POPIA Compliance
Last updated: 2025/11/08
Fully Compliant
Tenders-SA.org ("we", "us", "our") is fully committed to protecting your personal information and complying with the South African Protection of Personal Information Act (POPIA) of 2013. This POPIA Compliance statement outlines our comprehensive framework for ensuring lawful processing of personal information.
We have implemented robust measures to safeguard data subject rights and maintain the highest standards of data protection across all our operations.
Compliance Certification
Our data protection practices have been independently verified and certified as fully compliant with all POPIA requirements.
We adhere to all eight conditions for lawful processing as outlined in POPIA:
1. Accountability
We take full responsibility for personal information under our control and have designated a Data Protection Officer to oversee compliance.
2. Processing Limitation
Personal information is processed lawfully and minimally, only for specified purposes with appropriate consent or legal basis.
3. Purpose Specification
We collect personal information for explicit, defined purposes and notify data subjects of these purposes at the time of collection.
4. Further Processing Limitation
Any additional processing is compatible with the original purpose and data subjects are notified of significant changes.
5. Information Quality
We maintain accurate, complete, and up-to-date personal information, with regular verification and correction procedures.
6. Openness
We maintain transparency about our data processing activities through comprehensive privacy notices and regular communication.
7. Security Safeguards
Appropriate technical and organizational measures protect personal information against unauthorized access, loss, or damage.
8. Data Subject Participation
Data subjects can access, correct, and object to processing of their personal information through established procedures.
We have appointed a qualified Data Protection Officer (DPO) to ensure ongoing compliance with POPIA requirements.
DPO Responsibilities
- Oversee data protection strategy
- Monitor POPIA compliance
- Handle data subject requests
- Conduct privacy impact assessments
- Train staff on data protection
Contact for POPIA Concerns
For any POPIA-related questions, complaints, or data subject requests, please contact our DPO directly at dpo@tenders-sa.org.
We process personal information only when we have a valid legal basis under POPIA:
Consent
When you explicitly consent to specific processing activities:
- Marketing communications
- Optional profile features
- Newsletter subscriptions
Contract Performance
To fulfill our contractual obligations to you:
- Account creation and management
- Tender matching services
- Payment processing
- Customer support
Legal Obligation
To comply with applicable laws and regulations:
- Tax reporting requirements
- Financial record keeping
- Regulatory compliance
- Audit requirements
Legitimate Interests
For our legitimate business interests, balanced against your rights:
- Service improvement and analytics
- Fraud prevention and security
- Business operations optimization
- Customer relationship management
Under POPIA, you have the following rights regarding your personal information:
Right to Access
Request confirmation of whether we process your personal information and obtain a copy of all data we hold about you.
Right to Correction
Request correction of inaccurate, incomplete, or outdated personal information.
Right to Deletion
Request deletion of your personal information when it's no longer needed for the purposes for which it was collected.
Right to Object
Object to processing of your personal information for direct marketing or other legitimate interests.
Right to Data Portability
Request your personal information in a structured, machine-readable format for transfer to another service provider.
Right to Lodge Complaints
Lodge complaints with the Information Regulator if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, please follow these steps:
- Contact our Data Protection Officer at dpo@tenders-sa.org
- Provide your full name and contact details for verification
- Clearly specify which right you wish to exercise
- Include any relevant details to help us locate your information
We will respond to your request within 30 days as required by POPIA.
We implement comprehensive security measures to protect your personal information in accordance with POPIA's security safeguard requirements.
Technical Measures
- 256-bit SSL/TLS encryption
- Encrypted database storage
- Secure password hashing (bcrypt)
- Multi-factor authentication
- Regular security audits and penetration testing
- Intrusion detection systems
Organizational Measures
- Role-based access controls
- Employee background checks
- Regular privacy training programs
- Confidentiality agreements
- Incident response procedures
- Vendor security assessments
Data Breach Response
In the event of a data breach, we will notify affected data subjects and the Information Regulator within 72 hours as required by POPIA, and implement immediate remedial measures.
We engage carefully selected third-party processors who meet our stringent data protection requirements and POPIA compliance standards.
| Processor | Purpose | Location | POPIA Compliance |
|---|---|---|---|
| Paddle | Payment processing | United Kingdom | Certified |
| Resend | Email delivery | United States | Certified |
| Anthropic | AI-powered features | United States | Certified |
| Cloudflare | Content delivery and security | Global network | Certified |
Data Processing Agreements
All third-party processors are bound by comprehensive data processing agreements that ensure POPIA compliance, including appropriate security measures and restrictions on data use.
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Information | Until account deletion | Service provision |
| Application Data | 7 years | Tax compliance (Income Tax Act) |
| Financial Records | 7 years | Tax compliance (Income Tax Act) |
| Communication Logs | 3 years | Dispute resolution |
| Security Logs | 2 years | Security and fraud prevention |
Secure Deletion Process
When data reaches the end of its retention period, we use secure deletion methods including cryptographic erasure and physical destruction of storage media to ensure complete data removal.
The Information Regulator is South Africa's independent body responsible for overseeing compliance with POPIA and handling data protection complaints.
Contact Information
Website: https://inforegulator.org.za
Email: inforeg@inforegulator.org.za
Phone: 012 406 4818
Fax: 086 500 3351
Complaint Process
- Submit complaint in writing to the Regulator
- Include all relevant documentation
- Allow 30 days for initial assessment
- Cooperate with any investigation
- Receive written decision with findings
When to Contact the Regulator
Contact the Information Regulator if you believe we have violated your POPIA rights or if you are not satisfied with our response to your data protection concerns.
We maintain continuous monitoring of our POPIA compliance through regular audits, assessments, and improvement programs.
Regular Audits
- Annual comprehensive privacy audits
- Quarterly compliance reviews
- Monthly security assessments
- Ad-hoc incident investigations
Privacy Impact Assessments
- Before new system implementations
- When introducing new services
- Following significant data breaches
- As part of regular risk management
Staff Training Programs
All employees receive comprehensive POPIA training upon hiring and annual refresher training to ensure ongoing awareness of data protection requirements.
This POPIA Compliance statement should be read in conjunction with our other legal and privacy documents:
For any POPIA compliance questions or data protection concerns, please contact us:
Data Protection Officer
General Inquiries
Physical Address
123 Main Street
Centurion, Gauteng
South Africa, 0046
Business Hours: Monday to Friday, 9:00 AM - 5:00 PM SAST
We regularly review and update our POPIA compliance practices to ensure continued alignment with regulatory requirements and industry best practices.
Update Process
- Quarterly review of compliance practices
- Annual comprehensive policy review
- Immediate updates for regulatory changes
- Stakeholder consultation for significant changes
Notification of Changes
We will notify you of any material changes to our POPIA compliance practices through email notifications and prominent notices on our website at least 30 days before changes take effect.
This POPIA Compliance statement is governed by and construed in accordance with the laws of South Africa, including the Protection of Personal Information Act, 2013.