Data policy

Last revision: 11 June 2026

Introduction and commitment to privacy

La Bonne Vie Consulting (Pty) Ltd, trading as LBVC, is a private company incorporated in South Africa under registration number 2006/004816/07, with its business address at 80 Strand St, Cape Town City Centre, Cape Town, 8000 (referred to in this policy as "LBVC", "we" or "us"). LBVC protects the privacy and the integrity of the personal and organisational information of its clients, partners and stakeholders, and processes that information lawfully and ethically. As a consulting firm operating in South Africa, the European Union, and the United States, we comply with all relevant data protection laws, including South Africa’s Protection of Personal Information Act (POPIA) and the EU’s General Data Protection Regulation (GDPR). We collect and process personal data only for legitimate purposes, with data subjects’ knowledge or consent. We do not sell personal data to third parties. Any data used by LBVC or its employees for research purposes is anonymised (unless explicit consent to be identified has been provided). This policy explains what data LBVC collects, why we use it, how we obtain consent, how we share and protect data, and the rights you have regarding your personal information.

The capacities in which we process data

LBVC processes personal information in two distinct capacities, and the duties we owe you differ slightly depending on which one applies in a given situation.

First, LBVC acts as a responsible party (the term used in POPIA; the GDPR calls this a controller). This is the case whenever we ourselves decide why and how personal information is processed. Examples include information submitted through our website or contact form, billing and contractual records, marketing lists, our own research, and engagements where an individual or organisation hires us in their own right.

Second, LBVC acts as an operator (a processor under the GDPR). This is typically the case when a client organisation commissions work that involves the personal information of its employees, candidates or other stakeholders, for example surveys, interviews, focus groups or psychometric assessments. In these engagements the client decides the purpose of the processing, and LBVC carries it out on the client's behalf and on its instructions.

Where LBVC acts as an operator, everything in this policy that concerns security, confidentiality, retention and breach response continues to bind us. In addition, we process the information only as instructed by the client and for no other purpose; we do not disclose it to anyone outside the engagement; we notify the client without delay if we become aware of a security compromise affecting its data; and we return, delete or anonymise the information when the engagement ends, subject to the retention rules set out in this policy.

Whichever capacity applies, individual participants are never left to rely on the client alone. Before any survey, interview or assessment begins, each participant receives an engagement-specific informed consent notice (see How we obtain consent below) describing what will be collected, what it will be used for, and who will see the results. Participation does not proceed until that consent has been recorded.

If you take part in work we perform for a client organisation and wish to exercise any of the rights described in this policy, you may contact either the client or LBVC directly. Where the client is the responsible party we may need to refer your request to them, but we will tell you if that happens and will assist with the request in either case.

Types of data we collect

We may collect various types of data in the course of our business, including:

Contact information: Names, email address, telephone number, and company details (for example, when you fill out our contact form or engage our services).
Professional information: Job title, organisational role, or other business-related information such as performance data, financial data, or operational data if you interact with us in a professional capacity.
Service data: Information provided to LBVC when we deliver consulting or advisory services. This may include survey responses, psychometric assessment data, or other data as part of a project. We anonymise or aggregate such data for analysis whenever possible.
Billing information: The particulars needed to issue invoices and keep accounting records, such as a payer's name, organisation, billing address and the amounts paid. We do not collect card or bank account details; see Payments and billing below.
Website usage data: When our website is visited, we may collect basic technical data like your IP address, browser type, and cookies for functionality. (Our site currently does not use extensive tracking cookies, and any non-essential cookies would be subject to your consent.)
Communication data: Correspondence records if you contact us (such as emails or messages), so we can respond to inquiries and maintain records of our communications.

We limit our collection to data that is relevant and necessary for the purposes described below (this follows the principle of data minimisation under POPIA/GDPR).

Purpose of data collection and use

We only use personal and organisational data for clear, legitimate reasons. The main purposes for which LBVC collects and uses data include:

Providing services: To fulfil our consulting and advisory engagements with individuals and organisations. For example, we use contact and professional information to communicate with clients and deliver reports or recommendations. If we conduct surveys or psychometric assessments, we use the responses to generate insights and advice.
Communications: To respond to inquiries clients send us via our website or email, and to keep you updated on our services. (For instance, if you submit the contact form, we use your email to reply to your message or schedule a consultation.)
Research and publications: To continue to improve our offerings and advance the science of people, we conduct regular research. Any personal data used for research is anonymised or aggregated. We may publish findings (e.g. in articles or whitepapers), but individuals will not be identifiable without explicit consent.
Legal and Compliance: To comply with legal obligations and regulatory requirements. For example, if required, we might use your data to fulfil know-your-client checks or respond to lawful requests by authorities. We also retain certain records as required by law (such as financial records for tax purposes).
Marketing (limited): We do not engage in mass marketing, but if you are an existing client or have subscribed to updates, we might send you relevant thought leadership content, new product information, or event invitations. This is done in line with applicable law (e.g., only with your consent or as allowed by a pre-existing business relationship). You can opt out of such communications at any time.

LBVC ensures that all use of personal and organisational data is supported by a lawful basis under data protection laws – such as your consent, a contractual necessity, compliance with a legal obligation, or our legitimate interest in running our business (balanced with your rights). We do not use data for any purpose that is incompatible with the original reasons it was collected, unless we obtain your consent. In line with POPIA’s purpose specification and GDPR’s purpose limitation principles, data will only be further processed in ways that are not contrary to the original purpose (or else we’ll seek permission).

How we obtain consent

All consent we rely on is given in writing and recorded electronically; we do not rely on verbal consent. Depending on the engagement, consent is captured through an online form (for example a tick-box on our website or at the start of an assessment) or through an electronic signing service such as Xodo Sign. Each consent record is stored so that we can show what was agreed to, by whom and when.

Website and marketing consent: Where we ask for consent on our website, for example a tick-box to receive updates, submitting the form with the box ticked is your consent, and every message we send afterwards includes a way to opt out.
Engagement consent: In consulting engagements, interviews, coaching sessions, feedback sessions and focus groups, participants receive a written notice describing the purpose of the exercise and what will happen to their input, and they record their agreement electronically before taking part.
Assessment consent: Assessments are subject to the two-layer consent described under Special personal information and engagement-specific consent and, for minors, the additional requirements under Personal information of minors.
Consent for special personal information: Where we process special personal information (what POPIA calls "special personal information", such as data about race, health or beliefs), we obtain explicit consent, unless POPIA or the GDPR provides another clear lawful ground.

Not everything we do rests on consent. Like most organisations, we also process personal information on other lawful grounds, and we want to be clear about which ground supports which purpose:

Providing services: performance of a contract with you, or steps taken at your request before entering into one (POPIA section 11(1)(b); GDPR Article 6(1)(b)).
Responding to enquiries: our legitimate interest in replying to people who contact us (POPIA section 11(1)(f); GDPR Article 6(1)(f)). If you email us or hand us a business card, we will use those details to respond and engage with you, and for nothing else; we will not add you to a mailing list without asking.
Research and publications: consent where the data is identifiable; otherwise we anonymise or aggregate the data so that no individual can be identified.
Legal and compliance: compliance with a legal obligation that applies to LBVC (POPIA section 11(1)(c); GDPR Article 6(1)(c)).
Marketing: your consent or, in the case of existing customers, the limited grounds that section 69 of POPIA allows, with an opt-out offered when the details are collected and in every message we send.
Assessments and special personal information: explicit consent, recorded per engagement as described above.

You may withdraw consent at any time; the consequences are set out under Withholding or withdrawing consent below. Withdrawal does not affect the lawfulness of processing that took place while the consent stood.

Withholding or withdrawing consent

Most of our services cannot be delivered without processing personal information. If the consent we need is withheld, we will not be able to begin the engagement, assessment or service concerned.

You may withdraw consent at any time, in writing, by contacting our Information Officer. On withdrawal we will stop the processing that rested on that consent and, where the processing was necessary for the service itself, the service will cease. Withdrawal does not affect the lawfulness of any processing carried out before it, and it does not prevent us from retaining information that the law requires us to keep.

Where consent is withheld or withdrawn for reasons not attributable to a breach of this policy or other fault on LBVC's part, fees already paid (including, without limitation, project fees, assessment fees and subscription fees) are not refundable, and fees for work already performed remain payable. LBVC may, in its sole and absolute discretion, refund any amount in whole or in part, but a refund granted in one instance creates no entitlement to, or expectation of, a refund in any other. Nothing in this paragraph limits any right to a refund that a consumer may have under legislation that cannot be excluded by agreement.

Special personal information and engagement-specific consent

Some of our services involve information that POPIA classifies as special personal information and that the GDPR treats as a special category, for example information about race, health or beliefs, and the results of psychometric assessment. We process this kind of information only with explicit consent, or where another lawful ground under POPIA or the GDPR clearly applies, and we keep it for shorter periods than ordinary records (see Data retention and deletion).

Consent for assessments works in two layers. Agreement to this policy is the first layer: it tells you, in general terms, who we are and how we treat personal information. It is not, on its own, consent to any particular assessment. Before each assessment, survey or similar exercise, every participant receives a separate informed consent notice specific to that engagement. That notice states what information will be collected, the purpose it will serve, how it will be analysed, who will receive the results and in what form, and how long the information will be kept. Because these details differ from one product or service to the next, a fresh notice is issued for every engagement, and consent given for one assessment never carries over to another.

To take one example: where a client organisation asks us to assess a group of candidates, each candidate first agrees to this policy and then, separately, consents to the processing of their assessment data, to their results being shared with the commissioning client, and to the results being used in an employment decision. A candidate who declines simply does not proceed with the assessment, and the rules under withholding or withdrawing consent apply.

Access to identifiable special personal information within LBVC is restricted to the registered professionals working on the engagement concerned. The consent records themselves are stored securely and separately from the assessment data.

Personal information of minors

Some of our services, most notably Vocatia, involve the personal information of high-school learners, typically between 15 and 17 years old. We do not knowingly process the personal information of any child outside this context, and none of our services is directed at children younger than this group.

Our handling of minors' information rests on the following rules:

No information about or from a minor is collected until we hold documented consent from a parent or legal guardian, the competent person contemplated by section 35 of POPIA.
We also require the informed consent of the minor. Consent from a parent or guardian alone is not sufficient; both consents must be recorded before an assessment begins.
The information collected can include psychometric data and biographical particulars such as age, gender, race and disability. Work involving this information is carried out by, or under the supervision of, psychologists and psychometrists registered with the Health Professions Council of South Africa (HPCSA), who are trained and licensed to work with it.
The engagement-specific consent notice for each assessment states exactly what will be collected, how the results will be used, and who will receive them. For Vocatia, individual results are shared with the minor and the parent or guardian only; the school that commissions and pays for the assessment receives results in aggregated form and cannot see any individual learner's results.
Either the parent or guardian, or the minor, may withdraw consent and ask that the minor's information be removed. On such a request the information is deleted from our systems and excluded from any aggregated outputs provided to the school thereafter.

Assessments, profiling and automated processing

Assessment results are a form of profiling: they describe aspects of a person's cognition, personality or behaviour and are used to inform decisions. We are open about this, and we apply specific safeguards to it.

Every assessment we use is designed using established scientific methods and is evaluated to confirm that it is valid, reliable and fair, the standard that section 8 of the Employment Equity Act sets for psychological testing in South Africa. Assessments are reviewed and updated regularly so that they continue to meet that standard.

Where automation or artificial intelligence forms part of the analysis, we use customised, fine-tuned or otherwise specialised tools that produce results in a systematic way, within defined rules and boundaries. We do not feed assessment results into general-purpose AI chatbots or other uncontrolled tools.

The output of this processing takes the form of reports or data dashboards. These are provided to the client and/or the data subject, and any decision based on them is made by a person, not by the system. Where a client prefers not to receive a report and asks us only for a recommendation, our registered psychologists or psychometrists review the profiling results themselves and formulate that recommendation. In no case is a decision with legal or similarly significant effects for a person taken solely by automated means.

If that position ever changes, we will say so in this policy in advance, and we will provide a means to obtain human intervention, to express your point of view and to contest the decision, as POPIA and the GDPR require.

Data sharing and disclosure policy

LBVC handles personal and organisational information confidentially. We do not sell or rent your data to third parties for any purpose. We will only share personal data under the following circumstances:

Within LBVC: Your data may be shared internally with LBVC team members who need it to perform their duties (on a need-to-know basis). All staff are bound by confidentiality obligations.
Psychometric and similar assessments: In certain engagements, LBVC administers psychometric or similar assessments to candidates or employees at the request of a client organisation. These results may include non-anonymised personal insights and are typically shared with the client organisation for recruitment or development purposes. This is done only with the explicit, informed consent of the individual being assessed, recorded separately for each engagement as described under Special personal information and engagement-specific consent. Where the person assessed is a minor, the rules under Personal information of minors apply instead, and individual results are not shared with a commissioning school. LBVC takes care to limit access to assessment results to authorised personnel within the client organisation.
Authorised service providers: We use reputable third-party platforms to support our operations, for example Microsoft 365 and Google Workspace for email, document storage and data analysis, Wix to host our website (including its contact and booking functions), Zoho for invoicing, and Anthropic and Google, whose language models underpin some of the specialised analysis tools described under Assessments, profiling and automated processing. Data might be stored or processed on those platforms, but always under LBVC's control and instructions. These providers act as our data "operators"/processors, and we have agreements in place that require them to protect your data and use it only for our specified purposes.
Professional advisors and partners: On occasion, we might share information with our attorneys, accountants, or similar specialists for advice or auditing, bound by confidentiality and legal privilege. If we collaborate with an external expert or partner on a project, we will ensure they are under a non-disclosure agreement (NDA) or data protection agreement before any personal data is shared.
Legally required sharing: If LBVC is compelled by regulatory requirements to disclose data (for example, in response to a court order, subpoena, or a request from the Information Regulator or an EU Data Protection Authority), we will do so. LBVC is also required to report on its business operations to regulatory bodies such as the South African Revenue Service (SARS), which may include data on our clients, partners and other stakeholders. Our policy is to verify any such request or requirement and only provide the minimum data necessary.
Business transfers: In the unlikely event that LBVC undergoes a significant business change (like a merger, acquisition, or sale of assets), personal and organisational data could be part of the transferred assets. If that happens, we will ensure the new owners continue to respect your rights under this policy, or we will seek your consent where required.

Payments and billing

LBVC does not collect, store or process card numbers, bank account numbers or any other payment credentials. Subscriptions and other services are invoiced as single payments, principally through Zoho Invoicing. From time to time we accept payment through third-party payment platforms, most often PayPal and occasionally PayFast or Peach Payments. When you pay through one of these platforms, your payment details are captured and handled by that platform under its own terms and privacy policy. What LBVC receives is confirmation that payment has been made, together with the ordinary billing particulars (such as the payer's name and the amount) needed for our invoicing and accounting records. Those records are retained as described under Data retention and deletion.

International data transfers

Given our global operations, personal or organisational data might be transferred across national borders. Our day-to-day systems run on cloud services from major providers, principally Microsoft, Google and Wix, each of which publishes current information about where its data centres are located, the certifications it holds and the safeguards it applies. That information is available on each provider's own privacy and trust pages and is kept up to date by the provider. Our agreements with these providers include data protection terms and, where needed, recognised transfer mechanisms. Beyond this, a cross-border transfer can also occur in the ordinary course of our work: for instance, if you are in the EU and we access your data from South Africa, or if you are in South Africa and LBVC team members in the EU or US work on your project. We take special care to protect personal data during such transfers:

Transfers from South Africa: POPIA prohibits transferring personal data outside South Africa unless certain conditions are met. LBVC will only send data abroad if (a) the recipient is subject to laws or agreements that ensure a level of data protection similar to POPIA, or (b) we have consent to do so, or (c) it’s necessary for fulfilling our contractual obligations with our clients, partners and stakeholders, or (d) another legal exception applies. In practice, many of our tools (Microsoft, Google, etc.) either host data in data centres with high security standards or in jurisdictions with strong privacy laws.
Transfers from the EU: If we handle any data from individuals or organisations in the European Economic Area (EEA), we comply with GDPR’s rules on international transfers. Since South Africa (and the US) are not currently on the EU’s “adequacy” list, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) in our agreements, or binding corporate rules, or explicit consent from data subjects, as applicable. These measures contractually ensure that EU data will receive the same level of protection even after it’s transferred to a third country. Copies of relevant safeguards, such as Standard Contractual Clauses, can be requested by contacting LBVC at info@lbvc.co.za.
USA operations: For any data transferred to or from the United States, LBVC similarly ensures compliance with relevant laws. Our cloud providers and tools often participate in privacy frameworks (e.g., EU-US data privacy frameworks) or we enforce contractual safeguards.
General security: Regardless of location, all personal data is handled securely. (See Data Security below for technical measures.)

Data security measures

We take data security very seriously. LBVC implements a range of technical and organisational measures to protect data from unauthorised access, loss, or misuse. These measures include:

Secure infrastructure: We use trusted cloud service providers (like Microsoft and Google) known for robust security. Data on these platforms is protected by encryption in transit (HTTPS/SSL) and often encryption at rest. We keep systems updated and patched against vulnerabilities.
Access control: Access to personal or organisational data is restricted to authorised personnel only. Internally, we use role-based access control – meaning employees can only access the data they genuinely need for their job role. For example, our consultants can access project-related data, but not HR records; our IT admin can manage systems but would not typically open client files. All user accounts are protected with strong passwords and multi-factor authentication wherever possible. These controls help prevent unauthorised access from inside or outside the company.
Confidentiality training: Every LBVC team member is trained on privacy and confidentiality duties. They sign confidentiality agreements as part of their employment or partnership with LBVC, committing them to protect client and research data.
Physical security: Although we primarily operate in the cloud, any physical records or devices are secured. Our offices have controlled access. Devices (laptops, external drives) are encrypted and password-protected. If we ever print documents containing personal data, we ensure they are not left unattended and are shredded when no longer needed.
Monitoring and testing: We regularly review our security practices. In line with POPIA’s requirements, we periodically assess foreseeable risks and verify that safeguards are effectively implemented and updated as needed. Similarly, GDPR requires appropriate security relative to risk; we follow industry best practices (such as guidelines from ISO 27001 and NIST) to continually improve.
Incident response: We have an internal incident response plan (see Data Breach Notification below) to handle any security breaches swiftly and mitigate any harm. We also maintain backups of important data to prevent loss, and those backups are secured and tested.

Our goal is to ensure the integrity and confidentiality of personal and organisational data, as required by law. POPIA specifically mandates taking “appropriate, reasonable technical and organisational measures” to prevent loss, damage, or unauthorised access to personal information – we adhere to this through the steps above. In the unlikely event of a security compromise, we will follow the steps in the next section.

Data breach notification and response

While we strive to prevent any data breaches, LBVC has a clear policy to handle such incidents in compliance with POPIA and GDPR:

Detection and containment: If LBVC suspects or becomes aware that personal data has been accessed by an unauthorised person or otherwise compromised, we will immediately investigate and take steps to contain the breach. This may include isolating affected systems, changing access credentials, and working with IT specialists to stop further unauthorised access.
Internal reporting: Our staff are trained to report any security incident (loss of a device, suspicious activity, etc.) to LBVC’s management without delay. We maintain an incident register to track and document all breaches, even attempted or minor incidents.
Notification of authorities: POPIA requires us to notify South Africa’s Information Regulator if there are reasonable grounds to believe a data breach occurred. We will do so as soon as reasonably possible after discovering the breach (taking into account time to secure our systems and determine the scope). If the breach involves personal data of individuals in the EU, we will also notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach, as per GDPR. (For example, if the data concerns people in France, we’d contact the CNIL; if in the UK, the ICO, etc.) We will include all required information in these reports, such as the nature of the breach, data affected, and actions taken. Where the compromised information was being processed by LBVC as an operator on behalf of a client, we will also notify that client without delay so that the client can meet its own notification duties, and we will support the client in doing so.
Notification of affected individuals: If the breach poses a risk of harm (e.g., risk of identity theft, financial loss, or violation of your privacy), we will inform the affected parties directly and without undue delay. POPIA also places an obligation on LBVC to notify affected parties in writing “as soon as reasonably possible” after a data security compromise. We will reach out via the most appropriate channel (email, phone, or mail) to explain what happened, what data might be involved, and what steps we are taking. We will also advise on any steps one should consider to protect oneself (such as changing passwords or being vigilant of scams, if relevant).
Remediation: After a breach, LBVC will take remedial action to minimise any damage and prevent future incidents. This might include patching software, improving encryption, revising procedures, and providing additional staff training. We will also assist affected individuals or organisations with any reasonable measures to mitigate harm.
Record-keeping and evaluation: LBVC documents all breaches, including the root cause and our response, in accordance with the law. This helps us demonstrate compliance and learn from incidents. Our Information Officer will evaluate the incident and update our data protection measures as needed. We also review whether we fulfilled all notification duties properly.
Insurance: LBVC maintains cyber liability insurance. This insurance is intended to help cover costs associated with a data breach (such as notification expenses, remediation, and potential damages). While we hope never to need it, this provides an extra layer of protection for both LBVC and affected parties.
Dispute resolution: We are committed to transparency in the unfortunate event of a breach. If you have concerns or suffer any loss due to a breach, we will work with you to resolve any disputes amicably. You always have the right to lodge a complaint with the authorities (the Information Regulator in South Africa or a GDPR supervisory authority in Europe), but we welcome the opportunity to address your concerns directly and make things right. We will cooperate fully with any official investigations or inquiries into the incident.

Our prompt action and open communication in a breach situation reflect our commitment to accountability. Under POPIA and GDPR, we are accountable for your personal information and will take responsibility if something goes wrong.

Your rights as a data subject

As an individual or organisation whose data LBVC may hold (a “data subject”), one has a range of rights under data protection laws. LBVC is dedicated to upholding these rights. In summary, these rights include:

Right to be informed: Data subjects have the right to know what data LBVC collects and why, as we are doing through this policy.
Right of access: You can request a copy of the data we hold, as well as information on how we process it. This is sometimes called a “Subject Access Request.” We will provide our records of your data, usually within 1 month.
Right to rectification: If any data we have is incorrect or outdated, you have the right to ask us to correct or update it. We will promptly make the necessary corrections, if feasible, and let you know once done.
Right to erasure (deletion): Data subjects may, in certain circumstances, request that we delete your data. For example, if we no longer need your data, or if you withdraw consent and no other legal basis for processing applies, or if you object to processing and we have no overriding reason to keep it. We will comply with such requests where feasible, provided no legal obligation prevents us from doing so. POPIA explicitly gives you the right to request deletion or destruction of your information, and under GDPR this is known as the “right to be forgotten”.
Right to restrict processing: Data subjects can ask LBVC to limit how we use your data in certain cases – for instance, while a complaint or request is being resolved. We will mark the data as restricted and only use it for permitted purposes (like with one’s consent or for legal claims) during the restriction period.
Right to data portability: For data provided to LBVC, data subjects have the right (under GDPR) to get that data in a common, machine-readable format and/or have it transferred to another organisation where applicable. This typically applies to data processed based on consent or contract. If you need such portability, we will assist with exporting your data in CSV or a similar format, where feasible.
Right to object: Data subjects have the right to object to LBVC’s processing of their data in some situations. For example, you can object to direct marketing at any time, and we will stop sending such correspondence. Data subjects can also object if they contest that our legitimate interests should override their privacy rights – we will review and if we cannot satisfy your objection, we’ll cease the processing in question. Under POPIA, you may object on reasonable grounds to processing, and we will then reevaluate our reasons for processing your data.
Rights related to automated decision-making: Neither POPIA nor the GDPR permits decisions with legal or similarly significant effects to be taken about you solely by automated means, except in narrow circumstances. LBVC does not take such decisions. How we use automation and AI in assessments, and the human review that accompanies them, is described under Assessments, profiling and automated processing above.
Right to withdraw consent: If LBVC relies on consent for any processing, data subjects can withdraw that consent at any time (as noted earlier in the consent section). This will halt any processing that was based solely on said consent.
Right to complain: If one believes one’s data has been mishandled or their rights infringed upon, you have the right to lodge a complaint with the relevant data protection authority. In South Africa, that is the Information Regulator. In the EU, it could be an authority in the country of your residence or where the issue occurred. LBVC encourages all clients, partners and other stakeholders to contact us first, so we may try to address concerns directly. In South Africa, you may contact the Information Regulator at https://inforegulator.org.za, and in the EU, visit https://edpb.europa.eu/about-edpb/about-edpb/members_en to locate your national data protection authority.

To exercise any of these rights, contact our Information Officer, Dr Clifford P Lewis, at clif@lbvc.co.za, or our EU representative, Stefan H van Eeden, at stefan@lbvc.co.za (see Information Officer and EU representative below). We respond as quickly as we can and at the latest within one month, as the GDPR requires; requests governed by PAIA are handled within the periods that Act prescribes (ordinarily 30 days). There is no fee for making a request unless it is excessive or repetitive, in which case we may charge a reasonable fee or decline the request, and we will explain why if we do. PAIA prescribes certain request and access fees for formal records requests; these are set out in our PAIA Manual. Before acting on a request we may need to verify your identity so that information is not disclosed to the wrong person, which could involve asking for additional information or identification. If your request concerns work we performed for a client organisation, we may have to refer it to that client as the responsible party; we will tell you if we do, and we will assist with the request either way.

Access to information under PAIA

As a private body, LBVC maintains a manual under section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA). The manual describes the categories of records LBVC holds, the procedure for requesting access to a record, the prescribed request form, the applicable fees, and the grounds on which a request may be refused. It also explains how requests for access to personal information under POPIA are handled.

Our PAIA Manual can be downloaded here. Formal requests for access to records should be made using the form contained in the manual and sent to our Information Officer, whose details appear below under Information Officer and EU representative. If you simply want a copy of your own personal information, the quicker route is usually a subject access request as described under Your rights as a data subject above.

Data retention and deletion

LBVC retains data only for as long as necessary to fulfil the purposes for which it was collected, or to meet legal or business requirements. This means:

Contact form entries: If you contacted us but did not engage our services, we may keep your inquiry and our response for up to 24 months in case you reconnect or for our administrative records. After that, we delete or anonymise the details of the inquiry.
Client and project records: Records of consulting and advisory engagements, such as correspondence, deliverables and project files, are kept for five years after the engagement ends. This period matches South African tax record-keeping requirements and covers the three-year prescription period that applies to most contractual claims. Accounting records are kept for the periods that company and tax law require, generally between five and seven years. If a client asks us to delete project records sooner, we will do so unless a law requires us to keep them.
Assessment data: Identifiable assessment data, including psychometric results, is anonymised or deleted within twelve months of the final report or feedback being delivered, unless the record-keeping rules that apply to HPCSA-registered practitioners require a longer period. Where those rules apply, records are kept for at least six years after they become dormant and, in the case of a minor, until the person turns 21, after which they are securely destroyed.
Research data: Raw research data, such as survey responses, is anonymised or aggregated as soon as practical. Anonymised datasets no longer identify anyone, and we may keep them indefinitely for historical comparison. Where research data contains personal identifiers, we strip or code them so that the dataset is de-identified. Consent forms and records, which might contain names, are stored securely and separately, and deleted once they are no longer needed to demonstrate consent or for follow-up.
Marketing lists: After subscribing to any newsletter or update, LBVC retains this information until unsubscribed or the service ceases. Unsubscribed contacts are suppressed to ensure we don’t accidentally email them, and then deleted entirely on a periodic schedule.
General: In all cases, when the retention period ends, or if LBVC no longer needs the data, we will either delete it securely or irreversibly anonymise it. “Securely” means we will take appropriate measures such as permanent deletion from our databases, shredding physical documents, and ensuring backups are also deleted or overwritten. POPIA specifically requires that organisations do not retain personal information longer than necessary for the purpose and that they dispose of it in a secure manner when no longer needed.

If data deletion is requested, LBVC will also accommodate that right (as noted under Right to erasure) and erase data from our active systems, unless retention is required by law or overriding legitimate interest. In such cases, we’ll inform data subjects of the reason we cannot delete certain data and ensure it’s only retained securely for the required period.

Third-party websites

Our website may contain links to third-party websites (for example, links to our LinkedIn articles or partner sites in our publications section). Please note that those sites operate independently of LBVC and have their own privacy policies. LBVC is not responsible for the content or privacy practices of external sites. We recommend all clients, partners and stakeholders to review the privacy notices of any third-party sites you visit through our links.

Information Officer and EU representative

LBVC is registered with the South African Information Regulator under registration number 2026-027889. Our Information Officer, appointed under POPIA and PAIA, is:

Dr Clifford P Lewis
clif@lbvc.co.za

For individuals in the European Union, LBVC has designated an EU representative in terms of Article 27 of the GDPR:

Stefan H van Eeden (Germany)
stefan@lbvc.co.za

Any question, request or complaint about this policy or about our handling of your personal information may be directed to either of them. Data subjects in the EU may address the EU representative on all matters that the GDPR would otherwise require them to raise with LBVC, and EU supervisory authorities may do the same.

Updates to this policy

We may update this data policy from time to time to reflect changes in our practices or legal obligations. The latest revision date is always indicated under the policy header. If changes are significant, we might notify our clients, partners and stakeholders via email or a notice on our site. However, we will not reduce data subject rights under this policy without your consent. We encourage periodic review of this policy by all data subjects.