1. Policy Overview

• This Data Protection Policy outlines Vision Africa Research Services’ commitment to protecting personal data in accordance with international data protection regulations, including the General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA).
• As a market research organization operating across 7 Southern African countries and handling extensive demographic and survey data, we recognize our significant responsibilities as a data controller and processor.

2. Legal Basis for Processing

• We process personal data based on the following lawful grounds:
• 2.1 Consent (GDPR Art. 6(1)(a), POPIA s11(1)(a))

   

• We obtain explicit, informed consent for:
• Survey participation and response collection
• Demographic profiling and LSM data collection
• Marketing communications and research opportunity notifications
• Use of cookies and tracking technologies (where required)
• Processing of special categories of personal data (where applicable)
• 2.2 Contract Performance (GDPR Art. 6(1)(b), POPIA s11(1)(b))

   

• Processing necessary to fulfill contractual obligations:
• Client research project execution and delivery
• User account management and authentication
• Payment processing and reward distribution
• Mystery shopping visit assignments and reporting
• 2.3 Legitimate Interests (GDPR Art. 6(1)(f), POPIA s11(1)(f))

   

• Processing for our legitimate business interests:
• Fraud detection and prevention
• Platform security and abuse prevention
• Service improvement and analytics (using anonymized data)
• Internal research and quality control
• 2.4 Legal Obligations (GDPR Art. 6(1)(c), POPIA s11(1)(c))

   

• Processing required to comply with:
• Tax and accounting regulations
• Anti-money laundering (AML) requirements
• Law enforcement requests and court orders
• Industry-specific regulations (ESOMAR Code of Conduct)

3. Data Protection Principles

• We adhere to the following data protection principles (GDPR Art. 5, POPIA s4):
• 3.1 Lawfulness, Fairness, and Transparency

   

• All data processing is conducted lawfully, fairly, and transparently. We provide clear privacy notices and obtain appropriate consent before processing.
• 3.2 Purpose Limitation

   

• Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• 3.3 Data Minimization
• We collect only data that is adequate, relevant, and limited to what is necessary for the research purposes. Respondents are never asked for excessive information.
• 3.4 Accuracy

   

• Personal data is kept accurate and up to date. We provide mechanisms for users to update their information and implement validation processes.
• 3.5 Storage Limitation

   

• Personal data is retained only for as long as necessary for the purposes for which it was collected. We have clear data retention and deletion policies.
• 3.6 Integrity and Confidentiality (Security)

   

• Personal data is processed securely using appropriate technical and organizational measures to protect against unauthorized access, loss, or damage.
• 3.7 Accountability

   

• We are responsible for and can demonstrate compliance with all data protection principles through documentation, policies, and regular audits.

4. Data Subject Rights

• Under GDPR and POPIA, individuals have the following rights:
• 4.1 Right of Access (GDPR Art. 15, POPIA s23)

   

• You can request confirmation of whether we process your personal data and obtain a copy of your data.
• Response time: 30 days | No fee unless requests are manifestly unfounded or excessive
• 4.2 Right to Rectification (GDPR Art. 16, POPIA s24)

   

• You can request correction of inaccurate or incomplete personal data.
• Response time: 30 days | Available through account settings or by contacting us
• 4.3 Right to Erasure / “Right to be Forgotten” (GDPR Art. 17, POPIA s25)

   

• You can request deletion of your personal data in certain circumstances:
• Data no longer necessary for the purposes collected
• You withdraw consent (where consent was the lawful basis)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Legal obligation requires deletion
• Exceptions: Legal retention requirements, contractual obligations, active research projects
• 4.4 Right to Restriction of Processing (GDPR Art. 18, POPIA s25)

   

• You can request limitation of processing in certain situations:
• You contest the accuracy of the data (for period to verify accuracy)
• Processing is unlawful but you don’t want deletion
• We no longer need the data but you need it for legal claims
• You object to processing (pending verification of legitimate grounds)
• 4.5 Right to Data Portability (GDPR Art. 20, POPIA s26)

   

• You can receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON, Excel) and transmit it to another controller.
• Applies to: Data provided by you, processed by automated means, based on consent or contract
• 4.6 Right to Object (GDPR Art. 21, POPIA s11(3))

   

• You can object to:
• Processing based on legitimate interests
• Direct marketing (absolute right, no exceptions)
• Profiling related to direct marketing
• Processing for research purposes (unless research serves public interest)
• 4.7 Rights Related to Automated Decision-Making (GDPR Art. 22)

   

• You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.
• Note: Our LSM scoring is automated but does not produce legal effects. Clients make final decisions, not algorithms.
• 4.8 Right to Withdraw Consent (GDPR Art. 7(3), POPIA s11(2))
• Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal.
• 4.9 Right to Lodge a Complaint (GDPR Art. 77, POPIA s74)
• You can lodge a complaint with supervisory authorities:
• EU/EEA residents: Your local Data Protection Authority
• South African residents: Information Regulator (POPIA)
• Other countries: Applicable national data protection authority

5. Data Security Measures

• We implement comprehensive technical and organizational measures (GDPR Art. 32, POPIA s19):
• 5.1 Technical Security Measures

   

• Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit; bcryptjs password hashing with salt rounds
• Access Controls: Role-based access control (RBAC); multi-factor authentication for admin accounts; least privilege principle
• Network Security: Firewalls and intrusion detection systems; DDoS protection; secure API endpoints with rate limiting
• Authentication: JWT tokens with 15-minute expiration; secure session management; automatic logout after inactivity
• Database Security: Parameterized queries (Prisma ORM); regular backups with encryption; separate production/development environments
• File Security: Type validation; size limits (10MB); malware scanning; secure storage with access logs
• Code Security: Input validation (express-validator); XSS protection; CSRF token implementation; security headers (Helmet.js)
• 5.2 Organizational Security Measures

   

• Staff Training: Regular data protection training for all staff; GDPR/POPIA awareness programs; secure handling procedures
• Access Management: Need-to-know access policies; regular access reviews; immediate revocation upon staff departure
• Confidentiality: Non-disclosure agreements (NDAs) for all staff; confidentiality clauses in employment contracts
• Incident Response: Data breach notification procedures (72-hour requirement); incident response team; regular drills
• Third-Party Management: Vendor due diligence; data processing agreements; regular audits of processors
• Documentation: Records of processing activities (GDPR Art. 30); data protection impact assessments (DPIAs); policy documentation
• Monitoring: Security event logging; regular vulnerability assessments; penetration testing; audit trails
• 5.3 Pseudonymization and Anonymization
• Where possible, we use:
• Pseudonymization: Replacing identifying information with pseudonyms for research analysis
• Anonymization: Irreversible removal of identifiers for aggregate reporting to clients
• Data Aggregation: Combining data to prevent individual identification in reports

6. International Data Transfers

• As we operate across 7 Southern African countries, personal data may be transferred internationally. We ensure adequate safeguards (GDPR Chapter V, POPIA s72):
• 6.1 Transfer Mechanisms

   

• Standard Contractual Clauses (SCCs): EU Commission-approved clauses for transfers outside EEA
• Adequacy Decisions: Transfers to countries deemed adequate by EU Commission or local regulators
• Binding Corporate Rules: Internal policies for intra-company transfers
• Explicit Consent: Obtained where required for specific transfers
• Derogations: Transfers necessary for contract performance or legal claims
• 6.2 Regional Data Localization

   

• Where local laws require data localization (e.g., certain countries may require survey data to remain in-country), we maintain regional data centers and processing infrastructure.

7. Data Protection Impact Assessments (DPIAs)

• We conduct DPIAs for high-risk processing activities (GDPR Art. 35):
• Large-scale processing of demographic and LSM data
• Systematic monitoring and profiling of respondents
• Processing of special categories of data (where applicable)
• New technologies or processing methods
• Cross-border data transfers to high-risk jurisdictions
• DPIAs are reviewed annually and updated when processing activities change significantly.

8. Data Breach Notification

• 8.1 Notification to Supervisory Authorities (GDPR Art. 33, POPIA s22)

   

• In the event of a personal data breach likely to result in risk to individuals’ rights and freedoms, we will:
• Notify the relevant supervisory authority within 72 hours of becoming aware
• Provide description of the breach, categories and numbers of data subjects affected, likely consequences, and measures taken
• Maintain a record of all data breaches
• 8.2 Notification to Data Subjects (GDPR Art. 34, POPIA s22)

   

• If the breach is likely to result in high risk to individuals, we will notify affected data subjects without undue delay, providing:
• Description of the breach in clear, plain language
• Contact details of our Data Protection Officer
• Likely consequences of the breach
• Measures taken and recommended steps for data subjects

9. Data Processing Records

• We maintain comprehensive records of processing activities (GDPR Art. 30) including:
• Name and contact details of controller and Data Protection Officer
• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients (including international transfers)
• Retention periods
• Technical and organizational security measures

10. Third-Party Processors

• We only engage third-party processors that provide sufficient guarantees of GDPR/POPIA compliance:
• Written data processing agreements (DPAs) with all processors
• Processor obligations include processing only on documented instructions
• Confidentiality commitments from processor personnel
• Implementation of appropriate security measures
• Assistance with data subject rights requests
• Deletion or return of data at end of services
• Regular audits and compliance verification

11. Special Categories of Personal Data

• We generally avoid processing special categories of data (GDPR Art. 9, POPIA s26-32). However, if a client’s research requires processing:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data
• Health data
• Sex life or sexual orientation
• We will obtain explicit consent and implement enhanced security measures.

12. Children’s Data

• Our platform is not intended for individuals under 18 years old. We do not knowingly process data of children without verifiable parental consent (GDPR Art. 8, POPIA s35).
• If we become aware of data collected from a child without consent, we will delete it immediately.

13. Data Protection Officer (DPO)

• We have appointed a Data Protection Officer responsible for:
• Monitoring compliance with GDPR, POPIA, and internal policies
• Advising on data protection impact assessments
• Serving as point of contact for supervisory authorities
• Handling data subject rights requests
• Coordinating data breach responses
• Conducting staff training and awareness programs
• Contact Our Data Protection Officer
• Email:
• Phone: +264 61 244 660
• Postal Address: Vision Africa Research Services, Klein Windhoek, Namibia

14. Policy Review and Updates

• This Data Protection Policy is reviewed annually and updated when:
• Changes in data protection laws or regulations
• New processing activities or technologies
• Guidance from supervisory authorities
• Internal audits identify areas for improvement
• Significant data breaches or incidents occur

15. Supervisory Authorities

• You have the right to lodge complaints with the following authorities:
• EU/EEA Residents: Your local Data Protection Authority (Find your DPA)
• South Africa: Information Regulator (POPIA) – justice.gov.za/inforeg
• Namibia: Namibia Data Protection Authority (contact details available upon establishment)

16. Related Policies

• Privacy Policy – Comprehensive privacy practices
• Cookie Policy – Cookie and tracking technology usage
• Terms and Conditions – Platform usage terms
• Our Commitment
• Vision Africa Research Services is committed to the highest standards of data protection and privacy. We recognize that trust is the foundation of market research, and we continuously invest in people, processes, and technology to safeguard the personal data entrusted to us.
• If you have any questions or concerns about our data protection practices, please contact our Data Protection Officer at .