POPIA COMPLIANCE

Last Updated: January 2026

This POPIA Compliance Statement outlines how VuzoPay (Pty) Ltd ("VuzoPay", "we", "us", or "our") complies with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA") in the processing of personal information. VuzoPay is committed to protecting the privacy and personal information of all data subjects in accordance with the eight conditions for lawful processing set out in POPIA.

1. Accountability

VuzoPay has appointed an Information Officer responsible for ensuring compliance with POPIA and overseeing all aspects of personal information processing.

Information Officer: VuzoPay (Pty) Ltd

Contact: info@vuzopay.com

Phone: +27 (0) 11 123 4567

Our Information Officer is responsible for monitoring compliance, handling data subject requests, liaising with the Information Regulator, and maintaining comprehensive records of processing activities.

2. Processing Limitation

2.1 Lawfulness of Processing

We process personal information only when we have a lawful basis:

  • Consent: Explicit, informed consent obtained from data subjects
  • Contract: Processing necessary for contract performance (employment services)
  • Legal Obligation: Compliance with BCEA, Income Tax Act, UIF Act, and other legislation
  • Legitimate Interest: Fraud prevention, security, and service improvement

2.2 Minimality

We collect and process only the minimum personal information necessary to fulfill the specified purpose. We do not collect excessive or irrelevant information.

2.3 Consent

Where we rely on consent, we ensure:

  • Consent is voluntary, specific, and informed
  • Data subjects understand what they are consenting to
  • Consent can be withdrawn at any time
  • Records of consent are maintained

3. Purpose Specification

Personal information is collected for specific, explicitly defined, and lawful purposes:

  • Payroll Processing: Calculate salaries, deductions, and generate payslips
  • Statutory Compliance: SARS submissions, UIF declarations, SDL reporting
  • Leave Management: Track and manage employee leave entitlements
  • Contract Management: Generate and store employment agreements
  • Background Screening: Verify identity, criminal records, and credit history
  • Service Delivery: Provide customer support and platform functionality

We do not process personal information for purposes incompatible with the original purpose without obtaining additional consent.

4. Further Processing Limitation

Personal information is not processed for secondary purposes that are incompatible with the original purpose, unless we obtain consent or are legally required to do so. Before using information for a new purpose, we assess compatibility and obtain necessary authorizations.

5. Information Quality

5.1 Accuracy and Completeness

We take reasonable steps to ensure personal information is:

  • Complete, accurate, and not misleading
  • Updated where necessary
  • Verified at regular intervals

5.2 Data Subject Responsibility

Data subjects are responsible for ensuring the accuracy of information they provide and must notify us of any changes. We provide mechanisms for data subjects to update their information.

6. Openness

VuzoPay maintains transparency about personal information processing:

  • Our Privacy Policy is publicly available and clearly written
  • Data subjects are informed about collection, purpose, and recipients
  • Information Officer contact details are readily accessible
  • Processing activities are documented and available upon request
  • Data subjects can request information about their personal data

7. Security Safeguards

7.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based permissions, multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring and incident response
  • Backups: Regular encrypted backups with disaster recovery

7.2 Organizational Safeguards

  • Policies and Procedures: Comprehensive data protection policies
  • Employee Training: Regular POPIA and security awareness training
  • Confidentiality Agreements: All employees sign confidentiality agreements
  • Vendor Management: Third-party processors bound by data protection agreements
  • Incident Response: Documented breach notification procedures

7.3 Security Breach Notification

In the event of a security breach compromising personal information, we will notify the Information Regulator and affected data subjects as soon as reasonably possible, in accordance with Section 22 of POPIA.

8. Data Subject Participation

8.1 Rights of Data Subjects

Data subjects have the following rights under POPIA:

  • Right to Notification: Be notified when personal information is collected
  • Right to Access: Request confirmation and access to personal information
  • Right to Correction: Request correction of inaccurate information
  • Right to Deletion: Request deletion where no legal basis exists
  • Right to Object: Object to processing for direct marketing or other purposes
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right to Data Portability: Receive personal information in a portable format
  • Right to Complain: Lodge complaints with the Information Regulator

8.2 Exercising Rights

To exercise any rights:

  • Contact our Information Officer at info@vuzopay.com
  • Provide sufficient information to verify your identity
  • Specify the right you wish to exercise
  • We will respond within 30 days

We may charge a reasonable fee for access requests in accordance with POPIA regulations.

9. Transborder Information Flows

Personal information is primarily stored and processed within South Africa. Where transborder transfers are necessary:

  • We ensure the recipient country has adequate data protection laws, or
  • We implement appropriate safeguards (standard contractual clauses), or
  • We obtain explicit consent from data subjects

Current transborder flows include the WhatsApp Business API (Meta Platforms), used for employee communications, with appropriate safeguards in place.

10. Retention and Disposal

Personal information is retained only for as long as necessary:

  • Payroll Records: 5 years (BCEA requirement)
  • Tax Records: 5 years (Income Tax Act requirement)
  • Employment Contracts: 3 years after termination
  • Background Checks: 1 year from date of check

After retention periods expire, personal information is securely destroyed or anonymized using industry-standard methods including secure deletion, degaussing, and physical destruction of storage media.

11. Complaints and Enforcement

11.1 Internal Complaints

Data subjects may lodge complaints with our Information Officer at info@vuzopay.com. We will investigate and respond to complaints within 30 days.

11.2 Information Regulator

Data subjects may lodge complaints with the Information Regulator of South Africa:

Website: www.justice.gov.za/inforeg/

Email: inforeg@justice.gov.za

Phone: +27 (0) 12 406 4818

12. Updates to This Statement

This POPIA Compliance Statement may be updated to reflect changes in our practices or legal requirements. Material changes will be communicated via email or prominent notice on our platform. The "Last Updated" date at the top of this document indicates when changes were last made.

Commitment to Compliance

VuzoPay is committed to ongoing compliance with POPIA and continuously reviews and updates its practices to ensure the highest standards of personal information protection.