Data Protection & Privacy

Overview

As an outsourced contact centre operator, Vernice Merchants regularly processes personal information on behalf of our clients. We take this responsibility seriously. Our data protection practices are designed to safeguard the personal information we handle, maintain client confidentiality, and comply with applicable data protection legislation — including South Africa's Protection of Personal Information Act (POPIA).

This page outlines how we approach data protection across our operations. It is not a substitute for specific data processing agreements, which are negotiated individually with each client.

POPIA Compliance

POPIA governs how personal information is collected, processed, stored, and shared in South Africa. As an operator that processes personal information on behalf of clients, we align our practices with the requirements of the Act.

In practice, this means:

• Lawful basis for processing — We process personal information only where there is a legitimate basis to do so, typically under the instruction and authority of the client (the responsible party under POPIA).
• Purpose limitation — Personal information is used only for the specific purposes defined by the client engagement. We do not repurpose client data for unrelated activities.
• Data minimisation — Our agents access only the data fields necessary for the task at hand. We do not request or store personal information beyond what the engagement requires.
• Processing integrity — We take reasonable steps to ensure the accuracy and completeness of the personal information we process, in line with client-provided data and scripts.

For clients operating outside South Africa, we work with their legal and compliance teams to align our practices with applicable local regulations.

Data Access Controls

Access to client systems and personal information is managed through a combination of organisational and technical controls:

• Role-based access — Agents, team leaders, QA analysts, and managers each have access levels appropriate to their function. Access is granted on a need-to-know basis.
• Agent authentication — All users authenticate individually before accessing client systems. Shared login credentials are not permitted.
• Clean-desk policy — Agents are not permitted to have personal devices, notepads, or recording equipment at their workstations when handling client data.
• Restricted system access — Workstations used for client operations have restricted internet access and disabled USB ports to prevent unauthorised data transfer.
• Access revocation — When an agent leaves a campaign or exits the company, system access is revoked promptly as part of our offboarding process.

Non-Disclosure Agreements

Every Vernice Merchants employee signs a non-disclosure agreement (NDA) as a condition of employment. This applies to all roles — agents, team leaders, QA staff, management, and support functions.

NDAs cover the confidentiality of client information, customer data, business processes, and proprietary systems. Breach of NDA is treated as a serious disciplinary matter.

Where clients require additional or bespoke confidentiality agreements, we accommodate these as part of the onboarding and contracting process.

Data Retention & Disposal

We retain personal information and operational records only for as long as necessary to fulfil the purpose for which they were collected, or as required by law or contractual obligation.

• Client-defined retention — Retention periods are typically set by the client based on their regulatory and business requirements. We follow client instructions on how long to retain records.
• Secure disposal — When data is no longer required, it is securely deleted or destroyed. Digital records are purged from systems, and any physical records are disposed of through secure shredding.
• End-of-contract handling — At the conclusion of a client engagement, we return or destroy client data in accordance with the terms of the service agreement.

Incident Response

In the event of a data incident — whether a suspected breach, unauthorised access, or accidental exposure — we follow a structured response process:

• Identification — Incidents may be flagged by agents, team leaders, QA monitoring, or system alerts. All staff are trained to recognise and report potential data incidents.
• Containment — Immediate steps are taken to contain the incident and prevent further exposure. This may include suspending access, isolating systems, or pausing operations on the affected campaign.
• Investigation — The incident is investigated to determine scope, root cause, and impact. Findings are documented.
• Notification — Affected clients are notified promptly. Where required by law or regulation, notification to the Information Regulator or affected data subjects is managed in coordination with the client.
• Remediation — Corrective actions are implemented to prevent recurrence. These may include process changes, additional training, or system modifications.

Client Responsibilities

Data protection is a shared responsibility. While we maintain robust internal controls, we also rely on our clients to fulfil their obligations as the responsible party (under POPIA) or data controller (under other frameworks):

• Lawful collection — Clients are responsible for ensuring that the personal information provided to us has been collected lawfully and with appropriate consent or legal basis.
• Accurate data provision — The quality and accuracy of the data we process depends on what is provided to us. Clients should ensure data is current and relevant to the engagement.
• Clear instructions — Clients should provide clear processing instructions, including permitted uses, retention requirements, and any sector-specific compliance obligations.
• Timely updates — Where regulations, consent conditions, or data requirements change, clients should notify us promptly so we can adjust our processes accordingly.

← Back to Trust & Compliance