POPIA Privacy Notice
Our commitment to protecting your personal information in accordance with South Africa’s Protection of Personal Information Act.
📅 Effective Date: 28 February 2025
POPIA Compliance Statement
Upscale Insightslock Consulting is committed to full compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (POPIA). This notice explains how we process your personal information in accordance with POPIA’s eight conditions for lawful processing.
1. Responsible Party Information
In terms of POPIA, Upscale Insightslock Consulting is the Responsible Party for the personal information we process.
Name: Upscale Insightslock Consulting
Registration: K2025154029
Contact: Legal@upscaleinsightslockconsulting.com
Information Officer: Refiloe Mokgalaka +27713790965
2. Purpose of This Notice
This POPIA Privacy Notice informs you, as a data subject, about:
- What personal information we collect
- Why we process your personal information
- How we collect and use your personal information
- Who we share your information with
- Your rights under POPIA
- How to contact us regarding your personal information
- How to lodge a complaint with the Information Regulator
3. Personal Information We Process
3.1 Categories of Personal Information
| Category | Examples |
|---|---|
| Identity Information | Full name, ID number, date of birth, gender, nationality |
| Contact Information | Email address, phone number, physical address, postal address |
| Professional Information | Job title, company name, industry, work experience |
| Financial Information | Banking details, payment information, invoicing details |
| Technical Information | IP address, browser type, device information, cookies |
| Usage Information | Website activity, service interactions, communication records |
| Business Information | Company details, business requirements, project information |
3.2 Special Personal Information
We do not routinely collect special personal information (sensitive data such as religious beliefs, race, health information, etc.) unless:
- Required for a specific service or legal obligation
- Provided voluntarily with your explicit consent
- Necessary for establishing, exercising, or defending a right or obligation
4. How We Collect Personal Information
📝 Direct Collection
Through forms, consultations, contracts, emails, and direct communications
🌐 Website Collection
Cookies, analytics, and automated technologies when you visit our site
🤝 Third Parties
Business partners, referral sources, public databases, and professional networks
📊 Service Delivery
Information gathered during consulting engagements and project delivery
5. Purpose of Processing
We process your personal information for the following purposes:
5.1 Service Delivery and Management
- Providing consulting and advisory services
- Managing client relationships and projects
- Communicating about services and deliverables
- Conducting business analysis and developing recommendations
- Quality assurance and service improvement
5.2 Business Operations
- Processing payments and managing accounts
- Maintaining financial and business records
- Internal administration and operations
- Business planning and development
5.3 Marketing and Communications
- Sending newsletters and thought leadership content (with consent)
- Informing you about relevant services and offerings
- Event invitations and industry updates
- Market research and surveys
5.4 Legal and Compliance
- Complying with legal and regulatory requirements
- Protecting our rights and interests
- Fraud prevention and security
- Resolving disputes and enforcing agreements
6. Legal Basis for Processing (POPIA Conditions)
We process your personal information based on the following lawful grounds under POPIA:
6.1 Consent (Condition 2)
We process personal information with your voluntary, specific, and informed consent for purposes such as:
- Marketing communications
- Non-essential cookies and tracking
- Optional services or features
- Sharing information with third parties for non-contractual purposes
6.2 Contract Performance (Condition 6)
Processing is necessary to:
- Enter into or perform a consulting services agreement
- Deliver services you have requested
- Take steps at your request before entering into a contract
6.3 Legal Obligation (Condition 7)
Processing is required to comply with:
- Tax and financial reporting laws
- Company registration and regulatory requirements
- Court orders or legal processes
- Professional conduct regulations
6.4 Legitimate Interests (Condition 8)
We process information for legitimate business interests, including:
- Improving our services and website functionality
- Conducting analytics and business intelligence
- Protecting against fraud and security threats
- Managing business operations efficiently
We balance our legitimate interests against your rights and only process where your interests do not override ours.
7. POPIA’s Eight Conditions for Lawful Processing
We comply with all eight conditions set out in POPIA:
1️⃣ Accountability
We take responsibility for personal information in our possession and ensure compliance
2️⃣ Processing Limitation
We process information lawfully, fairly, transparently, and only for specified purposes
3️⃣ Purpose Specification
We collect information for specific, explicitly defined, and lawful purposes
4️⃣ Further Processing
We don’t process information for purposes incompatible with original collection
5️⃣ Information Quality
We ensure information is complete, accurate, not misleading, and updated
6️⃣ Openness
We maintain documentation and communicate openly about our processing activities
7️⃣ Security Safeguards
We implement appropriate technical and organizational security measures
8️⃣ Data Subject Participation
We respect and facilitate your rights to access and control your information
8. Sharing Personal Information
8.1 Third-Party Recipients
We may share your personal information with:
| Recipient Category | Purpose |
|---|---|
| Service Providers | Website hosting, email marketing, payment processing, CRM systems |
| Professional Advisors | Legal, accounting, audit, and insurance services |
| Business Partners | Alliance partners, referral networks (with your consent) |
| Regulatory Authorities | Tax authorities, professional regulators, law enforcement (as required) |
| Successor Entities | In case of merger, acquisition, or business transfer |
8.2 Operator Agreements
When we share information with service providers (operators), we:
- Enter into written agreements as required by POPIA
- Ensure they process only for specified purposes
- Require appropriate security measures
- Maintain oversight of their processing activities
8.3 International Transfers
If we transfer personal information outside South Africa:
- We ensure the recipient country has adequate protection (Section 72)
- We implement appropriate safeguards (standard contractual clauses)
- We obtain your consent where required
- We comply with transborder flow requirements under POPIA
9. Security Measures
We implement appropriate technical and organizational measures to secure personal information:
9.1 Technical Safeguards
- Encryption of data in transit (SSL/TLS) and at rest
- Secure authentication and access controls
- Firewalls and intrusion detection systems
- Regular security updates and patches
- Secure backup and disaster recovery procedures
9.2 Organizational Measures
- Confidentiality agreements with staff and contractors
- Privacy and security training programs
- Access controls based on need-to-know principles
- Regular risk assessments and audits
- Incident response and breach notification procedures
9.3 Data Breach Response
In the event of a data breach, we will:
- Take immediate steps to contain and mitigate the breach
- Notify the Information Regulator without undue delay (as required by Section 22)
- Notify affected data subjects if the breach poses a significant risk
- Document the breach and our response measures
- Review and strengthen security measures to prevent recurrence
10. Data Retention
We retain personal information only as long as necessary for the purposes collected or as required by law:
| Information Type | Retention Period |
|---|---|
| Client engagement data | Duration of engagement + 7 years |
| Financial records | 5 years minimum (legal requirement) |
| Contracts and agreements | Duration + 3 years after expiry |
| Marketing consent records | Until consent withdrawn + 1 year |
| Website analytics | 26 months maximum |
| CCTV footage (if applicable) | 30 days unless incident reported |
After retention periods expire, we securely delete or anonymize personal information.
11. Your Rights as a Data Subject
Under POPIA Chapter 3, you have the following rights:
11.1 Right to Access (Section 23)
You may request:
- Confirmation of whether we hold your personal information
- Access to your personal information
- Description of the information and how it’s processed
- Identity of third parties who have access to your information
To request access:
- Submit a written request to Legal@upscaleinsightslockconsulting.com
- Provide proof of identity (certified copy of ID)
- Specify the information you wish to access
- We will respond within 30 days
- A prescribed fee may apply for retrieval and preparation
11.2 Right to Correction (Section 24)
You have the right to request correction of:
- Inaccurate personal information
- Incomplete personal information
- Misleading personal information
We will correct information within a reasonable period and notify third parties to whom the information was disclosed.
11.3 Right to Object (Section 11(3))
You may object to processing based on:
- Legitimate interests
- Direct marketing purposes
- Processing for purposes other than originally intended
11.4 Right to Erasure/Deletion
You may request deletion when:
- Personal information is no longer necessary for the purpose
- You withdraw consent and there’s no other legal basis
- You successfully object to the processing
- Information was unlawfully processed
Note: We may be required to retain certain information for legal, regulatory, or legitimate business purposes.
11.5 Right to Restriction
You may request restricted processing when:
- Contesting the accuracy of information
- Processing is unlawful but you don’t want deletion
- We no longer need the information but you need it for legal claims
11.6 Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, machine-readable format for transmission to another responsible party.
12. Exercising Your Rights
To exercise any of your rights:
- Email: Legal@upscaleinsightslockconsulting.com
- Subject Line: “POPIA Rights Request – [Type of Request]”
- Include: Your full name, contact details, proof of identity, specific request details
- Response Time: We will respond within 30 days
- Verification: We may request additional information to verify your identity
We will not charge a fee for legitimate requests unless they are manifestly unfounded, excessive, or repetitive.
13. Automated Decision-Making
We do not make significant decisions based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect you. If we introduce automated decision-making:
- We will inform you and explain the logic involved
- You will have the right to request human intervention
- You can express your point of view and contest the decision
14. Children’s Personal Information
Our services are not directed at children under 18. We do not knowingly process personal information of children. If we become aware of such processing, we will:
- Delete the information immediately
- Not process it for any purpose
- Notify parents/guardians if appropriate
15. Direct Marketing
In compliance with Section 69 of POPIA:
- We only send marketing communications with your consent
- Every marketing message includes an opt-out mechanism
- You can object to direct marketing at any time
- We maintain a suppression list for those who have opted out
- We do not sell your information for third-party marketing
16. Updates to This Notice
We may update this POPIA Privacy Notice to reflect:
- Changes in our processing activities
- New legal or regulatory requirements
- Technological developments
- Best practice recommendations
We will notify you of material changes by:
- Posting the updated notice on our website
- Updating the effective date
- Sending email notifications for significant changes
17. Complaints and Information Regulator
If you believe we have processed your personal information unlawfully or in violation of POPIA, you have the right to lodge a complaint.
17.1 Internal Complaint Process
First, please contact us at:
- Email: Legal@upscaleinsightslockconsulting.com
- Subject: “POPIA Complaint”
We will:
- Acknowledge your complaint within 5 business days
- Investigate thoroughly
- Provide a substantive response within 30 days
- Take corrective action if required
17.2 Information Regulator (South Africa)
You have the right to lodge a complaint directly with the Information Regulator:
Information Regulator (South Africa)
Physical Address:
JD House, 27 Stiemens Street
Braamfontein, Johannesburg, 2001
Postal Address:
P.O. Box 31533
Braamfontein, Johannesburg, 2017
Contact Details:
📧 Email: inforeg@justice.gov.za
📞 Phone: 010 023 5200
🌐 Website: www.justice.gov.za/inforeg
18. Contact Information
Email: Legal@upscaleinsightslockconsulting.com
Subject Line: Include “POPIA” or “Privacy” for priority handling
Information Officer: Refiloe Mokgalaka
Response Time: Within 5 business days for initial acknowledgment, 30 days for substantive response
19. Language
This POPIA Privacy Notice is available in English. If you require a translation into another official South African language, please contact us and we will make reasonable efforts to accommodate your request.
20. Acknowledgment and Consent
By engaging with our services or providing personal information, you acknowledge that:
- You have read and understood this POPIA Privacy Notice
- You understand how your personal information will be processed
- You consent to processing where consent is the legal basis
- You understand your rights under POPIA
Upscale Insightslock Consulting
Committed to POPIA Compliance and Data Protection
Last Updated: 28 February 2025
