POPIA Compliance Policy
This POPIA Compliance Policy sets out how Tsamma Solutions (Pty) Limited complies with the Protection of Personal Information Act, 4 of 2013 (POPIA) and the regulations made under it. It explains how we protect the privacy of South African data subjects and regulate how Personal Information is processed in connection with our recruitment matching services.
1. Introduction and Purpose
This POPIA Compliance Policy ("Policy") sets out how Tsamma complies with the Protection of Personal Information Act, 4 of 2013 ("POPIA") and the regulations made under it. The purpose of POPIA is to protect the right to privacy of personal information of South African data subjects, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed. The Policy applies to all directors, employees, contractors, and operators of Tsamma who process Personal Information in connection with our recruitment matching services.
During the normal course of its business activities, Tsamma will collect, store and process personal information about Tsamma staff, customers, suppliers and other third parties.
Tsamma recognises that it has a moral and legal responsibility to treat such data in a manner which respects the rights of the data subjects in both the letter and spirit of the relevant legislation and is committed to taking all reasonable steps to do so.
2. Scope
This Policy applies to any persons who Process Personal Information on behalf of the Company, including Company directors, employees and Operators.
This Policy should be read together with any other policy schedule, policy wording, disclosure notice or other terms and conditions between Tsamma and you.
We may amend this Policy from time to time. Where material changes are made, we will notify you; you should nevertheless review this Policy periodically to note any amendments.
3. Definitions
Capitalised terms have the meanings given to them in POPIA. The following are highlighted for clarity:
- "Data Subject" - means the person to whom Personal Information relates, whether a natural person or a juristic person. This includes customers, employees, suppliers, contractors, job applicants, vendors, third parties and other stakeholders.
- "Information Officer" - means the information officer appointed as such by Tsamma in terms of section 56 of POPIA and who will have the ultimate responsibility to ensure that Tsamma complies with the provisions of POPIA.
- "Information Regulator" - means the Information Regulator established in terms of section 39 of POPIA.
- "Operator" - means a person who processes Personal Information for a responsible party in terms of a contract or mandate.
- "Personal Information" - means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.
- "Processing" - means any operation concerning Personal Information, including collection, storage, use, sharing, and destruction.
- "Responsible Party" - means Tsamma, who determines, either on its own or as joint responsible party with any other responsible parties, the purpose of and means for processing personal information.
- "Special personal information" - includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
4. The Eight Conditions for Lawful Processing
POPIA sets out eight conditions for the lawful processing of Personal Information. Tsamma's policies and procedures are designed around these conditions.
Condition 1: Accountability
Tsamma takes full accountability for ensuring compliance with POPIA. We have:
- Appointed an Information Officer responsible for POPIA compliance;
- Implemented this Policy and supporting procedures;
- Documented our processing activities and lawful bases;
- Allocated appropriate resources to data protection.
Condition 2: Processing Limitation
We process Personal Information lawfully and in a reasonable manner that does not infringe the privacy of the Data Subject. Specifically:
- We process Personal Information only with a lawful basis (consent, contract, legal obligation, or legitimate interest);
- We collect Personal Information directly from the Data Subject through the WhatsApp registration flow, except where lawful exceptions apply (e.g., verification with their consent);
- We minimise data collection to what is necessary for recruitment matching;
- We obtain explicit consent for Special Personal Information (race, health, criminal records).
Condition 3: Purpose Specification
We collect Personal Information for specific, explicitly defined, and lawful purposes, namely:
- Building applicant profiles;
- Matching applicants to vacancies;
- Facilitating employer introductions;
- Conducting verification checks (with consent);
- Complying with legal obligations (e.g., Employment Equity reporting, tax compliance);
- Improving and securing our service.
These purposes are clearly disclosed in our Privacy Policy and at the start of the registration flow.
Condition 4: Further Processing Limitation
We do not further process Personal Information in a manner incompatible with the original purpose. Where new processing is contemplated (e.g., a new analytics use case), we assess compatibility and, where required, obtain fresh consent.
Condition 5: Information Quality
We take reasonable steps to ensure Personal Information is complete, accurate, not misleading, and updated where necessary. This includes:
- Allowing applicants to review and correct their information at any time;
- Periodically prompting inactive applicants to confirm or update their details;
- Validating identity and document data through verification partners (with consent).
Condition 6: Openness
We maintain transparency by:
- Publishing a clear Privacy Policy on our website and at the start of the WhatsApp Flow;
- Maintaining a PAIA Manual that lists our processing activities;
- Notifying the Information Regulator of our processing activities (where required);
- Notifying Data Subjects when we collect their information.
Condition 7: Security Safeguards
We implement appropriate technical and organisational measures to secure Personal Information. See Section 9.
Condition 8: Data Subject Participation
We respect Data Subject rights as set out in Section 7.
5. Information Officer
Tsamma's Information Officer's details can be found in the Tsamma PAIA Manual or in Section 18.
The Information Officer is responsible for:
- Ensuring that Tsamma complies with POPIA;
- Acting as the primary contact for the Information Regulator;
- Handling Data Subject requests;
- Overseeing the development, implementation, and maintenance of compliance frameworks;
- Conducting and reviewing Personal Information Impact Assessments (PIAs);
- Coordinating staff training on POPIA;
- Investigating and reporting Data Breaches;
- Maintaining the PAIA Manual;
- Registering with the Information Regulator as required.
6. Lawful Basis for Processing
For each processing activity, Tsamma identifies and documents the lawful basis. The most common lawful bases are summarised below.
- Capturing applicant profile via WhatsApp Flow - Consent + performance of contract
- Matching applicants to employer vacancies - Consent + legitimate interest
- Sharing profiles with employers - Consent
- Conducting verification checks - Consent
- Storing assessment results - Consent + legitimate interest
- Processing race / ethnicity for Employment Equity - Consent + legal obligation
- Processing disability data - Express consent (voluntary disclosure)
- Processing criminal record disclosures - Express consent
- Retaining tax-related records - Legal obligation (SARS)
- Security monitoring and fraud prevention - Legitimate interest
7. Data Subject Rights
POPIA grants Data Subjects the following rights, all of which Tsamma respects and supports.
Right to Notification
Data Subjects are notified of the collection of their Personal Information through:
- The Privacy Policy;
- The notices and consent prompts at the start of the WhatsApp registration flow;
- Notifications when their profile is shared with an employer (where reasonably practical).
Right of Access
Data Subjects have the right to request:
- Confirmation of whether we hold their Personal Information;
- A copy of the Personal Information we hold;
- The identity of any third parties (or categories thereof) who have or have had access.
Requests are to be submitted to the Information Officer on the prescribed request form or via email/WhatsApp. We will respond within 30 days.
Right to Correction or Deletion
Data Subjects may request:
- Correction or update of inaccurate, incomplete, irrelevant, excessive, or unlawfully obtained Personal Information;
- Deletion of Personal Information that we are no longer authorised to retain.
We action valid requests promptly and confirm in writing.
Right to Object
Data Subjects may object to processing on reasonable grounds, particularly for direct marketing or where processing is based on legitimate interest.
Right to Withdraw Consent
Where processing is based on consent, Data Subjects may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint
Data Subjects may complain to the Information Regulator if they believe their rights have been infringed. Contact details for the Regulator are provided in the Privacy Policy.
Handling Data Subject Requests Internally
Staff who receive Data Subject requests must:
- Forward the request to the Information Officer immediately;
- Not delete, alter, or disclose any Personal Information until guided by the Information Officer;
- Document receipt of the request with date and time.
The Information Officer maintains a log of all Data Subject requests and tracks resolution timelines.
8. Consent Management
Obtaining Consent
Tsamma obtains consent through:
- Explicit opt-in checkboxes at the start of the WhatsApp Flow;
- Specific consent for verification checks (Work Conditions screen);
- Explicit consent at the point of disclosing Special Personal Information.
Quality of Consent
Consent must be:
- Voluntary: given without coercion;
- Specific: for clearly defined purposes;
- Informed: preceded by clear and accessible information;
- Express: through an active opt-in (not pre-ticked boxes or silence).
Recording Consent
We record the time, date, version of the Privacy Policy and Terms in force, and the specific consent text shown to the applicant. Consent records are retained for the duration of the applicant's profile and for 5 years after deactivation.
Withdrawing Consent
Applicants may withdraw consent by:
- Emailing the Information Officer;
- Submitting a request via our website.
Upon withdrawal, we cease processing and delete or anonymise the Personal Information, subject to legal retention obligations.
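The consent requirements above (an active opt-in, a record of the date, time, policy and terms versions and the exact consent text, and withdrawal that does not undo prior lawful processing) can be enforced in code. The following is an added example, not part of the original Policy or of Tsamma's systems; the applicant identifier, version labels and consent wording are constructed for illustration, and storing a SHA-256 digest of the consent text alongside the text itself is an assumed design choice that lets a later edit of the wording in the WhatsApp Flow be detected.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Constructed sample inputs (assumed, not from the Policy): the consent text shown on
# the verification screen and the versions of the Privacy Policy / Terms in force.
CONSENT_TEXT_VERIFICATION = (
    "I agree that Tsamma may run identity and qualification verification checks on my behalf."
)
POLICY_VERSION = "privacy-policy-2024-11"
TERMS_VERSION = "terms-2024-11"


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (consent records must not use naive local times)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def text_digest(text):
    """SHA-256 of the exact consent wording, so later edits to the screen are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    applicant_id: str
    purpose: str                 # e.g. "verification", "employer-sharing", "special-info:race"
    consent_text: str            # the wording actually shown to the applicant
    consent_text_sha256: str     # digest of that wording, fixed at the time consent was given
    policy_version: str
    terms_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; the record is never deleted


def record_consent(applicant_id, purpose, consent_text, policy_version, terms_version,
                   opted_in, now):
    """Create a consent record only for an explicit, active opt-in.

    A missing, False or None value is silence / a pre-ticked box and must not count.
    """
    if opted_in is not True:
        raise ValueError("consent requires an explicit opt-in; silence or defaults do not count")
    if now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ConsentRecord(
        applicant_id=applicant_id,
        purpose=purpose,
        consent_text=consent_text,
        consent_text_sha256=text_digest(consent_text),
        policy_version=policy_version,
        terms_version=terms_version,
        given_at=now,
    )


def withdraw_consent(record, now):
    """Mark consent as withdrawn. The record is retained (the Policy keeps consent
    records for 5 years after deactivation), so we annotate rather than delete."""
    if record.withdrawn_at is not None:
        return record
    return replace(record, withdrawn_at=now)


def consent_in_force(record, at):
    """Was consent in force at time `at`? Withdrawal does not affect the lawfulness of
    processing that happened before it, so earlier times still return True."""
    if at < record.given_at:
        return False
    return record.withdrawn_at is None or at < record.withdrawn_at


def consent_text_unchanged(record, current_text):
    """Detect drift between the wording stored at consent time and the wording now in the flow."""
    return record.consent_text_sha256 == text_digest(current_text)


if __name__ == "__main__":
    rec = record_consent("applicant-001", "verification", CONSENT_TEXT_VERIFICATION,
                         POLICY_VERSION, TERMS_VERSION, True, utc(2025, 1, 10, 9, 0))
    rec = withdraw_consent(rec, utc(2025, 3, 1))
    print(rec)
```

The in-force check is the one a verification request handler should call before each check, passing the time of the request; the digest comparison belongs in a periodic control that compares stored digests against the text currently deployed in the flow, so that a silent rewording cannot be passed off as the consent the applicant actually gave.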
9. Security of Personal Information
Tsamma always strives to secure the integrity and confidentiality of Personal Information in our possession or under our control by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of, loss of, damage to or unauthorised destruction of Personal Information. Where your Personal Information is processed by an Operator or third party, they will be contractually obliged to treat such Personal Information as confidential and not to disclose it, unless required by law or in the course of performing their contractual duties. They will also be required to establish and maintain the security measures required by POPIA.
Risk-Based Approach
We assess risks to Personal Information considering:
- Sensitivity (especially Special Personal Information);
- Volume of records;
- Likelihood and impact of unauthorised access, loss, or disclosure;
- Channels of transmission and storage.
Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Multi-factor authentication for staff and admin systems;
- Role-based access control with least-privilege defaults;
- Logging, monitoring, and alerting on access and changes;
- Regular patching and vulnerability scanning;
- Backups stored securely with restricted access;
- Hardened cloud infrastructure with reputable providers.
Organisational Measures
- Background checks for staff with access to Personal Information;
- Confidentiality clauses in all employment and contractor agreements;
- Mandatory POPIA training for all staff at induction and annually thereafter;
- Clear desk and clean screen policies;
- Secure disposal of physical and digital records;
- Vendor due diligence for all Sub-Operators;
- Periodic internal audits of compliance.
Operator Agreements
Every Operator (and any Sub-Operator it engages) processing Personal Information on Tsamma's behalf must enter into a written agreement that:
- Restricts processing to defined purposes;
- Imposes equivalent confidentiality and security obligations;
- Requires breach notification within agreed timeframes;
- Permits audit and termination rights.
10. Data Breach Management
A Data Breach is a compromise of the security, integrity, or confidentiality of Personal Information, including unauthorised access, accidental loss, alteration, disclosure, or destruction.
Any staff member, contractor, or Operator who becomes aware of a suspected or confirmed Data Breach must:
- Report it to the Information Officer immediately (within 24 hours of discovery);
- Preserve evidence and avoid actions that could compromise investigation;
- Cooperate fully with the breach response team.
The Information Officer leads the breach response, including:
- Assessment of scope and impact;
- Containment and mitigation;
- Investigation and root cause analysis;
- Notification to the Information Regulator and affected Data Subjects (where required by section 22 of POPIA);
- Notification to affected Clients (employers) under the Data Processing Agreement;
- Documentation in the breach register;
- Remediation and lessons learned.
Tsamma will notify the Information Regulator, as required by section 22 of POPIA, as soon as reasonably possible after it has reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person.
Tsamma will also notify affected Data Subjects in writing (typically via WhatsApp or email), unless their identity cannot be established, with sufficient information to allow them to take protective measures against the consequences of the breach.
11. Personal Information Impact Assessments (PIAs)
For new products, features, processing activities, or vendor engagements that materially affect Personal Information processing, the team responsible must complete a PIA before implementation. The PIA evaluates:
- The purpose and necessity of the processing;
- The lawful basis;
- The categories of Personal Information involved;
- Recipients and Sub-Operators;
- Cross-border transfer implications;
- Security and risk mitigation measures;
- Data Subject rights impacts.
PIAs are reviewed and signed off by the Information Officer.
12. Roles and Responsibilities
- Board of Directors - Overall accountability for POPIA compliance
- Information Officer - Day-to-day compliance, regulator liaison, breach management
- Deputy Information Officers - Support the Information Officer in their assigned areas
- Department Heads - Embed POPIA in their team's processes
- All Staff - Comply with this Policy and report concerns
- Operators - Process Personal Information only as instructed and per agreement
13. Retention, Storage and Disposal
We will not retain your Personal Information for longer than it is necessary considering the purpose for which it was collected or for other lawfully permissible reasons, including where retention is required by legal, regulatory or contractual obligations, for historical or statistical purposes. Your Personal Information will be appropriately destroyed, deleted or de-identified after we are no longer required or permitted to retain it.
Standard retention periods are summarised in Tsamma's Privacy Policy and include:
- Active applicant profiles: while active;
- Inactive profiles: up to 24 months from last activity;
- Tax records: In accordance with Tax Legislation;
- Placement records: Five (5) years;
- Communications and audit logs: Three (3) years.
When retention periods expire or a deletion request is actioned, Personal Information is:
- Securely deleted from production systems and, where reasonably practical, from backups (where backups cannot be edited in place, the records are left to expire under the backup rotation schedule and restore procedures must ensure expired records are not reinstated);
- Anonymised where deletion is not feasible (e.g., audit logs);
- Physically destroyed (for hardcopy records) using cross-cut shredding or accredited destruction services.
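Applying the retention schedule above mechanically, rather than by ad hoc clean-ups, is what makes it auditable. The following is an added example, not part of the original Policy or of Tsamma's systems: it evaluates constructed sample records against the periods listed (24 months for inactive profiles, five years for placement records, three years for audit logs) and anonymises audit-log entries with a keyed HMAC pseudonym. The record shapes, the `legal_hold` flag (standing in for tax and other legal retention obligations) and the key handling are assumptions. The keyed hash is deliberate: an unkeyed SHA-256 of a phone number or ID number is reversible by enumeration, whereas an HMAC under a key that is later destroyed is not.

```python
import calendar
import hashlib
import hmac
from datetime import datetime, timezone

# Retention periods in months, taken from the schedule in this section.
RETENTION_MONTHS = {
    "inactive_profile": 24,
    "placement_record": 60,
    "audit_log": 36,
}

# Fields that identify a person and must not survive anonymisation of an audit entry.
DIRECT_IDENTIFIERS = ("name", "phone", "email", "id_number")


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_months(d, n):
    """Calendar-month arithmetic (clamps to month end, e.g. 31 Jan + 1 month = 28/29 Feb)."""
    y, m = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def retention_action(record, now):
    """Return 'retain', 'delete' or 'anonymise' for one record.

    Legal holds (tax records, litigation, regulator requests) override every period,
    which is also why deletion requests are actioned 'subject to legal retention obligations'.
    """
    if record.get("legal_hold"):
        return "retain"
    kind = record["kind"]
    if kind == "active_profile":
        return "retain"
    if kind not in RETENTION_MONTHS:
        raise ValueError(f"no retention period defined for record kind {kind!r}")
    expiry = add_months(record["reference_date"], RETENTION_MONTHS[kind])
    if now < expiry:
        return "retain"
    # Audit logs cannot be deleted without breaking the audit trail, so they are anonymised.
    return "anonymise" if kind == "audit_log" else "delete"


def pseudonym(applicant_id, key):
    """Keyed, truncated HMAC-SHA256 pseudonym. Destroying `key` makes the mapping irreversible."""
    return "anon:" + hmac.new(key, applicant_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymise_audit_entry(entry, key):
    """Replace the applicant reference with a pseudonym and strip direct identifiers,
    keeping the action, timestamp and actor fields the audit trail actually needs."""
    out = {k: v for k, v in entry.items() if k not in DIRECT_IDENTIFIERS}
    out["applicant_id"] = pseudonym(entry["applicant_id"], key)
    out["anonymised"] = True
    return out


def apply_retention(records, now, key):
    """Partition records into those to delete, the anonymised replacements, and those kept."""
    to_delete, anonymised, retained = [], [], []
    for rec in records:
        action = retention_action(rec, now)
        if action == "delete":
            to_delete.append(rec["id"])
        elif action == "anonymise":
            anonymised.append(anonymise_audit_entry(rec, key))
        else:
            retained.append(rec["id"])
    return to_delete, anonymised, retained


# Constructed sample records (assumed shapes, not Tsamma data).
SAMPLE_RECORDS = [
    {"id": "p1", "kind": "inactive_profile", "reference_date": utc(2023, 1, 15), "applicant_id": "a1"},
    {"id": "p2", "kind": "inactive_profile", "reference_date": utc(2024, 1, 15), "applicant_id": "a2"},
    {"id": "p3", "kind": "active_profile", "reference_date": utc(2020, 1, 1), "applicant_id": "a3"},
    {"id": "pl1", "kind": "placement_record", "reference_date": utc(2019, 3, 1), "applicant_id": "a1"},
    {"id": "pl2", "kind": "placement_record", "reference_date": utc(2019, 3, 1), "applicant_id": "a4",
     "legal_hold": True},
    {"id": "log1", "kind": "audit_log", "reference_date": utc(2021, 5, 1), "applicant_id": "a1",
     "phone": "+27 82 000 0000", "action": "profile_shared", "actor": "recruiter-7"},
]

if __name__ == "__main__":
    print(apply_retention(SAMPLE_RECORDS, utc(2025, 6, 1), b"constructed-demo-key"))
```

In production the pseudonymisation key is held separately from the audit store (a KMS-backed secret with its own access log), and the planned destruction of that key is itself a recorded event, because until then the "anonymised" entries are pseudonymous rather than anonymous and still count as Personal Information.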
14. Cross-Border Transfers
Tsamma may transfer Personal Information outside South Africa only where one of the following applies (per section 72 of POPIA):
- The recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection;
- The Data Subject has consented to the transfer;
- The transfer is necessary for the performance of a contract with the Data Subject;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject;
- The transfer is for the benefit of the Data Subject, and consent is impracticable.
15. Training
The Company will conduct regular training sessions, available to all employees, covering data privacy law and the Company's own Personal Information Processing activities, policies and procedures. The Information Officer maintains records of training completion.
All employees will complete POPIA training:
- At induction (within 30 days of starting);
- Annually thereafter;
- Whenever there are material changes to the law or this Policy.
The training will cover:
- The eight conditions for lawful processing;
- Data Subject rights;
- Recognising and reporting Data Breaches;
- Handling Special Personal Information;
- Security and confidentiality obligations.
16. Non-Compliance
Compliance with this Policy and any related procedures and policies is mandatory.
Any transgression of this Policy, or of any related procedures and policies, will be investigated and may result in:
- Disciplinary action, up to and including dismissal;
- Termination of contracts (for contractors and Operators);
- Civil or criminal liability under POPIA;
- Personal liability for the Information Officer in cases of wilful misconduct.
17. Monitoring and Audit
This Policy is reviewed by the Information Officer at least annually, or more frequently if required by law or business changes, to ensure it is achieving its stated objectives. Findings are reported to senior management and corrective actions are tracked to closure.
18. Complaints
Should you have a complaint regarding your Personal Information you may direct your correspondence to Tsamma's Information Officer:
- Tsamma Solutions (Pty) Limited
- Attention: Anro Redelinghuys, Information Officer
- Email: compliance@tsamma.io
If you are not satisfied with the internal resolution of your complaint regarding your Personal Information, you have the right to lodge a complaint with the Information Regulator: Email: POPIAComplaints@inforegulator.org.za
19. Related Documents
- PAIA Manual;
- Privacy Policy;
- Terms and Conditions of Application and Employment;
- Data Processing Agreement (Employer Clients);
- Information Security Policy;
- Data Breach Response Procedure;
- Data Subject Request Procedure;
- Records Retention Schedule.
20. Contact Us
If you have any questions about this Policy, or wish to exercise your rights, please contact us. Our Information Officer is Anro Redelinghuys.