COMPREHENSIVE PRIVACY POLICY PACK
Deputy: Charlotte Choshane (COO / Operations & Project Manager)
Security Lead: Karabo Mphahlele (IT Specialist)
Review Cycle: Annual or upon material change
Purpose of this Pack
This master pack sets out Eyetrosoft’s privacy and data‑protection framework for all clients and industries we serve (public sector/SOEs, financial services, education, media/advertising & DOOH, healthcare‑adjacent campaigns, retail/e‑commerce, IT & managed services, HR/recruitment, analytics & research). It is POPIA‑centred and maps to global frameworks (GDPR, CCPA/CPRA) to support cross‑border engagements. It is client‑agnostic and may be appended to contracts, SOWs, and tenders.
Disclaimer
This pack is policy guidance and operational templates, not legal advice. Where a client or jurisdiction requires stricter rules, those take precedence. Specific client instructions (as Responsible Party/Controller) will be implemented via contract and project runbooks.
DOCUMENT CONTROL
| Version | Date | Change Summary | Author | Approver |
|---|---|---|---|---|
| 4.1 | 15 Oct 2025 | Applicable to all industries | IO | COO |
1) SCOPE, APPLICABILITY & DEFINITIONS
Scope: Applies to Eyetrosoft personnel, contractors, and sub‑processors handling company or client data across all services: strategy, content, media buying, DOOH operations, IT support, software/website development, analytics, recruitment support, and corporate services.
Key Definitions (plain language):
- Personal Information (PI): any information that can identify a person (names, contact details, IDs, online identifiers, device IDs, geolocation, etc.).
- Special PI: the sensitive categories in POPIA s26 (e.g., health or sex life, biometrics, race/ethnic origin, religious or political beliefs, trade‑union membership, criminal behaviour). Children’s PI is restricted separately (POPIA ss 34–35) and is handled with the same safeguards in this pack.
- Responsible Party/Controller: decides “why” and “how” PI is processed (often our client).
- Operator/Processor: processes PI on the Controller’s instructions (Eyetrosoft, when acting for clients).
- POPIA/GDPR/CPRA: the data‑protection laws of South Africa, the EU (the UK GDPR is the UK equivalent) and California respectively.
- Sub‑processor: a third‑party vendor engaged by Eyetrosoft to process PI for client work.
2) PRIVACY PRINCIPLES (POPIA‑LED, GLOBALLY MAPPED)
We commit to: lawfulness, fairness/transparency, purpose limitation, data minimality, accuracy, security/confidentiality, storage limitation, and accountability. Where multiple laws apply, we adopt the stricter control as our baseline.
Mapping Snapshot:
| Principle | POPIA | GDPR | CPRA |
|---|---|---|---|
| Lawfulness & fairness | Condition 2 (processing limitation, ss 9–12) and Condition 6 (openness, ss 17–18) | Art. 5(1)(a) | Notice at collection; purpose compatibility |
| Purpose limitation | Condition 3 (s 13) and Condition 4 (further processing, s 15) | Art. 5(1)(b) | Notice/purpose limits |
| Data minimality | Condition 2 (s 10) | Art. 5(1)(c) | Data minimization |
| Accuracy | Condition 5 (information quality, s 16) | Art. 5(1)(d) | Reasonable accuracy |
| Storage limitation | Condition 3 (retention of records, s 14) | Art. 5(1)(e) | Retention disclosure |
| Security | Condition 7 | Art. 5(1)(f), 32 | Reasonable safeguards |
| Accountability | Condition 1 | Art. 5(2) | Accountability duties |
3) GOVERNANCE & ACCOUNTABILITY
- Information Officer (IO): overall compliance, liaison with regulators, approves policies, signs DPA/Operator undertakings.
- Deputy IO: operational compliance, DSR coordination, training.
- Security Lead: technical controls, incident response, access reviews.
- Project Leads: maintain ROPA entries, DPIAs where needed, ensure vendor compliance.
- All Staff: follow policies, complete training, report incidents immediately.
Oversight: Quarterly governance reviews (training uptake, incidents, DSR metrics, audit findings, vendor risk) and an annual management review with improvement actions.
4) LAWFUL BASES & SPECIAL CATEGORIES
Lawful bases we rely on (as Controller for our own operations or as Operator under client instruction):
- Contract: performance of a contract or pre‑contract steps.
- Legal Obligation: e.g., financial record‑keeping, employment law.
- Legitimate Interests: proportionate processing for security, service improvement, limited direct marketing to existing customers (opt‑out), fraud prevention.
- Consent: where required, e.g., new direct‑marketing lists, cookies, certain analytics, or public use of identifiable content.
- Public Interest: where a public function is delegated.
Special PI & Children: processed only with explicit legal basis (consent, law, vital interests) and additional safeguards (minimisation, strict access, DPIA, parental consent when applicable). No facial recognition or biometric identification without explicit client/legal approval and DPIA.
5) DATA SUBJECT RIGHTS (DSR)
Supported rights include access, correction, deletion, objection, restriction, portability (where applicable), and rights related to automated decisions.
Process:
- Intake via privacy inbox or client channels; log in DSR register within 1 business day.
- Verify identity: proportionate KBA/ID checks.
- Triage with client (if we are Operator).
- Respond as soon as reasonably possible and within the statutory window that applies (30 days under PAIA for POPIA access requests; one month under GDPR, extendable for complex requests; 45 days under CPRA), sharing outcome/rationale; maintain an evidentiary trail.
Exemptions: legal privilege, third‑party rights, regulatory hold. Minimal disclosure wherever an exemption is invoked.
6) RECORDS OF PROCESSING (ROPA)
We maintain a central ROPA covering our own operations and per‑client processing. Minimum fields: activity name, purpose, categories of PI, subjects, recipients, cross‑border transfers, retention, security measures, lawful basis, DPIA flag.
Template: see Appendix A.
7) DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
A DPIA is required when processing is likely to result in high risk (e.g., large‑scale profiling/targeting, geolocation tracking, children’s data, special PI, DOOH sensors/cameras, new technologies). Output: risks, mitigations, residual risk, sign‑offs.
Template & triggers: Appendix B.
8) SECURITY MEASURES (PEOPLE • PROCESS • TECH)
People: vetted staff; mandatory training; NDAs; least privilege; 24‑hour access revocation SLA.
Process: joiner‑mover‑leaver; approvals workflow; content QA; vendor due diligence; retention & disposal.
Tech: MFA, encryption, EDR/AV, secure configuration, patching, audit logging, email security, password manager, network segmentation for DOOH players, secure dev practices (code reviews, secrets management).
Evidence: access registers, training logs, vulnerability/patch reports, incident records.
9) CROSS‑BORDER TRANSFERS
We minimise exports and use contractual safeguards (e.g., Standard Contractual Clauses/IDTA), adequacy mechanisms, or consent, in line with POPIA s72 and foreign laws. Data residency preferences: store work product in Microsoft 365 regional data centres where available; avoid bulk DM exports; use pseudonymised datasets for analytics.
10) RETENTION & DISPOSAL
Default retention (unless client/ law requires otherwise):
- Client working content & approvals: 12 months after publication/end of campaign.
- Reports, contracts, billing: 5 years minimum (finance/audit).
- Access logs: 2 years.
- Recruitment records: 12 months post‑process unless consent for talent pool (24 months).
- Incident logs: 5 years.
Disposal: provider deletion plus purge; crypto‑erase for devices; destruction certificates for physical media. Deletion is suspended under legal hold.
11) VENDOR & SUB‑PROCESSOR MANAGEMENT
Maintain a vendor inventory with data flows. Before onboarding: security due diligence, DPA/NDA, minimal scopes/permissions, regional storage preference, incident notification clauses. Reviews: annually or on incident. Examples: Microsoft 365, Adobe CC, Meta/LinkedIn/Twitter, scheduling tools (Hootsuite/Buffer), analytics/BI, hosting/CDN, DOOH CMS/player providers.
12) INCIDENT RESPONSE & BREACH NOTIFICATION
SLA: Detect & contain (0–4h) → Assess (≤24h) → Notify client & regulator/data subjects as soon as reasonably possible (coordinated with client; where GDPR applies the supervisory authority must be notified within 72 hours of becoming aware, so as Operator/Processor we notify the Controller without undue delay to keep its clock achievable) → Remediate (≤72h) → Post‑incident review (≤5 days).
Runbooks: credential compromise, device loss, unauthorised platform access, malicious content injection, DOOH player intrusion, web/app breach.
Registers: incident log with actions, owners, timestamps.
13) DIRECT MARKETING, CONSENT & COOKIES/PIXELS
Electronic Direct Marketing (EDM):
- Opt‑in required for new prospects (POPIA s69). Existing customers may be marketed about similar services with opt‑out in each message.
- Maintain consent/opt‑out evidence (time, method, scope).
- Respect Do Not Contact lists across channels (email, SMS, WhatsApp).
Cookies & Pixels:
- Use a Consent Management Platform (CMP) for websites/apps where feasible.
- Categorise: strictly necessary, functional, performance/analytics, advertising.
- Delay non‑essential tags until consent. Provide a cookie notice and settings panel.
- Document vendors (e.g., Meta Pixel, LinkedIn Insight Tag, Google Analytics/Ads) and data flows.
Social Advertising: audience targeting must avoid discrimination; apply frequency caps; perform DPIA for sensitive segments.
14) SOCIAL MEDIA & COMMUNITY MANAGEMENT
- Use platform‑native tools or approved schedulers via OAuth; MFA on all accounts.
- Business‑hours moderation SLAs; escalation matrix for high‑risk content (legal, safety, regulatory).
- No collection of unnecessary PI in DMs; never ask for IDs/financial data unless explicitly required and approved.
- Keep an audit trail of posts, approvals, edits, and takedowns.
15) DOOH / CCTV / SENSORS (OUT‑OF‑HOME)
- Prefer anonymous/aggregated audience measurement; avoid raw face images/identifiers.
- If cameras/sensors are deployed: clear signage, purpose limitation, minimisation (e.g., edge‑processing, no storage), DPIA, vendor controls, retention ≤ 72 hours unless incident.
- No facial recognition or biometric identification without explicit lawful basis and prior approvals.
16) WEBSITE, APP & PLATFORM PRIVACY NOTICES (TEMPLATES)
Provide layered privacy notices: short‑form at point of collection + full privacy policy on site/app. Disclose identity/contact, purposes, lawful bases, recipients, transfers, retention, rights, complaints paths, and policy changes. Templates: Appendix C (Website/App Privacy Policy) & Appendix D (Short‑Form Notices).
17) HR / RECRUITMENT PRIVACY
Employee/Contractor Data: payroll, performance, device monitoring (limited, proportionate), access logs. Provide internal privacy notice and acceptable‑use policy.
Recruitment: collect candidate data only for the vacancy; consent for talent pool; verify references lawfully; delete on request unless lawful basis to retain.
18) CHILDREN & VULNERABLE PERSONS
Where campaigns may involve minors/learners: require parental/guardian consent, age‑appropriate content, heightened review, and minimal data collection. For vulnerable communities, apply additional ethical review and safeguards.
19) ANALYTICS, PROFILING & RESEARCH
- Use pseudonymisation/anonymisation where feasible.
- Avoid decisions producing legal or similarly significant effects without human review.
- Provide opt‑outs for cross‑site advertising where supported; honour platform opt‑outs.
20) TRAINING & AWARENESS
Mandatory onboarding training plus annual refreshers. Quarterly micro‑modules for project teams (POPIA basics, phishing, DSR handling, social/DOOH risks). Track completions for 5 years.
21) COMPLAINTS & REGULATORS
Data subjects may lodge complaints with Eyetrosoft’s privacy contact and/or the relevant data‑protection authority (e.g., Information Regulator — South Africa; EU/UK authorities; California AG/CPPA). We provide guidance and links in client‑facing notices.
22) AUDIT, METRICS & CONTINUAL IMPROVEMENT
KPIs: incident rate/time‑to‑close, DSR SLA, training completion, access‑review closure, vendor assessment status. Annual internal audit; corrective actions tracked to closure.
23) PAIA ALIGNMENT (HIGH LEVEL)
We maintain/assist with a PAIA Manual (separate document) describing how to request access to records, categories of records held, and contact details. Cross‑references are maintained between PAIA and this privacy pack.
24) ROLES & CONTACTS
Information Officer: info@eyetrosoft.com
Privacy Inbox (DSR/Incidents): privacy@eyetrosoft.com
Security Operations: security@eyetrosoft.com
APPENDICES
Appendix A — ROPA (Record of Processing Activities) Template
| Field | Description |
|---|---|
| Activity Name | e.g., Social media community management |
| Controller/Operator Role | Controller (Eyetrosoft) or Operator (for Client) |
| Purpose | Why processing occurs |
| Data Subjects | Customers, employees, social followers, website visitors |
| Categories of PI | Names, handles, emails, device IDs, geolocation, etc. |
| Special PI | Health, biometrics, minors (Y/N; basis) |
| Recipients | Platforms, vendors, agencies |
| Cross‑Border | Countries/regions, safeguards (SCC/IDTA/adequacy/consent) |
| Retention | Period/rationale |
| Security Measures | MFA, encryption, RBAC, logging |
| Lawful Basis | Contract, consent, legitimate interests, legal obligation |
| DPIA Required | Y/N + reference |
Appendix B — DPIA Template & Triggers
Triggers: special PI, children, large‑scale profiling, geolocation, DOOH sensors, new tech, data matching, automated decisions, cross‑border + sensitive data.
Sections:
- Overview & scope
- Stakeholders & roles
- Data flows & systems
- Lawful bases & necessity/proportionality
- Risks (confidentiality, integrity, availability, rights & freedoms)
- Mitigations & residual risk
- Sign‑off (IO, Security Lead, Client)
Appendix C — Website/App Privacy Policy (Client‑Agnostic Template)
1. Who we are — Eyetrosoft CC contact details.
2. What we collect — contact data, usage data, device info, cookies/pixels.
3. Why we collect — provide services, respond to queries, analytics, marketing with consent.
4. Legal bases — contract, consent, legitimate interests, legal obligations.
5. Sharing — service providers under contract; legal compliance; business transfers.
6. International transfers — safeguards described.
7. Retention — as per Section 10.
8. Security — measures summarised.
9. Your rights — access/correct/delete/object/restrict/portability where applicable.
10. Cookies — link to cookie policy; CMP controls.
11. Children — services not directed at children unless declared otherwise.
12. Contact & complaints — privacy inbox; regulator references.
13. Changes — how we’ll notify users.
Appendix D — Short‑Form Privacy Notices
- Lead forms: brief qualifier + link to full policy, consent box for marketing.
- Event/filming: signage wording; consent for identifiable recording when required.
- Recruitment: purpose, retention, background checks, equal opportunities statement.
- DOOH sensing: signage stating analytics only; no facial recognition; retention; contact.
Appendix E — Data Processing Agreement (DPA) — Operator (Processor) Template (Summary Clauses)
- Subject matter, duration, nature & purpose.
- Types of PI & data subjects.
- Processor obligations (confidentiality, security, sub‑processing, assistance with DSRs, DPIA support).
- Breach notification duties.
- International transfers & safeguards.
- Audits & certifications.
- Return/Deletion on termination; certification.
- Liability & indemnities (per contract).
Full DPA text available on request.
Appendix F — Cookie Policy & CMP Settings (Template)
Categories: strictly necessary; functional; performance; advertising.
Default: essential on; others off until consent.
Retention examples: analytics 13 months; advertising 6–12 months; CMP consent logs 24 months.
Granular controls: per‑vendor toggles; geo‑based consent where required.
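Section 13 (“delay non‑essential tags until consent”) and this appendix (“essential on; others off until consent”, per‑vendor toggles, consent evidence) describe the same mechanism. The following is an added example of a minimal consent gate implementing those rules; it is not part of the policy pack and not the code of any CMP product. It is DOM‑free so it can be read and run on its own: the `load` callback stands in for injecting the script or pixel, and the tag inventory, vendor names and log shape are hypothetical.

```javascript
// Added example (not the policy pack's own code, not a CMP product): a consent gate
// that defers non-essential tags until the matching category is allowed.
// Category names follow Appendix F; tags, vendors and the log shape are hypothetical.
const CATEGORIES = ["strictly_necessary", "functional", "performance", "advertising"];

// Appendix F default: essential on, everything else off until the user opts in.
function defaultConsent() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = cat === "strictly_necessary";
  return c;
}

class ConsentGate {
  constructor(load, now = () => new Date().toISOString()) {
    this.load = load;            // function(tag) that actually injects the script/pixel
    this.now = now;              // injectable clock so consent evidence is testable
    this.consent = defaultConsent();
    this.vendorOverrides = {};   // per-vendor toggles (Appendix F "granular controls")
    this.pending = [];           // tags parked until their category is allowed
    this.loaded = new Set();
    this.log = [];               // consent evidence: time, method, scope (Section 13)
  }

  // A tag may fire only if its category is allowed and no vendor toggle blocks it.
  // Strictly necessary tags never wait for consent.
  allowed(tag) {
    if (tag.category === "strictly_necessary") return true;
    if (tag.vendor in this.vendorOverrides) return this.vendorOverrides[tag.vendor];
    return this.consent[tag.category] === true;
  }

  // Register a tag: fire now if allowed, otherwise park it. A tag never fires twice.
  register(tag) {
    if (this.loaded.has(tag.id)) return false;
    if (!this.allowed(tag)) {
      this.pending.push(tag);
      return false;
    }
    this.load(tag);
    this.loaded.add(tag.id);
    return true;
  }

  // Record a consent decision with its evidence, then flush any tags it unlocks.
  // "strictly_necessary" cannot be switched off and unknown categories are ignored.
  update({ categories = {}, vendors = {}, method }) {
    for (const [cat, v] of Object.entries(categories)) {
      if (cat !== "strictly_necessary" && CATEGORIES.includes(cat)) this.consent[cat] = !!v;
    }
    Object.assign(this.vendorOverrides, vendors);
    this.log.push({
      at: this.now(),
      method,
      scope: { ...this.consent },
      vendors: { ...this.vendorOverrides },
    });
    const still = [];
    for (const tag of this.pending) {
      if (this.allowed(tag)) {
        this.load(tag);
        this.loaded.add(tag.id);
      } else {
        still.push(tag);
      }
    }
    this.pending = still;
  }
}

// Constructed tag inventory, mirroring the vendor documentation Section 13 asks for.
const TAGS = [
  { id: "cmp-state", vendor: "cmp", category: "strictly_necessary" },
  { id: "ga4", vendor: "google", category: "performance" },
  { id: "meta-pixel", vendor: "meta", category: "advertising" },
  { id: "li-insight", vendor: "linkedin", category: "advertising" },
];

// Walk through a page load with no consent, then a banner accept that turns on
// performance and advertising but toggles the Meta vendor off.
function consentDemo() {
  const fired = [];
  const gate = new ConsentGate((t) => fired.push(t.id), () => "2025-10-15T09:00:00Z");
  TAGS.forEach((t) => gate.register(t));
  const beforeConsent = [...fired]; // only the strictly necessary tag
  gate.update({
    categories: { performance: true, advertising: true },
    vendors: { meta: false },
    method: "banner_accept",
  });
  return {
    beforeConsent,
    afterConsent: [...fired],
    pending: gate.pending.map((t) => t.id),
    log: gate.log,
  };
}
```

Two caveats follow from the design. Withdrawal of consent cannot unload a script that has already run, so the withdrawal path must also clear the cookies and storage that vendor set; and the evidence log only proves what the site asked for, so the `method` value should distinguish a banner accept from a settings‑panel change or a geo‑based default.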
Appendix G — Sector Annexes
G1. Public Sector & SOE Communications
- Common PI: names, contact details, public social handles, demographics (aggregated).
- Lawful bases: public interest/contract; consent for marketing lists.
- Risks: reputational, policy misuse; Controls: approvals workflow, legal sign‑off, content archiving.
- Retention: content working files 12 months; reports 5 years.
G2. Financial Services Campaigns (incl. savings/bonds awareness)
- PI: audience segments (pseudonymised), campaign metrics; avoid account/ID numbers.
- Lawful bases: legitimate interests; consent for new marketing lists.
- Controls: do not solicit sensitive financial data in DMs; vetted links; fraud‑awareness content.
- Retention: similar to Section 10; suppressions indefinite.
G3. Education (Universities/Students)
- PI: names, student emails (if provided by Controller), content interactions.
- Special care: minors in outreach; parental consent where applicable.
- Controls: age gates where feasible; DPIA for any profiling.
G4. Media, Advertising & DOOH
- PI: device IDs, coarse location, time‑of‑day exposure (via vendors); avoid persistent unique IDs unless consented.
- Controls: aggregate reporting; frequency caps; no facial recognition.
- Retention: raw logs minimal/short; aggregated KPIs longer.
G5. Healthcare‑Adjacent & Safety Campaigns
- PI: avoid health data; if testimonials include health info, obtain explicit consent and minimisation.
- Controls: legal review; remove identifiers where not necessary.
G6. Retail / e‑Commerce / Loyalty
- PI: contact details, purchase preferences (from Controller), cookie IDs.
- Bases: contract/legitimate interests; consent for new marketing.
- Controls: suppression lists, secure payment gateways (Controller’s responsibility), CMP for tracking.
G7. IT & Managed Services / Software Development
- PI: user accounts, logs, support tickets.
- Controls: secure SDLC, secrets management, vulnerability management, least privilege, environment segregation.
- Retention: logs 12–24 months; tickets 24 months.
G8. HR / Recruitment & Talent Pools
- PI: CV data, references, background checks (lawful basis).
- Controls: limited access; consent for talent pool; delete on request unless legal basis to retain.
- Retention: 12 months; talent pool 24 months with consent.
Appendix H — Global Mapping Quick Reference
| Topic | POPIA | GDPR (EU/UK) | CPRA (California) |
|---|---|---|---|
| Lawful Bases | Contract, legal duty, consent, legitimate interests, public interest | Art. 6 bases inc. legitimate interests, consent, legal duty | Notice/limited lawful bases; opt‑out/limit for “sale/share” and sensitive PI |
| DSRs | Access, correction, deletion, objection | Access, rectification, erasure, restrict, portability, object, automated decisions | Know, delete, correct, opt‑out of sale/share, limit sensitive PI |
| Cookies/Ads | Consent for EDM (s69); no cookie‑specific rule, but cookie and device identifiers are PI, so the general conditions (notification, minimality, right to object) apply | ePrivacy consent for non‑essential cookies + GDPR basis (consent/legitimate interests) for the processing | Notice and opt‑out for cross‑context advertising |
| Transfers | POPIA s72 adequacy/consent/contractual | SCCs/IDTA/Adequacy | Contracts; service provider restrictions |
Appendix I — Glossary
Anonymisation, Pseudonymisation, CMP, Controller/Processor, DPA, DPIA, DSR, EDR, Legitimate Interests, Operator, PAIA, POPIA, ROPA, SCCs, Special PI, etc.
Sign‑Off
Approved by: Charlotte Choshane (COO / Deputy IO)