
Data policy
Last revision: 9 May 2025
Introduction and commitment to privacy
La Bonne Vie Consulting (Pty) Ltd (hereinafter "LBVC") is committed to protecting the privacy and integrity of all of our clients, partners, and stakeholders, by ensuring the ethical and lawful use of personal and organisational information. As a consulting firm operating in South Africa, the European Union, and the United States, we comply with all relevant data protection laws, including South Africa’s Protection of Personal Information Act (POPIA) and the EU’s General Data Protection Regulation (GDPR). We collect and process personal data only for legitimate purposes, with data subjects’ knowledge or consent. We do not sell personal data to third parties. Any data used by LBVC or its employees for research purposes is anonymised (unless explicit consent to be identified has been provided). This policy explains what data LBVC collects, why we use it, how we obtain consent, how we share and protect data, and the rights you have regarding your personal information.
Types of data we collect
We may collect various types of data in the course of our business, including:
- Contact information: Names, email address, telephone number, and company details (for example, when you fill out our contact form or engage our services).
- Professional information: Job title, organisational role, or other business-related information such as performance data, financial data, or operational data if you interact with us in a professional capacity.
- Service data: Information provided to LBVC when we deliver consulting or advisory services. This may include survey responses, psychometric assessment data, or other data as part of a project. We anonymise or aggregate such data for analysis whenever possible.
- Website usage data: When our website is visited, we may collect basic technical data like your IP address, browser type, and cookies for functionality. (Our site currently does not use extensive tracking cookies, and any non-essential cookies would be subject to your consent.)
- Communication data: Correspondence records if you contact us (such as emails or messages), so we can respond to inquiries and maintain records of our communications.
We limit our collection to data that is relevant and necessary for the purposes described below (this follows the principle of data minimisation under POPIA/GDPR).
Purpose of data collection and use
We only use personal and organisational data for clear, legitimate reasons. The main purposes for which LBVC collects and uses data include:
- Providing services: To fulfil our consulting and advisory engagements with individuals and organisations. For example, we use contact and professional information to communicate with clients and deliver reports or recommendations. If we conduct surveys or psychometric assessments, we use the responses to generate insights and advice.
- Communications: To respond to inquiries clients send us via our website or email, and to keep you updated on our services. (For instance, if you submit the contact form, we use your email to reply to your message or schedule a consultation.)
- Research and publications: To continue to improve our offerings and advance the science of people, we conduct regular research. Any personal data used for research is anonymised or aggregated. We may publish findings (e.g. in articles or whitepapers), but individuals will not be identifiable without explicit consent.
- Legal and compliance: To comply with legal obligations and regulatory requirements. For example, if required, we might use your data to fulfil know-your-client checks or respond to lawful requests by authorities. We also retain certain records as required by law (such as financial records for tax purposes).
- Marketing (limited): We do not engage in mass marketing, but if you are an existing client or have subscribed to updates, we might send you relevant thought leadership content, new product information, or event invitations. This is done in line with applicable law (e.g., only with your consent or as allowed by a pre-existing business relationship). You can opt out of such communications at any time.
LBVC ensures that all use of personal and organisational data is supported by a lawful basis under data protection laws – such as your consent, a contractual necessity, compliance with a legal obligation, or our legitimate interest in running our business (balanced with your rights). We do not use data for any purpose that is incompatible with the original reasons it was collected, unless we obtain your consent. In line with POPIA’s purpose specification and GDPR’s purpose limitation principles, data will only be further processed in ways that are not contrary to the original purpose (or else we’ll seek permission).
How we obtain consent
LBVC is mindful of obtaining consent where required and appropriate:
- Direct consent (opt-in): For example, on our website contact form, we may include a tick-box for you to agree to this data policy or to receive communications. By checking the box and submitting your details, you give us consent to use your data to respond to you and follow up.
- Written or verbal consent: In consulting engagements, interviews, coaching sessions, feedback sessions, or focus groups, we might ask you to sign a consent form or verbally agree that we can collect and use information for specified purposes. For instance, if an authorised LBVC consultant conducts a focus group session with a client organisation’s employees, participants may be given a written notice or verbal explanation about the purpose of the session and asked for their consent to use their (anonymised) responses.
- Contextual agreement: Sometimes consent is implied by context. If you hand us your business card or email us requesting information, we consider that you consent to us using those contact details to reply and engage with you. We will not use that information for unrelated purposes (like adding you to a mailing list) without asking.
- Consent for special data: If we ever need to process sensitive personal information (what POPIA calls “special personal information,” such as data about race, health, or beliefs), we will obtain explicit consent or ensure it’s otherwise lawful to process under POPIA/GDPR.
You have the right to withdraw your consent at any time. For example, if you initially agreed to receive our newsletter but later change your mind, you can opt out (using an unsubscribe link or contacting us) and we will stop that processing. Withdrawing consent will not affect the lawfulness of any processing we already performed while we had your permission.
Data sharing and disclosure policy
LBVC handles personal and organisational information confidentially. We do not sell or rent your data to third parties for any purpose. We will only share personal data under the following circumstances:
- Within LBVC: Your data may be shared internally with LBVC team members who need it to perform their duties (on a need-to-know basis). All staff are bound by confidentiality obligations.
- Psychometric and similar assessments: In certain engagements, LBVC may administer psychometric or similar assessments to candidates or employees at the request of a client organisation. These results may include non-anonymised personal insights and are typically shared with the client organisation for recruitment or development purposes. This is done only with the explicit, informed consent of the individual being assessed. LBVC takes care to limit access to such results only to authorised personnel within the client organisation.
- Authorised service providers: We use reputable third-party platforms to support our operations – for example, Microsoft 365 and Google Workspace cloud services for email, document storage, and data analysis. Data might be stored or processed on those platforms, but always under LBVC’s control and instructions. These providers act as our data “operators”/processors, and we have agreements in place to ensure they protect your data and use it only for our specified purposes.
- Professional advisors and partners: On occasion, we might share information with our attorneys, accountants, or similar specialists for advice or auditing, bound by confidentiality and legal privilege. If we collaborate with an external expert or partner on a project, we will ensure they are under a non-disclosure agreement (NDA) or data protection agreement before any personal data is shared.
- Legally required sharing: If LBVC is compelled by regulatory requirements to disclose data (for example, in response to a court order, subpoena, or a request from the Information Regulator or an EU Data Protection Authority), we will do so. LBVC is also required to report on its business operations to regulatory bodies such as the South African Revenue Service (SARS), which may include data on our clients, partners and other stakeholders. Our policy is to verify any such request or requirement and only provide the minimum data necessary.
- Business transfers: In the unlikely event that LBVC undergoes a significant business change (like a merger, acquisition, or sale of assets), personal and organisational data could be part of the transferred assets. If that happens, we will ensure the new owners continue to respect your rights under this policy, or we will seek your consent where required.
International data transfers
Given our global operations, personal or organisational data might be transferred across national borders (this is in addition to LBVC’s use of cloud storage services from reputable providers – we do not have knowledge regarding the physical location of the providers’ cloud servers). For instance, if you are in the EU and we store data on a cloud server or access it from South Africa, or if you’re in South Africa and we have LBVC team members in the EU or US working on your project, a cross-border transfer occurs. We take special care to protect personal data during such transfers:
- Transfers from South Africa: POPIA prohibits transferring personal data outside South Africa unless certain conditions are met. LBVC will only send data abroad if (a) the recipient is subject to laws or agreements that ensure a level of data protection similar to POPIA, or (b) we have consent to do so, or (c) it’s necessary for fulfilling our contractual obligations with our clients, partners and stakeholders, or (d) another legal exception applies. In practice, many of our tools (Microsoft, Google, etc.) either host data in data centres with high security standards or in jurisdictions with strong privacy laws.
- Transfers from the EU: If we handle any data from individuals or organisations in the European Economic Area (EEA), we comply with GDPR’s rules on international transfers. Since South Africa (and the US) are not currently on the EU’s “adequacy” list, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) in our agreements, or binding corporate rules, or explicit consent from data subjects, as applicable. These measures contractually ensure that EU data will receive the same level of protection even after it’s transferred to a third country. Copies of relevant safeguards, such as Standard Contractual Clauses, can be requested by contacting LBVC at info@lbvc.co.za.
- USA operations: For any data transferred to or from the United States, LBVC similarly ensures compliance with relevant laws. Our cloud providers and tools often participate in privacy frameworks (e.g., EU-US data privacy frameworks) or we enforce contractual safeguards.
- General security: Regardless of location, all personal data is handled securely. (See Data security measures below for technical measures.)
Data security measures
We take data security very seriously. LBVC implements a range of technical and organisational measures to protect data from unauthorised access, loss, or misuse. These measures include:
- Secure infrastructure: We use trusted cloud service providers (like Microsoft and Google) known for robust security. Data on these platforms is protected by encryption in transit (HTTPS/SSL) and often encryption at rest. We keep systems updated and patched against vulnerabilities.
- Access control: Access to personal or organisational data is restricted to authorised personnel only. Internally, we use role-based access control – meaning employees can only access the data they genuinely need for their job role. For example, our consultants can access project-related data, but not HR records; our IT admin can manage systems but would not typically open client files. All user accounts are protected with strong passwords and multi-factor authentication wherever possible. These controls help prevent unauthorised access from inside or outside the company.
- Confidentiality training: Every LBVC team member is trained on privacy and confidentiality duties. They sign confidentiality agreements as part of their employment or partnership with LBVC, committing them to protect client and research data.
- Physical security: Although we primarily operate in the cloud, any physical records or devices are secured. Our offices have controlled access. Devices (laptops, external drives) are encrypted and password-protected. If we ever print documents containing personal data, we ensure they are not left unattended and are shredded when no longer needed.
- Monitoring and testing: We regularly review our security practices. In line with POPIA’s requirements, we periodically assess foreseeable risks and verify that safeguards are effectively implemented and updated as needed. Similarly, GDPR requires appropriate security relative to risk; we follow industry best practices (such as guidelines from ISO 27001 and NIST) to continually improve.
- Incident response: We have an internal incident response plan (see Data breach notification and response below) to handle any security breaches swiftly and mitigate any harm. We also maintain backups of important data to prevent loss, and those backups are secured and tested.
Our goal is to ensure the integrity and confidentiality of personal and organisational data, as required by law. POPIA specifically mandates taking “appropriate, reasonable technical and organisational measures” to prevent loss, damage, or unauthorised access to personal information – we adhere to this through the steps above. In the unlikely event of a security compromise, we will follow the steps in the next section.
Data breach notification and response
While we strive to prevent any data breaches, LBVC has a clear policy to handle such incidents in compliance with POPIA and GDPR:
- Detection and containment: If LBVC suspects or becomes aware that personal data has been accessed by an unauthorised person or otherwise compromised, we will immediately investigate and take steps to contain the breach. This may include isolating affected systems, changing access credentials, and working with IT specialists to stop further unauthorised access.
- Internal reporting: Our staff are trained to report any security incident (loss of a device, suspicious activity, etc.) to LBVC’s management without delay. We maintain an incident register to track and document all breaches, even attempted or minor incidents.
- Notification of authorities: POPIA requires us to notify South Africa’s Information Regulator if there are reasonable grounds to believe a data breach occurred. We will do so as soon as reasonably possible after discovering the breach (taking into account time to secure our systems and determine the scope). If the breach involves personal data of individuals in the EU, we will also notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach, as per GDPR. (For example, if the data concerns people in France, we’d contact the CNIL; if in the UK, the ICO, etc.) We will include all required information in these reports, such as the nature of the breach, data affected, and actions taken.
- Notification of affected individuals: If the breach poses a risk of harm (e.g., risk of identity theft, financial loss, or violation of your privacy), we will inform the affected parties directly and without undue delay. POPIA also places an obligation on LBVC to notify affected parties in writing “as soon as reasonably possible” after a data security compromise. We will reach out via the most appropriate channel (email, phone, or mail) to explain what happened, what data might be involved, and what steps we are taking. We will also advise on any steps one should consider to protect oneself (such as changing passwords or being vigilant of scams, if relevant).
- Remediation: After a breach, LBVC will take remedial action to minimise any damage and prevent future incidents. This might include patching software, improving encryption, revising procedures, and providing additional staff training. We will also assist affected individuals or organisations with any reasonable measures to mitigate harm.
- Record-keeping and evaluation: LBVC documents all breaches, including the root cause and our response, in accordance with the law. This helps us demonstrate compliance and learn from incidents. Our Information Officer will evaluate the incident and update our data protection measures as needed. We also review whether we fulfilled all notification duties properly.
- Insurance: LBVC maintains cyber liability insurance. This insurance is intended to help cover costs associated with a data breach (such as notification expenses, remediation, and potential damages). While we hope never to need it, this provides an extra layer of protection for both LBVC and affected parties.
- Dispute resolution: We are committed to transparency in the unfortunate event of a breach. If you have concerns or suffer any loss due to a breach, we will work with you to resolve any disputes amicably. You always have the right to lodge a complaint with the authorities (the Information Regulator in South Africa or a GDPR supervisory authority in Europe), but we welcome the opportunity to address your concerns directly and make things right. We will cooperate fully with any official investigations or inquiries into the incident.
Our prompt action and open communication in a breach situation reflect our commitment to accountability. Under POPIA and GDPR, we are accountable for your personal information and will take responsibility if something goes wrong.
Your rights as a data subject
As an individual or organisation whose data LBVC may hold (a “data subject”), you have a range of rights under data protection laws. LBVC is dedicated to upholding these rights. In summary, these rights include:
- Right to be informed: Data subjects have the right to know what data LBVC collects and why, as we are doing through this policy.
- Right of access: You can request a copy of the data we hold, as well as information on how we process it. This is sometimes called a “Subject Access Request.” We will provide our records of your data, usually within 1 month.
- Right to rectification: If any data we have is incorrect or outdated, you have the right to ask us to correct or update it. We will promptly make the necessary corrections, if feasible, and let you know once done.
- Right to erasure (deletion): Data subjects may, in certain circumstances, request that we delete their data. For example, if we no longer need your data, or if you withdraw consent and no other legal basis for processing applies, or if you object to processing and we have no overriding reason to keep it. We will comply with such requests where feasible, provided no legal obligation prevents us from doing so. POPIA explicitly gives you the right to request deletion or destruction of your information, and under GDPR this is known as the “right to be forgotten”.
- Right to restrict processing: Data subjects can ask LBVC to limit how we use their data in certain cases – for instance, while a complaint or request is being resolved. We will mark the data as restricted and only use it for permitted purposes (like with your consent or for legal claims) during the restriction period.
- Right to data portability: For data provided to LBVC, data subjects have the right (under GDPR) to get that data in a common, machine-readable format and/or have it transferred to another organisation where applicable. This typically applies to data processed based on consent or contract. If you need such portability, we will assist with exporting your data in CSV or a similar format, where feasible.
- Right to object: Data subjects have the right to object to LBVC’s processing of their data in some situations. For example, you can object to direct marketing at any time, and we will stop sending such correspondence. Data subjects can also object if they contest that our legitimate interests should override their privacy rights – we will review the objection and, if we cannot satisfy it, we’ll cease the processing in question. Under POPIA, you may object on reasonable grounds to processing, and we will then re-evaluate our reasons for processing your data.
- Rights related to automated decision-making: LBVC does not use individual or organisational data for automated decisions with legal or significant effects (like profiling algorithms) without human involvement. Many of LBVC’s business processes, including reporting and data visualisations, are indeed automated, but decisions based on such reports or data visualisations must include human involvement. POPIA and GDPR give data subjects the right not to be subject to fully automated decisions unless certain conditions are met. If LBVC ever engages in automated decision-making that has legal or similarly significant effects, we will inform you in advance and provide a means to obtain human intervention, express your point of view, and contest the decision.
- Right to withdraw consent: If LBVC relies on consent for any processing, data subjects can withdraw that consent at any time (as noted earlier in the consent section). This will halt any processing that was based solely on said consent.
- Right to complain: If you believe your data has been mishandled or your rights infringed upon, you have the right to lodge a complaint with the relevant data protection authority. In South Africa, that is the Information Regulator. In the EU, it could be an authority in the country of your residence or where the issue occurred. LBVC encourages all clients, partners and other stakeholders to contact us first, so we may try to address concerns directly. In South Africa, you may contact the Information Regulator at https://inforegulator.org.za, and in the EU, visit https://edpb.europa.eu/about-edpb/about-edpb/members_en to locate your national data protection authority.
To exercise any of these rights, please contact Dr Clif P Lewis at clif@lbvc.co.za. We will respond as quickly as possible, and at most within one month as required by GDPR. There is no fee for making a request, unless it is excessive or repetitive, in which case LBVC is allowed to charge a reasonable fee or refuse (but we will explain why if that happens). When a request is made, LBVC may need to verify your identity to ensure we don’t disclose data to the wrong person. This could involve asking for additional information or identification.
Data retention and deletion
LBVC retains data only for as long as necessary to fulfil the purposes for which it was collected, or to meet legal or business requirements. This means:
- Client data: For LBVC’s consulting clients, we retain project-related data for a reasonable period after the project ends. This allows us to provide follow-up support and refer back to insights if needed by the client. Typically, we keep such data for up to 10 years after project completion, to support client continuity, defend potential legal claims, or comply with tax regulations, unless asked to delete it sooner. If law requires retaining records (e.g., financial invoices must be kept for at least 5 years under tax laws), or requires deletion sooner, we abide by those laws.
- Contact form entries: If you contacted us but did not engage our services, we may keep your inquiry and our response for up to 24 months in case you reconnect or for our administrative records. After that, we delete or anonymise the details of the inquiry.
- Marketing lists: After subscribing to any newsletter or update, LBVC retains this information until you unsubscribe or the service ceases. Unsubscribed contacts are suppressed to ensure we don’t accidentally email them, and then deleted entirely on a periodic schedule.
- Research data: Raw research data (like survey responses or psychometric data) is anonymised or aggregated as soon as practical. We might keep anonymised datasets indefinitely for historical comparison, since they no longer identify individuals. If research data contains personal identifiers, LBVC strips or codes them such that the dataset is de-identified. Any consent forms or records (which might have names) are stored securely and separately, and deleted once they are no longer needed to demonstrate consent or for follow-up.
- General: In all cases, when the retention period ends, or if LBVC no longer needs the data, we will either delete it securely or irreversibly anonymise it. “Securely” means we will take appropriate measures such as permanent deletion from our databases, shredding physical documents, and ensuring backups are also deleted or overwritten. POPIA specifically requires that organisations do not retain personal information longer than necessary for the purpose and that they dispose of it in a secure manner when no longer needed.
If data deletion is requested, LBVC will also accommodate that right (as noted under Right to erasure) and erase data from our active systems, unless retention is required by law or overriding legitimate interest. In such cases, we’ll inform data subjects of the reason we cannot delete certain data and ensure it’s only retained securely for the required period.
Third-party websites
Our website may contain links to third-party websites (for example, links to our LinkedIn articles or partner sites in our publications section). Please note that those sites operate independently of LBVC and have their own privacy policies. LBVC is not responsible for the content or privacy practices of external sites. We recommend that all clients, partners and stakeholders review the privacy notices of any third-party sites they visit through our links.
Updates to this policy
We may update this data policy from time to time to reflect changes in our practices or legal obligations. The latest revision date is always indicated under the policy header. If changes are significant, we might notify our clients, partners and stakeholders via email or a notice on our site. However, we will not reduce data subject rights under this policy without your consent. We encourage periodic review of this policy by all data subjects.