Privacy Policy & Data Security

Comprehensive data protection framework ensuring POPIA and GDPR compliance for all stakeholders.

POPIA Compliant
GDPR Compliant
Updated: September 2025

Camino Bursary NPC – Privacy Policy & Data Security

Comprehensive data protection policy ensuring compliance with South African POPIA and Portuguese GDPR regulations.

Purpose & Scope

Purpose

  • Ensure POPIA/GDPR compliance and secure data handling
  • Protect personal information of students, donors, and stakeholders
  • Establish clear data processing procedures and responsibilities
  • Maintain transparency in data collection and usage

Scope

  • Applies to all staff, mentors, and Board members handling data
  • Covers all personal data collected through our systems
  • Includes data processing activities in South Africa and Portugal
  • Extends to third-party service providers and partners

Legal Framework & Compliance

South African Law (POPIA)

  • Protection of Personal Information Act (POPIA) 2013
  • Information Regulator oversight and compliance
  • Lawful basis for processing personal information
  • Data subject rights and consent requirements
  • Cross-border data transfer restrictions

Portuguese/EU Law (GDPR)

  • General Data Protection Regulation (GDPR) 2016/679
  • Portuguese Data Protection Authority (CNPD) compliance
  • Data processing principles and lawful basis
  • Enhanced data subject rights and protections
  • Data breach notification requirements

Information We Collect

We collect information that you provide directly to us, such as when you apply for a bursary, contact us, or subscribe to our newsletter.

Personal Information

  • Full name, email address, and phone number
  • Portuguese passport and South African ID information
  • Date of birth and nationality details
  • Residential and postal addresses
  • Emergency contact information

Academic & Financial Data

  • Academic records, transcripts, and qualifications
  • Financial information for need assessment
  • Family income and financial hardship documentation
  • Motivation letters and reference letters
  • Community service and extracurricular activities

Special Categories of Personal Data

We may process special categories of personal data including:

  • Health information (for disability accommodations)
  • Financial circumstances (for need-based assessments)
  • Ethnic origin (for Portuguese descent verification)

Processing of special categories requires explicit consent and additional safeguards under POPIA and GDPR.

Data Security Policy

Policy Statements

  • All student/donor data encrypted and access-controlled
  • Breaches reported to regulators within 72 hours
  • Regular security assessments and vulnerability testing
  • Multi-factor authentication for all system access
  • Secure data transmission using TLS 1.3 encryption

Technical Safeguards

  • AES-256 encryption for data at rest
  • Role-based access control (RBAC) implementation
  • Regular security patches and updates
  • Intrusion detection and monitoring systems
  • Secure backup and disaster recovery procedures

Data Breach Response Procedures

Immediate Response (0-24 hours)

  • Contain and assess the breach
  • Notify internal security team
  • Document incident details

Regulatory Notification (24-72 hours)

  • Report to Information Regulator (SA)
  • Notify CNPD (Portugal) if applicable
  • Submit detailed breach report

Data Subject Notification (72+ hours)

  • Notify affected individuals
  • Provide mitigation recommendations
  • Offer support and assistance

How We Use Your Information

We use your personal information for the following lawful purposes:

Primary Purposes

  • Process and evaluate bursary applications
  • Communicate with you about your application
  • Provide ongoing support and mentorship
  • Disburse bursary funds to educational institutions
  • Monitor academic progress and compliance

Secondary Purposes

  • Comply with legal and regulatory requirements
  • Generate statistical reports (anonymized)
  • Improve our programs and services
  • Conduct research and impact assessments
  • Maintain historical records for audit purposes

Lawful Basis for Processing

We process your personal data based on:

  • Consent: Explicit consent for special categories of data
  • Contract: Processing necessary for bursary agreement
  • Legal Obligation: Compliance with POPIA/GDPR requirements
  • Legitimate Interest: Improving our services and programs

Information Sharing & Third Parties

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

Authorized Sharing

  • With educational institutions for bursary disbursement
  • With mentors and partners for program delivery
  • With financial institutions for payment processing
  • With auditors and compliance officers
  • With your explicit consent

Legal Requirements

  • When required by law or legal process
  • To protect our rights and prevent fraud
  • In case of emergency or safety concerns
  • With regulatory authorities when mandated
  • During business transfers or mergers

Third-Party Data Processors

We work with trusted third-party service providers who are bound by strict data protection agreements:

  • Cloud hosting providers (AWS, Microsoft Azure)
  • Email service providers (Mailchimp, SendGrid)
  • Payment processors (PayPal, Stripe)
  • Analytics providers (Google Analytics)

Your Rights Under POPIA & GDPR

You have comprehensive rights regarding your personal data:

Access & Portability Rights

  • Right to Access: Request copies of your personal data
  • Right to Portability: Receive data in structured format
  • Right to Rectification: Correct inaccurate information
  • Right to Erasure: Request deletion of your data

Control & Objection Rights

  • Right to Object: Object to processing of your data
  • Right to Restrict: Limit how we process your data
  • Right to Withdraw: Withdraw consent at any time
  • Right to Complain: Lodge complaints with regulators

How to Exercise Your Rights

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within:

  • 30 days for standard requests (POPIA)
  • 1 month for complex requests (GDPR)
  • 72 hours for urgent data breach notifications

Data Retention & Deletion

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

Retention Periods

  • Active Applications: Duration of bursary program
  • Completed Programs: 7 years for audit purposes
  • Financial Records: 5 years (tax compliance)
  • Marketing Data: Until consent withdrawn
  • Legal Disputes: Until resolution + 2 years

Deletion Procedures

  • Secure deletion using certified methods
  • Removal from all systems and backups
  • Notification to third-party processors
  • Documentation of deletion process
  • Verification of complete removal

International Data Transfers

We may transfer your personal data between South Africa and Portugal/EU for legitimate business purposes:

Transfer Mechanisms

  • Adequacy Decisions: EU adequacy for SA
  • Standard Contractual Clauses: EU-approved contracts
  • Binding Corporate Rules: Internal policies
  • Explicit Consent: Informed consent for transfers

Safeguards

  • Encryption during transmission
  • Secure data centers and facilities
  • Regular security assessments
  • Compliance monitoring and audits
  • Data subject rights protection

Compliance & Accountability

Organizational Measures

  • Data Protection Officer (DPO) appointment
  • Regular staff training and awareness
  • Annual IT security audit required
  • Privacy Impact Assessments (PIAs)
  • Data processing records maintenance

Consequences & Enforcement

  • Breaches may result in disciplinary action
  • Legal action for non-compliance
  • Regulatory fines and penalties
  • Reputation and trust implications
  • Continuous improvement requirements

Regulatory Oversight

South Africa - Information Regulator

  • Website: www.justice.gov.za/inforeg
  • Email: inforeg@justice.gov.za
  • Phone: +27 12 406 4818
  • Address: 33 Hoofd Street, Pretoria

Portugal - CNPD

  • Website: www.cnpd.pt
  • Email: geral@cnpd.pt
  • Phone: +351 21 392 8400
  • Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa

Contact Us

If you have questions about this privacy policy, wish to exercise your rights, or need to report a data breach, please contact us:

Data Protection Officer

Email: dpo@caminobursary.org

Phone: +27 11 123 4567

Address: [Physical Address], Johannesburg, South Africa

Available Monday-Friday, 9:00 AM - 5:00 PM SAST

General Privacy Inquiries

Email: privacy@caminobursary.org

Phone: +27 11 123 4568

Address: [Physical Address], Johannesburg, South Africa

Available Monday-Friday, 8:00 AM - 6:00 PM SAST

Emergency Data Breach Reporting

For urgent data breach notifications outside business hours:

Emergency Hotline: +27 82 123 4567 (24/7)

Policy Updates & Changes

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements:

Notification Process

  • Email notification to all registered users
  • Website banner announcement
  • Updated "Last Modified" date
  • 30-day notice period for material changes
  • Option to withdraw consent if changes unacceptable

Version Control

  • Version 2.0 - September 2025 (Current)
  • Version 1.0 - January 2025 (Initial)
  • Archive of previous versions available
  • Change log maintained for transparency
  • Regulatory approval for significant changes

Camino Bursary NPC Privacy Policy

Last updated: September 2025 | Version 2.0

This policy is effective immediately and supersedes all previous versions.