Privacy Policy
In compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) - Section 18
1. Identity of the Responsible Party
This privacy policy applies to the processing of personal information through the VerityLaw platform. Because VerityLaw is a multi-tenant compliance management platform, each organisation using it is the responsible party in respect of the personal information it collects and processes through the platform.
Contact your organisation's designated Information Officer or Deputy Information Officer for enquiries regarding the processing of your personal information.
2. Categories of Personal Information Collected
The platform may collect and process the following categories of personal information:
- Identity Information: Full name, ID/passport number, date of birth
- Contact Information: Email address, phone number, physical address
- Employment Information: Job title, department, employee number, role
- Authentication Data: Hashed passwords, login history, IP addresses
- Training Records: Completion status, quiz scores, certification dates
- Compliance Data: Data maps, consent records, PAIA requests, data breach reports
- Activity Logs: System activity, module access, user actions (for audit purposes)
3. Purposes of Processing
Personal information is processed for the following purposes:
- User authentication and access control
- POPIA compliance management and monitoring
- Data protection training and awareness
- Processing and responding to data subject requests (POPIA Sections 23-25)
- Data breach notification and management (POPIA Section 22)
- PAIA request processing and management (PAIA Section 51)
- Consent management and lifecycle tracking (POPIA Section 11)
- Personal information impact assessments (POPIA Regulations, Regulation 4(1)(b))
- Audit trail and regulatory compliance
- Communication regarding compliance matters
4. Legal Basis for Processing
Processing is conducted on the following legal bases as per POPIA Section 11:
- Consent: Where you have given consent for specific processing activities
- Contract: Processing necessary for the performance of a contract (employment, service agreements)
- Legal Obligation: Processing required to comply with POPIA, PAIA, and other legal obligations
- Legitimate Interest: Processing necessary for the legitimate interests of the responsible party (security, audit)
5. Voluntary or Mandatory Collection
Certain information is mandatory for system access and compliance management (e.g., name, email, role). Optional information is clearly marked in forms. Failure to provide mandatory information may result in inability to access certain platform features.
6. Consequences of Not Providing Information
If you do not provide the required personal information, the consequences may include: inability to create a user account, inability to complete compliance training, inability to submit or track data subject requests, and inability to access compliance management features.
7. Third-Party Recipients
Personal information may be shared with:
- Email Service Providers: For sending notifications, password resets, and compliance communications
- Information Regulator: As required by law for data breach notifications and PAIA compliance
- Third-Party Operators: As documented in the operator register, bound by data processing agreements
All third-party operators are required to comply with POPIA Sections 20-21 and are bound by written agreements that ensure confidentiality and permit processing only with the knowledge or authorisation of the responsible party.
8. Cross-Border Transfers
Where personal information is transferred to parties outside the Republic of South Africa, such transfers are conducted in accordance with POPIA Section 72. A transfer takes place only where the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection, where the data subject has consented to the transfer, or where the transfer is necessary for the performance of a contract.
9. Data Retention
Personal information is retained only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable legislation. Retention periods are documented in the data mapping register and monitored for compliance. Upon expiry of the retention period, personal information is securely disposed of through deletion or anonymisation.
10. Security Measures
The platform implements the following security measures to protect personal information:
- Password hashing (no plaintext storage)
- HTTPS encryption for data in transit
- Security headers (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy)
- Anti-forgery token validation on all form submissions
- Role-based access control with permission enforcement
- Multi-tenant data isolation (CompanyId scoping)
- Activity logging and audit trails
- Password reset tokens (no plaintext passwords in emails)
11. Your Rights as a Data Subject
Under POPIA, you have the following rights:
- Right of Access (S23): Request confirmation of what personal information is held and access to it
- Right to Correction (S24): Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully
- Right to Deletion (S24): Request destruction or deletion of a record of personal information that the responsible party is no longer authorised to retain (see the retention rules in S14)
- Right to Object (S11(3)): Object to the processing of your personal information on reasonable grounds
- Right regarding Automated Decision-Making (S71): Challenge decisions made solely by automated processing
- Right to Withdraw Consent (S11(2)(b)): Withdraw previously given consent at any time; withdrawal does not affect processing carried out lawfully before the consent was withdrawn
To exercise any of these rights, please submit a request through the Data Subject Request Portal or contact your organisation's Information Officer.
12. Right to Complain
If you believe your personal information has been processed in contravention of POPIA, you have the right to lodge a complaint with the Information Regulator:
- Phone: 012 406 4818
- Email: inforeg@justice.gov.za
- Website: https://inforegulator.org.za
13. Changes to This Policy
This privacy policy may be updated from time to time to reflect changes in our processing activities or legal requirements. The latest version is always available on this page.
Last updated: February 2026