the original purpose of collection.
Information Quality
We take reasonable steps to ensure personal information is accurate, complete, and up to date.
Openness
We maintain documentation of all processing activities and notify data subjects of how their information is used.
Security Safeguards
We implement appropriate technical and organisational measures to secure personal information against loss, damage, or unauthorised access.
Data Subject Participation
We acknowledge and facilitate the rights of data subjects to access, correct, or delete their personal information.
5. Categories of Personal Information
We process the following categories of personal information as defined under POPIA:
- Contact information (name, email address, telephone number, physical address)
- Identity information (in cases where identity verification is required)
- Financial information necessary for invoicing and payment processing
- Professional information (job title, employer, industry)
- Communication records (emails, messages, meeting notes)
- Technical information (IP address, browser data, website usage statistics)
6. Purposes of Processing
Personal information is processed for the following specific purposes:
- Delivering contracted consulting services
- Communicating with clients and prospective clients
- Managing business administration, billing, and invoicing
- Complying with legal, regulatory, and contractual obligations
- Improving the quality and relevance of our services
- Sending marketing communications where explicit consent has been obtained
- Fraud prevention and security purposes
7. Special Categories of Information
POPIA affords additional protection to “special personal information”, which includes information relating to religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinion, health or sex life, biometric information, and criminal behaviour.
We do not routinely collect or process special personal information. In the exceptional circumstances where this may be required (for example, during certain HR or transformation consulting engagements), we will:
- Obtain explicit, specific consent prior to collection
- Process such information only to the minimum extent necessary
- Apply heightened security measures to its storage and handling
8. Sharing & Cross-Border Transfer
We may share personal information with third-party operators (as defined in POPIA) who process information on our behalf. All such operators are required to maintain the same level of protection as required by POPIA.
Where personal information is transferred to a recipient in a country outside South Africa that does not provide adequate protection, we will ensure that:
- The data subject has consented to the transfer, or
- The transfer is necessary for the performance of a contract, or
- Appropriate contractual safeguards have been put in place, or
- The transfer is required by law or in the public interest
9. Data Subject Rights
As a data subject under POPIA, you have the following rights which you may exercise at any time:
Right to Access
Request confirmation of whether we hold your personal information and obtain a copy of it.
Right to Correction
Request correction or updating of inaccurate, incomplete, or misleading personal information.
Right to Deletion
Request deletion or destruction of personal information we are no longer authorised or required to retain.
Right to Objection
Object to processing of your personal information on reasonable grounds, including for direct marketing.
Right to Withdraw Consent
Where processing is based on consent, withdraw that consent at any time without affecting prior processing.
Right to Complain
Lodge a complaint with the Information Regulator of South Africa if you believe your rights have been violated.
Submit your request in writing to our Information Officer. We will acknowledge receipt within 3 business days and respond fully within 30 calendar days.
10. Security Measures
In terms of Section 19 of POPIA, we maintain appropriate, reasonable technical and organisational security measures to prevent loss, damage, unauthorised destruction, and unlawful access to personal information.
Our security measures include:
- Encryption of personal information transmitted over the internet
- Role-based access controls limiting internal access to personal information
- Regular staff awareness and data protection training
- Use of reputable, POPIA-compliant third-party service providers
- Documented data processing and retention policies
11. Data Breach Notification
In the event of a data breach that is likely to harm you, we will notify:
- The Information Regulator as soon as reasonably possible after becoming aware of the breach
- Affected data subjects in a manner that balances urgency with accuracy
Notification will include the nature of the breach, the information involved, the likely consequences, and the steps taken or to be taken to address it. This is in accordance with Section 22 of POPIA.
12. Complaints
If you believe your personal information has been processed unlawfully or that your rights under POPIA have been infringed, you may:
- First contact our Information Officer to resolve the matter internally
- If unresolved, submit a complaint directly to the Information Regulator of South Africa
Physical: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Website: www.inforeg.org.za
Complaints email: complaints.IR@justice.gov.za
General enquiries: inforeg@justice.gov.za
13. Contact Our Information Officer
To submit a data subject access request, exercise any of your rights, or ask questions about how we handle your personal information:
Republic of South Africa
Phone / WhatsApp: +27 71 379 0965
Website: upscaleinsightslockconsulting.com