1. What POPIA is
The Protection of Personal Information Act (POPIA) is South Africa's data-protection law, modelled in spirit on the EU's GDPR but written for South African realities. It came into full force on 1 July 2021 and is enforced by the Information Regulator.
POPIA governs how every organisation in South Africa collects, stores, uses, shares, and disposes of personal information — anything that identifies a living person (or a juristic person, for some purposes). For an educational technology company like eduSYMS, that's the entire core of what we do.
The mindset: POPIA isn't a bolt-on; it's how a well-run organisation should already operate. Most of what it requires — knowing what data you hold, holding only what you need, securing it, and respecting the people it belongs to — is good business hygiene.
2. Who POPIA covers
- Responsible parties determine why and how personal information is processed. Educational institutions are responsible parties for their learners, parents, and staff.
- Operators process personal information on behalf of a responsible party. eduSYMS is the operator when we run learner records, attendance, and finance for an institutional customer.
- Data subjects are the people whose information is being processed: learners, parents, staff, partners, lead form submitters, academy enrolees.
The same data flow can have different roles attached to it. When a parent fills in a brochure form on edusyms.com, eduSYMS is the responsible party for that lead. When a school captures a learner's attendance in our platform, the school is the responsible party and eduSYMS is the operator.
3. The eight conditions for lawful processing
POPIA establishes eight conditions every act of processing must meet. They are non-negotiable and apply continuously.
| Condition | What it requires, and how eduSYMS meets it |
|---|---|
| Accountability | A named responsible party owns compliance. eduSYMS' Information Officer is accountable for our compliance posture. |
| Processing limitation | Processing must be lawful and minimal, and must rest on a lawful basis (consent, contract, legal obligation, legitimate interest, vital interest, public interest). |
| Purpose specification | Collect only for a specific, explicitly defined purpose. We document the purpose for every data flow. |
| Further-processing limitation | Further use must be compatible with the original purpose. Re-purposing requires a fresh basis (often consent). |
| Information quality | Keep records complete, accurate, and current. The platform exposes data-quality dashboards so customers can spot drift. |
| Openness | Publish what you collect and why. This page, our Privacy Policy, and our PAIA Manual cover this for eduSYMS. |
| Security safeguards | Reasonable technical and organisational measures: encryption in transit and at rest, role-based access, audit logs, backups, incident response. |
| Data subject participation | Meaningful access to one's own data, the right to correct, and the right to deletion (subject to legal limits). |
4. Data subject rights
Under POPIA, every data subject has the following rights, exercisable directly with the responsible party:
- Right to be informed — to know that data is being collected, by whom, and why.
- Right of access — to request and receive the personal information held about you.
- Right to correction — to ask that inaccurate data be corrected.
- Right to deletion — to ask that data which is no longer needed (or is unlawfully held) be deleted, subject to legal retention obligations.
- Right to object — to object to processing on certain grounds (e.g. direct marketing) at any time.
- Right not to be subject to solely automated decision-making — where it has legal effects on you.
- Right to complain to the Information Regulator — if you believe your rights have been infringed.
To exercise any of these rights, email [email protected] with the subject "POPIA Request". We will acknowledge within 48 hours and respond substantively within 30 calendar days.
5. How eduSYMS implements POPIA
The eight conditions are concrete operational disciplines, not paperwork. Here is what we do:
- Lawful basis at source. Every data flow has a documented lawful basis — usually contract or legal obligation for operational data, consent for marketing.
- Per-purpose consent. Where consent is the basis, we capture it discretely (separate ticks for separate purposes, no bundled consent) and store it dated, with a revocation path.
- Data minimisation. Forms ask for what's needed for the stated purpose. Optional fields are clearly marked.
- Role-based access. Customers' platform access is scoped per role (principal, deputy, bursar, registrar, HOD, educator). eduSYMS staff access customer data only on a documented need-to-know basis.
- Access logs. Every access to personal information leaves an audit trail. Logs are retained per our retention schedule and are queryable on legitimate request.
- Encryption. TLS 1.3 in transit; AES-256 at rest.
- Backups & resilience. Encrypted backups with documented retention; tested restore procedures.
- SA data residency by default. Customer data is hosted in South Africa unless a customer explicitly opts to use a different region.
- Vendor management. Sub-processors are listed, evidenced, and contracted under section 21 operator agreements.
- Retention schedules. Each data class has a documented retention period tied to lifecycle (not arbitrary years), with end-of-life action evidenced.
- Incident response. 72-hour notification runbook; logged incidents; post-incident reviews documented.
- Subject access workflows. Single export per learner / parent on request, with cross-references to all data classes held.
6. Information Officer
POPIA mandates that every responsible party register an Information Officer with the Regulator. The default IO is the head of the responsible party — at eduSYMS, that's our Director.
| Information Officer | Lovemore Chanengeta, Director |
|---|---|
| Email | [email protected] (subject: Information Officer) |
| Telephone / WhatsApp | +27 76 263 6000 |
| Postal address | Information Officer, eduSYMS, Pegasus Building 1, Amarand Avenue, Menlyn Maine, Pretoria, South Africa |
| Regulator registration | Registered with the Information Regulator |
7. Breach response — the 72-hour clock
Section 22 of POPIA requires that, in case of a breach of security safeguards leading to unauthorised access or acquisition of personal information, eduSYMS notify the Regulator and affected data subjects as soon as reasonably possible after discovery. The practical bar is 72 hours.
- Contain — revoke access, change credentials, isolate affected systems.
- Assess — what was exposed, how many subjects, what sensitivity.
- Notify the Regulator — using the prescribed form, including who, what, when, what we did, what's next.
- Notify affected data subjects — with practical guidance on what they should do (change passwords, watch for fraud, etc.).
- Post-incident review — root cause, remediation, prevention update — documented.
Customers in operator relationships with us are notified immediately on discovery so the institutional responsible party can meet its own obligations.
8. Cross-border transfers
Section 72 of POPIA restricts transferring personal information out of South Africa unless the receiving jurisdiction provides equivalent protection, the data subject consents, or the transfer is necessary for contract performance.
Customer data is resident in South Africa by default. Where a sub-processor (e.g. WhatsApp Business, Google Analytics) processes limited operational data outside South Africa, the relationship is governed by contractual safeguards (standard contractual clauses or equivalent), and we disclose the sub-processors used in our Privacy Policy.
9. Operator agreement
When eduSYMS processes personal information on behalf of an institutional customer, section 21 of POPIA requires a written agreement. Our standard Master Services Agreement includes the operator clauses prescribed by POPIA — purpose, security, breach notification, sub-processor controls, termination, and return-or-deletion at end of contract.
Customers who want a copy of the operator schedule for their records can request it from [email protected].
10. How to contact us about POPIA
- General queries: [email protected] (subject: POPIA query)
- Data subject requests: [email protected] (subject: POPIA Request)
- Incident notification: [email protected] (subject: Security incident) and WhatsApp +27 76 263 6000
- Information Regulator: https://inforegulator.org.za
This page complements our Privacy Policy, Cookie Policy, and PAIA Manual. Where there is any conflict between this page and a specific contract with a customer, the contract prevails.