THE PROTECTION OF PERSONAL INFORMATION ACT (POPIA) CLIENT/USER PRIVACY PROTOCOLS POLICY
1. Preamble
The purpose of this policy is to inform clients, users, stakeholders, and any data subjects who engage with SG Governance (“the Company”) about why personal information (“PI”) is collected and processed, what categories of PI are in focus, and how such PI is lawfully processed, stored, and safeguarded.
The Company is committed to full compliance with the Protection of Personal Information Act, 2013 (POPIA) and the principles of lawful processing as set out therein. Appropriate technical, organisational, and operational measures have been implemented to ensure that data subject privacy is protected.
2. Scope of Application
This policy applies to:
- All natural and juristic persons whose PI is collected and processed by the Company in the course of providing governance, compliance, and secretarial services.
- Requesters of records held by the Company under PAIA.
It extends to clients, client representatives, directors, shareholders, suppliers, service providers, employees, and stakeholders, as well as users of the Company’s website and digital platforms.
PI as defined in POPIA applies equally to information of natural persons and juristic persons.
3. About SG Governance
SG Governance is a dedicated governance, compliance, and company secretarial service provider and an affiliate of SGA Law Africa.
The Company provides specialist support to organisations across South Africa in areas such as:
- Corporate governance advisory
- Regulatory compliance and monitoring
- Company secretarial services and statutory filings
- Director and shareholder support
- Risk and governance framework implementation
Through these services, SG Governance aims to assist clients in meeting legal, regulatory, and ethical obligations while operating efficiently and sustainably.
4. Definition of Personal Information (PI)
For purposes of this policy, “personal information” has the meaning assigned in POPIA and includes, but is not limited to:
- Information relating to an identifiable natural person, including race, gender, age, marital status, national or social origin, and identity numbers.
- Contact information such as email addresses, telephone numbers, and physical addresses.
- Information relating to the education, professional, financial, employment, or compliance history of a person.
- Information relating to juristic persons, including company registration details, tax numbers, and directors’ or shareholders’ details.
- Records of correspondence, opinions, preferences, or views of or about a data subject.
- Unique identifiers including account numbers, online identifiers, and location data.
5. Sources of PI
The Company obtains PI from multiple sources, including but not limited to:
- Directly from data subjects (forms, correspondence, consultations, or service engagements).
- Publicly available records (e.g., CIPC, Deeds Office, regulators, and statutory databases).
- Client organisations, their directors, shareholders, or authorised representatives.
- Third parties such as auditors, attorneys, or compliance officers.
- Website analytics and cookies.
6. Categories of PI Collected and Processed
The Company may collect and process some or all of the following categories of PI:
- Names, identity or registration numbers, and demographic details.
- Contact details (email, phone, address).
- Professional and corporate details (job titles, responsibilities, directorships, shareholding).
- Financial and transactional records relevant to service provision.
- Compliance and governance-related records (statutory registers, resolutions, filings).
- Electronic correspondence and supporting documentation.
- Technical data from website usage (IP address, device information, browsing activity).
7. Purpose of Collecting and Processing PI
SG Governance processes PI for the following purposes:
- Delivering governance, compliance, and company secretarial services.
- Preparing and lodging statutory filings with regulators (CIPC, SARS, etc.).
- Maintaining statutory registers and corporate records.
- Verifying the identity and authority of clients, directors, or shareholders.
- Communicating with clients, stakeholders, and regulators.
- Managing billing, invoicing, and financial transactions.
- Conducting due diligence, risk assessments, and compliance monitoring.
- Meeting contractual and legal obligations.
- Conducting market, service improvement, or client satisfaction research (subject to consent).
- Record-keeping, audits, and reporting.
- In connection with legal proceedings or regulatory inquiries.
8. Lawful Basis for Processing
The Company processes PI only in accordance with the conditions for lawful processing under POPIA, including:
- Consent of the data subject.
- Contractual necessity, where processing is required to perform obligations under an agreement.
- Legal obligation, where processing is required by law or regulation.
- Legitimate interests, including efficient service delivery and compliance support.
9. Period of Retention
PI is retained only as long as necessary for the purpose for which it was collected or as required by law, including obligations under the Companies Act, 2008, Financial Intelligence Centre Act, 2001, and labour or tax legislation.
Where retention is no longer necessary, PI will be securely deleted, destroyed, or anonymised.
10. Data Subject Rights
Under POPIA, data subjects have the right to:
- Request access to the PI held by the Company.
- Request correction, updating, or deletion of PI.
- Object to the processing of PI or withdraw consent.
- Request restriction of processing or transfer of PI.
- Lodge a complaint with the Information Regulator if they believe their rights are infringed.
Information Regulator Contact Details:
Website: https://www.justice.gov.za/inforeg
Email: inforeg@justice.gov.za
11. Disclosure of PI
PI may be disclosed to third parties where lawful and necessary, including:
- Regulators and statutory bodies (CIPC, SARS, FSCA, etc.).
- Auditors, attorneys, and professional advisers.
- IT and system providers hosting or maintaining secure systems.
- Affiliates within the SGA Law Africa group, where collaboration is required.
- Courts, tribunals, or authorities where disclosure is required by law.
Cross-border disclosure may occur where international service providers or regulators are involved. In such cases, SG Governance will ensure that appropriate safeguards are in place in accordance with POPIA.
12. Information Security
The Company has implemented reasonable, appropriate technical and organisational measures to secure PI against loss, unauthorised access, disclosure, alteration, or destruction. These measures include:
- Secure IT systems with firewalls, encryption, and controlled access.
- Physical security at offices and storage facilities.
- Staff training and confidentiality obligations.
- Policies for secure communication, contracting, and data handling.
- Ongoing monitoring, auditing, and incident response protocols.
All service providers (operators) that process PI on behalf of the Company are required to comply with POPIA and contractual confidentiality and security obligations.
13. Updates to This Policy
This Privacy Policy may be updated from time to time to reflect legal, operational, or technological changes. The most recent version will be available on the Company’s website and will include the effective date.
14. Contact Information
For any questions, requests, or complaints regarding this Privacy Policy or the processing of PI, please contact:
Our physical address:
416 Kirkness Street, Loftus Park
Building B, Second Floor, Flexi Suites
Arcadia, Pretoria, 0083
Our email address: info@sggovernance.co.za
Our contact number: (012) 110 4543