POPIA Compliance

Last Updated: January 1, 2025
Effective Date: January 1, 2026

1. Introduction to POPIA Compliance

Oh8 Digital (Pty) Ltd is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). This page provides detailed information about how we comply with POPIA requirements and how you can exercise your rights as a data subject.

POPIA regulates the processing of personal information by public and private bodies to protect the privacy of individuals while balancing this with the legitimate needs of organizations to collect and use personal information.

2. Our POPIA Compliance Framework

2.1 Information Officer

Information Officer: Deon Roos

Email: info@crooh.co.za

Responsibilities:

  • Ensuring POPIA compliance across all operations
  • Handling data subject requests and complaints
  • Liaising with the Information Regulator
  • Maintaining data protection policies and procedures

2.2 Compliance Measures

  • Data Protection Impact Assessments: Conducted for high-risk processing activities
  • Privacy by Design: Data protection built into all systems and processes
  • Staff Training: Regular POPIA training for all employees
  • Technical Safeguards: Encryption, access controls, and security monitoring
  • Organizational Measures: Policies, procedures, and governance frameworks

3. Lawful Basis for Processing

We process personal information based on the following lawful grounds under POPIA:

Consent

For marketing communications and optional features

Contractual Necessity

To provide our field service management platform and fulfill our contractual obligations

Legal Obligation

To comply with tax, accounting, and other legal requirements

Legitimate Interest

For service improvement, security, and business operations (balanced against your rights)

4. Your Rights as a Data Subject

Under POPIA, you have the following rights regarding your personal information:

Right of Access

Request access to your personal information we hold

Response time: 30 days

Right to Correction

Request correction of inaccurate or incomplete information

Response time: 30 days

Right to Deletion

Request deletion of your personal information (subject to legal requirements)

Response time: 30 days

Right to Object

Object to processing for direct marketing or legitimate interests

Response time: Immediate for marketing

Right to Restriction

Request restriction of processing in certain circumstances

Response time: 30 days

Right to Data Portability

Request transfer of your data in a structured format

Response time: 30 days

5. How to Exercise Your Rights

5.1 Making a Request

To exercise any of your rights, please contact our Information Officer:

Email: info@crooh.co.za

Subject Line: POPIA Data Subject Request

Include:

  • Your full name and contact details
  • Description of your request
  • Proof of identity (copy of ID document)
  • Specific information or action requested

5.2 Request Processing

  • Acknowledgment: We will acknowledge your request within 5 business days
  • Verification: We may request additional information to verify your identity
  • Response: We will respond within 30 days (may be extended by 30 days for complex requests)
  • No Fee: Most requests are processed free of charge

5.3 Fees

We may charge a reasonable fee for excessive or repetitive requests. Any fees will be communicated before processing your request.

6. Data Processing Activities

6.1 Categories of Personal Information

| Category | Purpose | Legal Basis |
|---|---|---|
| Identity Data | Account management, authentication | Contract |
| Contact Data | Communication, support | Contract |
| Financial Data | Billing, payment processing | Contract |
| Usage Data | Service improvement, analytics | Legitimate Interest |
| Marketing Data | Marketing communications | Consent |

7. Data Sharing and Transfers

7.1 Third-Party Recipients

  • Cloud Service Providers: For hosting and infrastructure (with appropriate safeguards)
  • Payment Processors: For secure payment processing
  • Support Services: For customer support and technical assistance
  • Legal Advisors: For legal compliance and advice

7.2 International Transfers

When personal information is transferred outside South Africa, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the Information Regulator
  • Standard contractual clauses
  • Binding corporate rules
  • Certification schemes

8. Data Security Measures

8.1 Technical Safeguards

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication for system access
  • Regular security assessments and penetration testing
  • Automated backup and disaster recovery procedures
  • Network security monitoring and intrusion detection

8.2 Organizational Safeguards

  • Role-based access controls and principle of least privilege
  • Regular staff training on data protection and security
  • Confidentiality agreements for all personnel
  • Incident response and breach notification procedures
  • Regular review and update of security policies

9. Data Breach Procedures

9.1 Breach Response

In the event of a data breach, we will:

  • Contain and assess the breach within 24 hours
  • Notify the Information Regulator within 72 hours (if required)
  • Notify affected data subjects without undue delay (if high risk)
  • Document the breach and response actions taken
  • Implement measures to prevent future breaches

9.2 Notification Content

Breach notifications will include:

  • Nature and scope of the breach
  • Categories and number of data subjects affected
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Contact information for further inquiries

10. Complaints and Enforcement

10.1 Internal Complaints

If you have concerns about our data processing practices, please contact our Information Officer first. We are committed to resolving complaints promptly and fairly.

10.2 Information Regulator

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator:

Information Regulator (South Africa)

Website: inforegulator.org.za

Email: inforegulator@justice.gov.za

Phone: 012 406 4818

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

11. Regular Reviews and Updates

We regularly review our POPIA compliance measures to ensure they remain effective and up-to-date. This includes:

  • Annual compliance audits and assessments
  • Regular policy and procedure updates
  • Staff training and awareness programs
  • Technology and security updates
  • Monitoring of regulatory developments

12. Contact Information

Information Officer

Name: Deon Roos

Title: Information Officer

Company: Oh8 Digital (Pty) Ltd

Email: info@crooh.co.za

Response Time: 5 business days for acknowledgment, 30 days for full response

For POPIA-related inquiries, please include:

  • Subject line: "POPIA Inquiry" or "Data Subject Request"
  • Your full name and contact information
  • Clear description of your inquiry or request
  • Relevant account or reference information

13. Commitment Statement

Our POPIA Commitment

Oh8 Digital (Pty) Ltd is committed to protecting your personal information and respecting your privacy rights. We will continue to enhance our data protection practices and maintain the highest standards of POPIA compliance. Your trust is essential to our business, and we take our responsibility as a data controller seriously.