LEGAL — POPIA COMPLIANCE

POPIA compliance.

Our commitments under the Protection of Personal Information Act, 4 of 2013.

LAST UPDATED: JULY 2026

Our commitment

Zolabix(Pty) Ltd processes personal information lawfully under POPIA and in line with our obligations as a SANAS-accredited certification body under ISO/IEC 17021-1 — which independently requires us to keep all client information confidential. Below is how we meet each of POPIA's eight conditions for lawful processing. The full detail lives in our Privacy Policy.

The eight conditions, in plain language

  • 1. Accountability: A registered Information Officer oversees our compliance framework, maintains our Personal Information Impact Assessment and PAIA Manual, and is your point of contact for anything in this policy.
  • 2. Processing limitation: We collect personal information directly from you (or from your company where the certification scheme requires it), only for certification and related services, and only on a lawful basis — consent, contract, legal obligation or legitimate interest.
  • 3. Purpose specification & retention: Every category of information we hold has a recorded purpose and a documented retention period. Certification records are kept for the current certification cycle plus one full cycle, as required of accredited certification bodies; everything else is deleted or de-identified when its purpose is fulfilled.
  • 4. Further processing limitation: Information collected for certification is not reused for unrelated purposes. Marketing communications are sent only to people who have explicitly opted in.
  • 5. Information quality: You (and your company's administrators) can correct your details in the client portal at any time, and every change is recorded in a tamper-evident audit trail.
  • 6. Openness: Our Privacy Policy, this page and our PAIA Manual describe what we hold and why. If your details were given to us by your employer as part of a certification application, this framework applies to that information too.
  • 7. Security safeguards: Role-based access control at three layers, encrypted transport, private document storage behind per-object permission checks, EU data residency with daily off-site backup, and full access and change logging. Written agreements bind every service provider that processes information on our behalf.
  • 8. Data subject participation: You can request access to, correction of, or deletion of your personal information at any time — see “Your rights” below.

Where your data lives

Your personal information is hosted on secure servers in the European Union, operated under the GDPR and written data-processing agreements — a transfer basis recognised by section 72(1)(a) of POPIA. We never sell personal information.

Your rights

You may request access to, correction of, or deletion of your personal information, object to processing, and complain to the Information Regulator (inforegulator.org.za). Email our registered Information Officer at alan@zolabix.co.za — we verify identity before disclosing anything and aim to respond within 30 days. Records we must keep for accreditation or legal reasons are explained rather than deleted, and access to records is also available under the PAIA Manual.