Digiiworks Legal (“Digiiworks”) is committed to lawful, fair, and transparent processing of personal information in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”). This Statement sets out how we comply with the eight conditions for the lawful processing of personal information and how you may exercise your rights as a data subject.
1. Our role under POPIA
Where Digiiworks determines the purpose and means of processing personal information (for example, our own website visitors, marketing contacts, and Account holders), we act as the responsible party. Where we process personal information on behalf of a law firm using our platform, we act as an operator as defined in section 1 of POPIA and process such information only on the firm’s documented instructions and in terms of a written operator agreement as contemplated in sections 20 and 21 of POPIA.
2. Information Officer
In accordance with section 55 of POPIA, we have designated an Information Officer who is responsible for ensuring our compliance with POPIA. The Information Officer can be contacted at:
Digiiworks Legal Information Officer
Email: privacy@digiiworks.co
Website: law.digiiworks.co
Our Information Officer is registered with the Information Regulator of South Africa as required by the Regulations Relating to the Protection of Personal Information, 2018.
3. The eight conditions for lawful processing
3.1 Accountability (section 8)
Digiiworks ensures that the conditions set out in POPIA and all measures giving effect to those conditions are complied with at the time the purpose and means of processing are determined and during the processing itself.
3.2 Processing limitation (sections 9 – 12)
Personal information is processed lawfully and in a reasonable manner that does not infringe on the data subject’s privacy. We collect personal information only for a specific, explicitly defined and lawful purpose, and only the minimum information necessary to achieve that purpose.
3.3 Purpose specification (sections 13 – 14)
Personal information is collected for a specific, explicitly defined, and lawful purpose related to a function or activity of Digiiworks, and is retained only for as long as necessary to achieve that purpose or as required by law.
3.4 Further processing limitation (section 15)
We will not further process personal information in a manner incompatible with the purpose for which it was originally collected, unless such further processing is permitted by POPIA or the data subject has consented to it.
3.5 Information quality (section 16)
We take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary.
3.6 Openness (sections 17 – 18)
We maintain documentation of all processing operations and take reasonably practicable steps to notify data subjects of the information being collected, the purpose of collection, and their rights. This Statement and our Privacy Policy give effect to this condition.
3.7 Security safeguards (sections 19 – 22)
We secure the integrity and confidentiality of personal information in our possession or under our control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access. These measures include:
- encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- role-based access controls and least-privilege principles;
- passwordless magic-link authentication for all users, including administrative access — no password-based sign-in flow exists on the platform;
- a 30-minute inactivity timeout enforced server-side for all authenticated sessions, with the administrative console isolated on a separate hostname from the client portal;
- regular backups and disaster recovery testing;
- security logging, monitoring, and vulnerability management;
- written operator agreements with all sub-operators; and
- employee confidentiality undertakings and awareness training.
In the event of a security compromise, we will notify the Information Regulator and affected data subjects as soon as reasonably possible in accordance with section 22 of POPIA.
3.8 Data subject participation (sections 23 – 25)
You may request confirmation of whether we hold personal information about you, request access to that information, and request correction or deletion where appropriate. Requests must be made using Form 2 prescribed under the POPIA Regulations and sent to privacy@digiiworks.co. A reasonable fee may be charged in accordance with the Regulations.
4. Special personal information and children’s information
We do not process special personal information (as defined in section 26 of POPIA) or the personal information of children (section 34) unless a lawful justification applies and, where applicable, prior authorisation has been obtained from the Information Regulator.
5. Direct marketing
In accordance with section 69 of POPIA, we will only send direct marketing by electronic means to data subjects who have consented or who are existing customers in relation to similar products or services, and every communication will contain a clear opt-out mechanism.
6. Cross-border transfers
Where we transfer personal information outside the Republic of South Africa, we do so in compliance with section 72 of POPIA, ensuring that the recipient is subject to a law, binding corporate rules, or binding agreement that upholds principles for the reasonable processing of personal information substantially similar to those contained in POPIA.
7. Retention and destruction
Personal information is not retained for longer than necessary to achieve the purpose for which it was collected, except where retention is required or authorised by law (including the Legal Practice Act, the Financial Intelligence Centre Act, and tax legislation) or the data subject has consented to it. Upon expiry of the retention period, personal information is securely destroyed or de-identified in a manner that prevents reconstruction.
8. Data subject rights and complaints
As a data subject, you have the right to:
- be notified of the collection and processing of your information;
- access, correct, or request deletion of your personal information;
- object to processing, including for direct marketing purposes, on reasonable grounds;
- withdraw consent where processing is based on consent;
- lodge a complaint with the Information Regulator; and
- institute civil proceedings regarding an alleged interference with the protection of your personal information.
Complaints may be lodged with the Information Regulator of South Africa:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: POPIAComplaints@inforegulator.org.za
Website: https://inforegulator.org.za
9. PAIA manual
Our manual prepared in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) is available on request from privacy@digiiworks.co.
10. Updates to this Statement
We may update this Statement from time to time to reflect changes in law or our processing activities. The latest version will always be available at law.digiiworks.co/legal/popia.