About POPIA
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's data protection legislation. It regulates how organizations collect, store, process, and share personal information.
POPIA came into full effect on 1 July 2021, and skillSYMS is committed to full compliance with all its requirements.
Our Commitment
skillSYMS is committed to:
- Processing personal information lawfully, fairly, and transparently
- Collecting information for specified, explicit, and legitimate purposes
- Ensuring information is adequate, relevant, and limited to what is necessary
- Keeping information accurate and up to date
- Retaining information only as long as necessary
- Processing information securely and confidentially
- Being accountable for compliance
Responsible Party
In terms of POPIA, the Responsible Party is the organization that determines the purpose and means of processing personal information.
For the skillSYMS platform:
- skillSYMS (Pty) Ltd is the Responsible Party for platform operations, user account data, and service delivery
- Your Organization (training provider/employer) is typically the Responsible Party for learner personal information they capture and process using skillSYMS
- skillSYMS acts as an Operator (processor) when processing learner data on behalf of training providers and employers
Lawful Basis for Processing
We process personal information based on the following lawful grounds:
| Processing Activity | Lawful Basis |
|---|---|
| Learner registration and enrolment | Contract performance, Legal obligation |
| Assessment and moderation records | Contract performance, Legal obligation (QCTO requirements) |
| QCTO/SETA data submissions | Legal obligation |
| User account management | Contract performance |
| WhatsApp notifications | Consent, Legitimate interest |
| Marketing communications | Consent |
| Audit logging | Legal obligation, Legitimate interest |
Data Subject Rights
Under POPIA, data subjects (individuals whose information we process) have the following rights:
Right to be Notified (Section 18)
You have the right to be informed when your personal information is collected, including the purpose and who will receive it.
Right of Access (Section 23)
You may request confirmation of what personal information we hold about you and obtain a copy of that information.
Right to Correction (Section 24)
You may request correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained information.
Right to Object (Section 11(3))
You may object to processing based on legitimate interests, and we must stop unless we have compelling grounds.
Right Not to be Subject to Automated Decisions (Section 71)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
Right to Submit Complaints (Section 74)
You may submit a complaint to the Information Regulator if you believe your rights have been infringed.
Special Categories of Information
POPIA defines special personal information as information relating to religion, race, ethnic origin, trade union membership, political opinions, health, sex life, biometric information, and criminal history.
skillSYMS processes limited special personal information:
- Biometric Information: SA ID numbers contain embedded biometric references. We encrypt and mask ID numbers and only use them for learner identification and QCTO reporting as required by law.
- Disability Status: Where provided for reasonable accommodation or grant purposes, processed with consent and handled with enhanced security.
Cross-Border Transfers
skillSYMS uses Cloudflare for infrastructure, which may involve data processing outside South Africa. We ensure adequate protection through:
- Cloudflare's compliance with international data protection standards
- Data processing agreements with appropriate safeguards
- Technical measures including encryption
- Primary data storage in regions with adequate data protection laws
Data Breach Notification
In the event of a security compromise that poses a risk to data subjects, we will:
- Notify the Information Regulator as soon as reasonably possible
- Notify affected data subjects if required by POPIA
- Take immediate steps to address the breach and prevent recurrence
- Document the incident and our response
We maintain incident response procedures and conduct regular security assessments to minimize breach risks.
Information Officer
skillSYMS has appointed an Information Officer responsible for POPIA compliance:
Information Officer
skillSYMS (Pty) Ltd
1 Amarand Avenue, Waterkloof Glen
Pretoria 0081, South Africa
privacy@skillsyms.com
+27 12 881 7331
The Information Officer is responsible for:
- Encouraging compliance with POPIA
- Handling access and correction requests
- Working with the Information Regulator
- Ensuring the company is registered with the Information Regulator
Complaints
If you believe your POPIA rights have been violated, you may:
- Contact our Information Officer at privacy@skillsyms.com. We aim to resolve complaints within 30 days.
-
Lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
SALU Building, 316 Thabo Sehume Street
Pretoria 0001
complaints.IR@justice.gov.za
www.justice.gov.za/inforeg