POPIA Compliance
Our commitment to the Protection of Personal Information Act
Last updated: April 2025
1. Our Commitment to POPIA
Vernice Merchants (Pty) Ltd, trading as VM Digital, is committed to complying with the Protection of Personal Information Act, 2013 (Act 4 of 2013) ("POPIA") in all aspects of our business operations.
As a business process outsourcing (BPO) and contact centre company, we occupy a dual role in the data protection landscape:
- Responsible party: We are a responsible party in respect of personal information we collect and process for our own business purposes — including website enquiries, marketing activities, recruitment, and internal operations.
- Operator: We act as an operator (processor) when we process personal information on behalf of our clients in the course of delivering BPO and contact centre services. In this capacity, we process data strictly under the instructions of the relevant client.
This compliance statement outlines the measures we have implemented to meet our obligations under POPIA in both capacities. It is intended to complement our Privacy Policy and to provide transparency to clients, partners, data subjects, and regulatory bodies about our data protection practices.
2. How We Comply
Our compliance framework is built around the eight conditions for lawful processing set out in POPIA:
Accountability
We have designated an Information Officer who is responsible for ensuring compliance with POPIA across the organisation. Our leadership team is accountable for fostering a culture of data protection and ensuring that adequate resources are allocated to compliance.
Processing Limitation
We collect personal information only where there is a lawful basis to do so — typically consent, contractual necessity, legitimate interest, or legal obligation. We do not process personal information beyond what is necessary for the identified purpose.
Purpose Specification
We collect personal information for specific, explicitly defined, and legitimate purposes. Data subjects are informed of these purposes at or before the time of collection, and we do not retain information longer than necessary to fulfil those purposes.
Further Processing Limitation
We do not process personal information for purposes that are incompatible with the original purpose of collection, unless we have obtained the data subject's consent or the further processing is permitted by law.
Information Quality
We take reasonable steps to ensure that personal information in our possession is complete, accurate, not misleading, and up to date, having regard to the purpose for which it is processed.
Openness
We maintain transparency about our data processing activities. Our Privacy Policy is publicly available and sets out the types of information we collect, the purposes of processing, and the rights available to data subjects.
Security Safeguards
We have implemented appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing. These measures are detailed in Section 5 below.
Data Subject Participation
We facilitate the exercise of data subject rights, including the right to access, correct, and delete personal information. Our processes for handling such requests are set out in Section 6 below.
3. As a Responsible Party
In our capacity as a responsible party, we ensure that our own data processing activities comply with POPIA principles:
- Marketing and business development: We collect contact information from prospective clients who express interest in our services. We only send marketing communications with appropriate consent and provide clear opt-out mechanisms.
- Recruitment: Job applicant personal information is collected with consent, used solely for the recruitment process, and retained only for a reasonable period. Applicants are informed of how their data will be used.
- Website enquiry handling: Personal information submitted through our contact forms is processed to respond to the enquiry and, where appropriate, to follow up on potential service opportunities. Data is retained for up to 24 months.
- Internal operations: Employee and contractor personal information is processed in accordance with POPIA and applicable labour legislation.
4. As an Operator (BPO Processing)
When processing personal information on behalf of our clients, we adhere to strict controls that ensure compliance with POPIA's requirements for operators:
- Documented instructions: We process client data only in accordance with the written instructions of the client, as set out in the applicable service agreement or data processing addendum.
- Confidentiality: Non-disclosure agreements (NDAs) are in place for every client engagement. All personnel involved in client data processing are bound by confidentiality obligations.
- Access restriction: Access to client data is restricted to authorised personnel who require it to perform their duties. Role-based access controls are enforced across our systems.
- No unauthorised retention: Client data is not retained beyond the period required by the service agreement. Upon termination of the engagement, data is returned to the client or securely destroyed as directed.
- No secondary use: We do not use client data for our own business purposes, marketing, or analytics. Client data is processed exclusively for the purposes defined by the client.
- Sub-processing: We do not engage sub-processors to handle client data without the client's prior written consent. Where sub-processors are engaged, they are subject to equivalent data protection obligations.
5. Security Measures
We maintain a comprehensive set of security controls to protect personal information:
Physical controls
- Controlled access to office premises and work areas
- Secure storage for physical documents containing personal information
- Clean desk policy in operational environments
Technical controls
- Encryption of data in transit (TLS/SSL) and at rest where appropriate
- Firewalls, intrusion detection, and anti-malware protection
- Role-based access controls and multi-factor authentication for critical systems
- Regular security assessments and vulnerability scanning
- Secure backup and disaster recovery procedures
Organisational controls
- Mandatory data protection training for all staff during onboarding and on an ongoing basis
- Non-disclosure agreements with all employees, contractors, and third-party service providers
- Documented incident response procedures for data breaches, including notification to the Information Regulator and affected data subjects where required
- Regular internal reviews of data handling practices and compliance posture
6. Data Subject Rights
Individuals whose personal information we process have the following rights under POPIA:
- Right to access: Request confirmation of whether we hold your personal information and obtain a copy
- Right to correction: Request correction of inaccurate or incomplete personal information
- Right to deletion: Request deletion of personal information where it is no longer necessary or where consent has been withdrawn
- Right to object: Object to the processing of your personal information on legitimate grounds, including for direct marketing
How to submit a request
To exercise any of these rights, please submit a written request to our Information Officer at info@vernicemerchants.com. We may require verification of your identity before processing the request. We will respond within a reasonable time, and in any event within the timeframes prescribed by POPIA.
If your personal information is processed by us on behalf of one of our clients (i.e., in our capacity as an operator), we will refer your request to the relevant client, who is the responsible party for that data.
7. Information Officer
Contact Our Information Officer
Our designated Information Officer can be contacted for any queries related to POPIA compliance, data protection, or to submit a data subject request:
- Email: info@vernicemerchants.com
- Phone: +27 83 875 5929
- Address: Johannesburg, South Africa
Complaints regarding the handling of personal information may also be directed to the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: complaints.IR@justice.gov.za
8. Continuous Improvement
We recognise that data protection compliance is an ongoing process. We are committed to continuously improving our data handling practices through:
- Regular reviews of our data protection policies, procedures, and technical controls
- Ongoing staff training and awareness programmes to reinforce a culture of data protection
- Periodic assessments of our compliance posture against POPIA requirements and industry best practices
- Engagement with clients to ensure alignment on data protection expectations and contractual obligations
- Monitoring regulatory developments and guidance from the Information Regulator to adapt our practices accordingly
This compliance statement is reviewed periodically and updated as needed to reflect changes in our practices, regulatory requirements, or business operations.