POPIA Compliance
How PeopleCore complies with South Africa's Protection of Personal Information Act
Our POPIA Commitment
PeopleCore HR (Pty) Ltd is committed to full compliance with the Protection of Personal Information Act 4 of 2013 (POPIA). As a platform that processes the personal information of South African employees, we take this responsibility seriously.
Our designated Information Officer can be contacted at legal@peoplecore.co.za.
What Personal Information We Process
- Employee names, ID numbers and contact details
- Employment history, job titles and reporting lines
- Salary, banking and tax information (PAYE, UIF)
- Leave records and attendance data
- Disciplinary and performance records
- Recruitment data (CVs, interview notes, offer letters)
Lawful Basis for Processing
- Contract performance: employment contracts and payroll obligations
- Legal obligation: SARS PAYE, UIF, SDL, BCEA compliance
- Legitimate interest: HR management and workforce planning
- Consent: where required, obtained explicitly from data subjects
Security Measures in Place
- AES-256 encryption for sensitive fields (ID numbers, banking details)
- bcrypt password hashing with salt rounds
- TLS 1.2+ encryption for all data in transit
- Role-based access control: employees only see their own data
- Complete audit log of all data access and changes
- JWT authentication with short-lived access tokens (15 minutes)
- Session management with ability to revoke active sessions
- IP-based geo-restriction for the administrative console
Your Rights as a Data Subject
- Right to access: request a copy of your personal information
- Right to correction: request inaccurate data be corrected
- Right to deletion: request deletion subject to legal retention requirements
- Right to object: object to processing of your personal information
- Right to complain: lodge a complaint with the Information Regulator
Data Retention
Employee records are retained for the duration of employment plus 5 years as required by South African law (SARS, UIF, BCEA). Payroll records are retained for 5 years per SARS requirements.
Recruitment data for unsuccessful candidates is deleted after 12 months unless consent is given to retain for future opportunities.
Data Breach Response
In the event of a personal information breach, we will notify the Information Regulator within 72 hours as required by POPIA, and notify affected data subjects without undue delay.
To report a suspected breach or security concern, contact us immediately at legal@peoplecore.co.za.
Information Regulator
If you believe your rights under POPIA have been violated, you may lodge a complaint with the Information Regulator of South Africa.
Website: inforegulator.org.za | Email: inforeg@justice.gov.za | Tel: 012 406 4818