How Imbeko Global Certification collects, uses, and protects your personal information.
This Privacy Policy explains how Imbeko Global Certification (Pty) Ltd handles personal information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and applicable data protection laws across Africa. Last updated: 12 May 2026.
Who we are
Responsible party
Imbeko Global Certification (Pty) Ltd is a South Africa-registered company providing ISO certification support, audit readiness, and management system advisory services to organisations across Africa. As the responsible party under POPIA, we determine the purpose and means of processing your personal information.
Registered details
Company: Imbeko Global Certification (Pty) Ltd
Address: 15 Pony Street, Emwill House, Silver Lakes, Pretoria, 0054
Email: info@imbekocertification.com
Jurisdiction: Republic of South Africa
Scope of this policy
This policy applies to all personal information we collect through our website, contact forms, email correspondence, consultation engagements, and any other channel through which individuals or organisations interact with us. It applies to clients, prospective clients, website visitors, and any other person whose personal information we process.
Our commitments
POPIA compliant
We process personal information in accordance with the eight conditions set out in POPIA.
Secure handling
Personal information is stored and transmitted securely with appropriate technical and organisational safeguards.
No selling of data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
Transparency
We tell you clearly what we collect, why, and for how long, before or at the time of collection.
Data minimisation
We collect only the personal information that is necessary for the specific purpose disclosed.
Your rights respected
We support your right to access, correct, object to, and request deletion of your personal information.
Section 2
Personal information we collect
We collect personal information only for specified, explicit, and legitimate purposes. The following categories of information may be collected depending on how you interact with us.
Contact information
Examples: Full name, business email address, telephone number, company name, job title
Purpose: To respond to enquiries, prepare quotes, and communicate about certification services
Business information
Examples: Organisation size, industry sector, current certification status, target standards
Purpose: To tailor certification advice, scoping, and readiness support to your organisation
Website usage data
Examples: Pages visited, time on site, referring URL, browser type (via cookies and analytics tools)
Purpose: To understand how visitors use our website and improve user experience
Communication records
Examples: Emails, form submissions, and records of consultations
Purpose: To maintain a record of our engagement and service history with your organisation
Sensitive information
We do not intentionally collect special categories of personal information (such as health data, racial or ethnic origin, political opinions, or financial records) through our standard website and enquiry processes. If any such information is shared voluntarily during a consultation, it is treated with the highest level of confidentiality and is not retained beyond the immediate engagement.
Section 3
Legal basis for processing
Under POPIA, we must have a lawful basis for processing your personal information. We rely on the following grounds, depending on the nature of the processing activity.
Contractual necessity
Processing is necessary to prepare, enter into, or perform a contract with you or your organisation — including preparing quotes, scoping certification engagements, and delivering advisory services.
Consent
Where you subscribe to communications or submit optional enquiry forms, processing is based on your explicit consent. You may withdraw consent at any time without affecting previous processing.
Legitimate interest
We may process personal information for purposes that serve our legitimate business interests — such as improving our services, maintaining records of client engagements, and website analytics — provided these interests are not overridden by your rights.
Legal obligation
We process certain information to comply with our legal and regulatory obligations, including record-keeping requirements under South African company and tax law.
Section 4
Sharing of personal information
We do not sell, rent, or share your personal information with third parties for commercial purposes. We may share personal information in the following limited circumstances.
Service providers and operators
We engage trusted third-party service providers (such as website hosting, email platforms, and analytics tools) who process personal information on our behalf as operators under POPIA. These parties are bound by data processing agreements and may not use your information for their own purposes.
Professional advisors
We may share information with legal, financial, or compliance advisors where necessary for our business operations, subject to professional confidentiality obligations.
Regulatory and legal authorities
We may disclose personal information to law enforcement agencies, courts, or regulators when required to do so by applicable law, legal process, or to protect our legal rights.
Business transfers
In the event of a merger, acquisition, or sale of business assets, personal information we hold may be transferred to the acquiring entity, subject to equivalent privacy protections.
Section 5
African data protection frameworks
As a certification support business operating across Africa, we are aware of the growing landscape of national data protection laws across the continent. Where we engage with individuals or organisations in these jurisdictions, we apply standards consistent with the applicable local framework in addition to POPIA.
Country: South Africa
Regulator: Information Regulator (South Africa)
Applicable law and notes: Protection of Personal Information Act (POPIA), Act 4 of 2013
POPIA is the primary legislation governing our processing of personal information. It came into full effect on 1 July 2021 and sets out eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.
Country: Nigeria
Regulator: Nigeria Data Protection Commission (NDPC)
Applicable law and notes: Nigeria Data Protection Regulation (NDPR) 2019 and Nigeria Data Protection Act 2023
Where we engage with organisations or individuals in Nigeria, we apply data handling practices consistent with the NDPR and the 2023 Data Protection Act, including requirements around lawful basis, data minimisation, and individual rights.
Country: Kenya
Regulator: Office of the Data Protection Commissioner (ODPC)
Applicable law and notes: Data Protection Act, 2019 (No. 24 of 2019)
Kenya's Data Protection Act aligns closely with GDPR principles. It establishes rights for data subjects and obligations for data controllers and processors operating in Kenya or targeting Kenyan residents.
Country: Ghana
Regulator: Data Protection Commission of Ghana
Applicable law and notes: Data Protection Act, 2012 (Act 843)
Ghana's framework requires organisations to register with the Data Protection Commission and process personal data only for specified, lawful purposes with appropriate security measures in place.
Country: Egypt
Regulator: Personal Data Protection Centre (PDPC)
Applicable law and notes: Personal Data Protection Law No. 151 of 2020
Egypt's law governs the collection, processing, storage, and transfer of personal data with requirements for informed consent and data subject rights applicable to cross-border engagements.
Country: Rwanda
Regulator: Rwanda Utilities Regulatory Authority (RURA)
Applicable law and notes: Law No. 058/2021 relating to the protection of personal data and privacy
Rwanda's framework establishes core obligations around data processing, cross-border transfer restrictions, and data subject rights for individuals within Rwanda.
Cross-border transfers
Where personal information is transferred outside of South Africa, we ensure that the receiving country, territory, or organisation provides an adequate level of protection consistent with POPIA Section 72. We will only transfer personal information across borders if: (a) the data subject consents; (b) the transfer is necessary for a contract; or (c) appropriate safeguards — such as contractual clauses — are in place. The African Union's Convention on Cyber Security and Personal Data Protection (Malabo Convention) also informs our approach to pan-African data flows.
Section 6
Data retention
We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by applicable law.
Enquiry records: 24 months from last contact if no engagement is initiated
Active client records: Duration of the engagement plus 5 years after completion
Financial and invoice records: 7 years in accordance with South African tax legislation
Website analytics data: Up to 26 months, subject to cookie consent settings
Email subscription records: Until unsubscribe is actioned or consent is withdrawn
Section 7
Security safeguards
We take reasonable technical and organisational measures to protect personal information against loss, theft, unauthorised access, use, disclosure, alteration, or destruction.
Encrypted transmission of data via HTTPS across our website and communications
Access controls limiting personal information to authorised personnel only
Periodic review of data handling practices and third-party operator agreements
Prompt notification to the Information Regulator and affected data subjects in the event of a material security compromise, in accordance with POPIA Section 22
Section 8
Your rights as a data subject
Under POPIA and applicable data protection laws across African jurisdictions, you have the following rights with respect to your personal information. To exercise any of these rights, contact us at info@imbekocertification.com.
Right to access
You may request a record of all personal information we hold about you. We will respond within a reasonable period as required by POPIA.
Right to correction
You may request that we correct or update any personal information that is inaccurate, out of date, incomplete, misleading, or obtained unlawfully.
Right to object
You may object, on reasonable grounds, to the processing of your personal information for purposes other than those for which it was originally collected.
Right to deletion
You may request the deletion or destruction of personal information we hold about you, subject to any legal obligations we have to retain records.
Right to withdraw consent
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the Information Regulator of South Africa if you believe we have not handled your personal information in accordance with POPIA.
Information Regulator — South Africa
If you believe we have not handled your personal information in compliance with POPIA, you have the right to lodge a complaint with the Information Regulator of South Africa. The Regulator can be contacted at inforeg@justice.gov.za or through the official website at www.justice.gov.za/inforeg. We encourage you to contact us directly in the first instance so that we can resolve any concerns promptly.
Section 9
Cookies and tracking technologies
Our website uses cookies and similar technologies to improve user experience and understand how visitors interact with our content. You can manage your cookie preferences at any time using the cookie settings available on this website.
Strictly necessary cookies
Required for the website to function correctly. These cannot be disabled as they are essential to core functionality such as security and session management.
Analytics cookies
Help us understand how visitors use our site — which pages are most visited, how long sessions last, and where visitors arrive from. Used only with your consent.
Marketing cookies
Used to deliver relevant content and track the effectiveness of communications. Only deployed with your explicit consent and can be withdrawn at any time.
Section 10
Updates to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The revised policy will be published on this page with an updated effective date. We encourage you to review this policy periodically.
Where changes are material, we will provide notice through appropriate channels — such as a banner on our website or direct communication to active clients — before the changes take effect.
Privacy enquiries
For any questions or requests relating to this Privacy Policy or the handling of your personal information, contact our responsible party representative.
Email: info@imbekocertification.com
Address: 15 Pony Street, Emwill House, Silver Lakes, Pretoria, 0054
We aim to respond within 10 business days
Questions about how we handle your personal information?
Contact Imbeko Global Certification directly — we are committed to transparent, lawful, and respectful handling of all personal information.
