POPIA COMPLIANCE

Your Data. Protected by Design.

At Handover BPO Services, compliance is not a checkbox — it is the foundation of every system we build. We process personal information responsibly, transparently, and in full accordance with the Protection of Personal Information Act (POPIA).

SECTION 01 — THE 8 CONDITIONS FOR LAWFUL PROCESSING

At Handover BPO Services, we adhere to all eight conditions that POPIA establishes for the lawful processing of personal information.

1 — Accountability We take full responsibility for ensuring all personal information processed on our platforms complies with POPIA at all times.

2 — Processing Limitation Personal information is only collected for defined, specific, and legitimate purposes — never processed in ways incompatible with those purposes.

3 — Purpose Specification We clearly communicate the reason for collecting personal information before or at the time of collection.

4 — Further Processing Limitation Personal information is not used beyond its original stated purpose without renewed consent or a valid legal basis.

5 — Information Quality We take reasonable steps to ensure personal information we process is accurate, complete, and up to date.

6 — Openness We maintain transparent records of all processing activities and inform data subjects of our practices through this policy.

7 — Security Safeguards Appropriate technical and organisational measures protect personal information against loss, damage, or unauthorised access.

8 — Data Subject Participation Individuals retain the right to access, correct, or request deletion of their personal information held by us.

SECTION 02 — HOW WE PROTECT YOUR DATA

Our systems-first model replaces manual, people-driven processes with automated digital systems. By reducing human touchpoints in data handling, we minimise the risk of accidental exposure, unauthorised sharing, or mishandling.

Infrastructure All client platforms are hosted on enterprise-grade cloud infrastructure with access controls and encryption. WhatsApp automation workflows are built within platforms that comply with applicable privacy laws and data processing agreements.

Data Minimisation We collect only the personal information strictly necessary for the service being provided. We do not request, store, or process personal information beyond what is required to deliver, maintain, or improve our agreed services.

Retention & Disposal Personal information is retained only for as long as necessary. Upon termination of a service agreement, client data is securely deleted or returned within a reasonable period as agreed in writing.

Third Parties Where we engage third-party tools in the delivery of our services, appropriate data processing agreements are in place. We verify that third-party processors implement data protection measures consistent with POPIA requirements.

Access Control Access to client systems is restricted on a need-to-know basis and reviewed regularly. Intranet and document management solutions are deployed within Microsoft 365 environments with built-in compliance tooling.

SECTION 03 — INFORMATION WE MAY PROCESS

In the course of providing our services, Handover BPO Services may process the following categories of personal information on behalf of clients:

Contact Details — Names, phone numbers, email addresses, WhatsApp numbers Organisational Info — Job titles, department names, branch locations Communication Records — Chat logs from automated chatbot interactions Service Usage Data — Intranet access logs, help desk ticket submissions Identity Verification — Employee ID numbers where required for intranet access control

We do not process special personal information — such as health records, biometric data, or political affiliations — unless explicitly agreed in writing with a lawful basis under POPIA.

SECTION 04 — YOUR RIGHTS AS A DATA SUBJECT

Under POPIA, you have the following rights regarding your personal information. Handover BPO Services respects and upholds these rights in all client engagements.

Right of Access Request a copy of any personal information we hold about you at any time. Submit a written request to our Information Officer.

Right to Correction Request that inaccurate or outdated information be corrected or updated. Contact us with the specific correction required.

Right to Deletion Request erasure of personal information that is no longer necessary. We action all deletion requests within 30 days.

Right to Object Object to the processing of your personal information in certain circumstances. Notify our Information Officer in writing.

Right to Complain Lodge a complaint directly with the Information Regulator of South Africa at inforegulator.org.za or call 010 023 5207.

Right to Withdraw Withdraw consent to the processing of your personal information at any time where consent is the lawful basis for processing.

SECTION 05 — INFORMATION OFFICER

In accordance with POPIA, Handover BPO Services has designated an Information Officer responsible for all data protection compliance, data subject requests, and regulatory communications.

Organisation — Handover BPO Services Role — Information Officer Email — hello@handoverbpo.com Jurisdiction — Republic of South Africa Regulator — Information Regulator of South Africa | inforegulator.org.za

SECTION 06 — SECURITY BREACH RESPONSE

In the event of a suspected or confirmed data breach, Handover BPO Services will:

Investigate the incident promptly and contain the breach where possible to limit exposure.
Notify the affected client within a reasonable timeframe, and no later than the period required under POPIA.
Assist in notifying the Information Regulator and affected data subjects where required by law.
Document the incident, its impact, and the remedial steps taken in our incident register.
Review and strengthen security measures to prevent recurrence.

This policy is reviewed at least annually, or whenever there is a material change to our services, technology, or the applicable legal framework. Clients are notified of any significant amendments.