Data Processing Policy
This Data Processing Policy explains how CapeLedger Audit Group (Registration Number: 2010/012345/07) ("we", "us", "our") processes personal information in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and other applicable South African laws. This policy applies to all personal information processed by us, regardless of the medium on which that information is stored.
1. Definitions
For the purposes of this Data Processing Policy:
- "Data Subject" means the person to whom the personal information relates;
- "Information Officer" means the person responsible for ensuring our compliance with POPIA;
- "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, as defined in POPIA;
- "Processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, restriction, degradation, erasure or destruction of information.
2. Processing Principles
We are committed to processing personal information lawfully, fairly, and in a transparent manner. To this end, we will adhere to the following principles:
2.1 Accountability
We will ensure that all processing of personal information is carried out in accordance with POPIA, and that appropriate security measures are in place to prevent unlawful access or processing of personal information.
2.2 Processing Limitation
We will process personal information only for specific, explicitly defined and legitimate purposes, and will not process personal information in a manner that is incompatible with those purposes.
2.3 Purpose Specification
We will collect personal information for a specific, explicitly defined and lawful purpose related to a function or activity of our business. We will retain personal information only for as long as necessary to achieve the purpose for which it was collected and processed.
2.4 Further Processing Limitation
Further processing of personal information will be compatible with the purpose for which it was initially collected.
2.5 Information Quality
We will take reasonably practicable steps to ensure that the personal information we process is complete, accurate, not misleading, and updated where necessary.
2.6 Openness
We will maintain documentation of all processing operations under our responsibility as required by POPIA.
2.7 Security Safeguards
We will secure the integrity and confidentiality of personal information in our possession or under our control by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to, or unauthorized destruction of personal information, and unlawful access to or processing of personal information.
2.8 Data Subject Participation
We will ensure that data subjects have the right to access their personal information and the right to request the correction, destruction, or deletion of their personal information.
3. Lawful Processing
We will only process personal information if one of the following conditions applies:
- The data subject, or a competent person where the data subject is a child, consents to the processing;
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
- Processing complies with an obligation imposed on us by law;
- Processing protects a legitimate interest of the data subject;
- Processing is necessary for the proper performance of a public law duty by a public body;
- Processing is necessary for pursuing our legitimate interests or the legitimate interests of a third party to whom the information is supplied.
4. Special Personal Information
We will only process special personal information (information concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behavior) in the following circumstances:
- The data subject has consented to such processing;
- Processing is required by law;
- Processing is for historical, statistical, or research purposes, subject to certain safeguards;
- The information has been deliberately made public by the data subject;
- Specific exemptions apply as set out in POPIA.
5. Data Subject Rights
Data subjects have the following rights regarding their personal information that we process:
- The right to be notified that personal information is being collected or that their personal information has been accessed or acquired by an unauthorized person;
- The right to establish whether we hold their personal information and to request access to such personal information;
- The right to request correction, destruction, or deletion of their personal information;
- The right to object, on reasonable grounds, to the processing of their personal information;
- The right to object to the processing of personal information for direct marketing purposes;
- The right not to be subject to a decision based solely on automated processing;
- The right to submit a complaint to the Information Regulator;
- The right to institute civil proceedings regarding the alleged interference with the protection of their personal information.
6. Security Measures
We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorized or unlawful processing of, or accidental loss of, destruction of, or damage to, personal information. These measures include:
- Pseudonymization and encryption of personal information where appropriate;
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- Measures to restore the availability and access to personal information in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- Regular staff training on data protection and security;
- Physical security measures to protect personal information.
7. Data Breach Notification
In the event of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information, we will:
- Notify the Information Regulator as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of our information system;
- Notify the data subject in writing as soon as reasonably possible after the discovery of the compromise, with the notification communicated to the data subject in one of the following ways: (a) mailed to the data subject's last known physical or postal address; (b) sent by e-mail to the data subject's last known e-mail address; (c) placed in a prominent position on our website; (d) published in the news media; or (e) as directed by the Information Regulator.
8. Data Processing Agreements
When we engage third parties to process personal information on our behalf, we will ensure that such processing is governed by a written contract that includes safeguards for the protection of personal information consistent with our obligations under POPIA.
9. Cross-Border Transfers
We will not transfer personal information to a third party in a foreign country unless one of the following conditions applies:
- The recipient is subject to a law, binding corporate rules, or binding agreement which provides an adequate level of protection similar to POPIA;
- The data subject consents to the transfer;
- The transfer is necessary for the performance of a contract between the data subject and us;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
- The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain their consent, and if it were, they would be likely to give it.
10. Information Officer
We have appointed an Information Officer who is responsible for ensuring our compliance with POPIA. The duties of the Information Officer include:
- Encouraging compliance with the conditions for the lawful processing of personal information;
- Dealing with requests made to us pursuant to POPIA;
- Working with the Information Regulator in relation to investigations conducted regarding the processing of personal information by us;
- Ensuring compliance by us with the provisions of POPIA.
11. Changes to this Data Processing Policy
We may update this Data Processing Policy from time to time. We will notify you of any changes by posting the new Data Processing Policy on this page and updating the "Last Updated" date. You are advised to review this Data Processing Policy periodically for any changes. Changes to this Data Processing Policy are effective when they are posted on this page.
12. Contact Information
If you have any questions about this Data Processing Policy or our data practices, please contact our Information Officer at:
Information Officer
CapeLedger Audit Group
6 Long Street, Cape Town, 8001, South Africa
Email: privacy@brontaniquezone.sbs
Phone: +27 21 555 4479
Last Updated: October 10, 2025