Data Protection Policy

Effective Date: 1 August 2025
Last Updated: 1 August 2025

1. Introduction

Legacy Vault SA is committed to protecting personal information in accordance with the Protection of Personal Information Act (POPIA) and other applicable South African data protection laws. This policy outlines our approach to data protection and information security.

2. Legal Framework

Our data protection practices comply with:

  • Protection of Personal Information Act (POPIA): Primary data protection legislation
  • Financial Intelligence Centre Act (FICA): Financial sector compliance requirements
  • Promotion of Access to Information Act (PAIA): Information access rights
  • Electronic Communications and Transactions Act (ECTA): Electronic transaction security
  • Consumer Protection Act (CPA): Consumer information rights

3. Data Protection Principles

We adhere to the following POPIA principles:

3.1 Accountability

We take responsibility for compliance with data protection conditions and can demonstrate such compliance.

3.2 Processing Limitation

Personal information is processed lawfully, fairly, and transparently for specific, explicitly defined purposes.

3.3 Purpose Specification

We collect information for specific, explicitly defined, and legitimate purposes.

3.4 Further Processing Limitation

Information is not processed beyond the original purpose unless legally required or with consent.

3.5 Information Quality

We ensure personal information is complete, accurate, and up-to-date.

3.6 Openness

We maintain clear documentation about information processing and make it available to data subjects.

3.7 Security Safeguards

Appropriate technical and organizational measures protect against unauthorized access, loss, or damage.

3.8 Data Subject Participation

Individuals have rights regarding their personal information, which we respect and facilitate.

4. Technical Security Measures

4.1 Data Encryption

  • All data transmitted is encrypted using TLS 1.3 or higher
  • Data at rest is encrypted using AES-256 encryption
  • Database encryption for sensitive financial information
  • Encrypted backups with secure key management

4.2 Access Controls

  • Multi-factor authentication for all user accounts
  • Role-based access control (RBAC) systems
  • Regular access reviews and deprovisioning
  • Privileged access management for administrative functions

4.3 Infrastructure Security

  • Secure cloud hosting with ISO 27001 certified providers
  • Regular security patching and updates
  • Network segmentation and firewall protection
  • Intrusion detection and monitoring systems

5. Organizational Security Measures

5.1 Staff Training

  • Regular POPIA and data protection training
  • Cybersecurity awareness programs
  • Incident response training
  • Professional ethics and confidentiality training

5.2 Policies and Procedures

  • Data handling and processing procedures
  • Incident response and breach notification protocols
  • Data retention and disposal policies
  • Third-party vendor security requirements

6. Data Breach Response

In the event of a data breach, we will:

  1. Immediate Response (0-24 hours): Contain the breach and assess the scope
  2. Investigation (24-72 hours): Determine cause, impact, and affected individuals
  3. Notification (72 hours): Report to Information Regulator if required
  4. Communication (without delay): Notify affected individuals if there is a high risk to their rights
  5. Remediation: Implement measures to prevent recurrence
  6. Documentation: Maintain records of incident and response

7. Cross-Border Data Transfers

When transferring personal information outside South Africa, we ensure:

  • The recipient country provides an adequate level of protection
  • Appropriate safeguards are in place (contracts, certifications)
  • Data subject consent is obtained where required
  • The transfer complies with POPIA cross-border transfer conditions

8. Data Subject Rights

Under POPIA, you have the right to:

  • Access: Request copies of your personal information
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request erasure of personal information (subject to legal obligations)
  • Objection: Object to processing in certain circumstances
  • Restriction: Request limitation of processing
  • Portability: Receive information in a structured, commonly used format
  • Complaint: Lodge complaints with the Information Regulator

9. Information Officer

Our designated Information Officer is responsible for:

  • Monitoring compliance with POPIA and this policy
  • Handling data subject requests and complaints
  • Liaising with the Information Regulator
  • Conducting privacy impact assessments
  • Training staff on data protection requirements

Information Officer Contact:

DB Legal Services

Email: [email protected]

Phone: 066 233 9960

10. Regular Reviews and Updates

This Data Protection Policy is reviewed annually or when significant changes occur to:

  • Data protection legislation
  • Our business operations or technology systems
  • Industry best practices and standards
  • Regulatory guidance or enforcement actions