POPIA Compliance

Your medical data is sacred. Here's how CPSA protects it under South Africa's POPIA.

What is POPIA?

The Protection of Personal Information Act (POPIA) is South Africa's data protection law. It requires organizations to handle personal information responsibly, transparently, and securely — especially sensitive information like medical records.

CPSA is fully committed to POPIA compliance. Your prescriptions, medical history, and personal data are protected under the strictest standards.

Our POPIA Obligations

Lawful Processing

We only process your data when we have a legal reason to do so (fulfilling orders, legal compliance, protecting your health).

Consent & Transparency

We ask for your explicit consent before collecting sensitive information. You always know what we're collecting and why.

Purpose Limitation

We use your data only for the purpose you provided it. We don't sell, share, or repurpose your medical information.

Further Processing Restriction

We don't use your data in ways that could be harmful or that you didn't expect.

Information Quality

We keep your data accurate and up-to-date. If you spot errors, you can request corrections.

Security Safeguards

We use encryption, access controls, and regular security audits to protect against unauthorized access.

Openness & Accountability

We document our data handling practices and are transparent about our processes.

Data Subject Rights

You have rights over your data, including access, correction, deletion, and objection. See below for details.

How We Handle Medical Data

Prescriptions & Medical Records: Stored in encrypted databases with access restricted to authorized clinical staff only.

Schedule 1 Compliance: We verify prescriptions are from licensed healthcare practitioners and store them securely per Schedule 1 requirements.

Data Retention: Medical records are retained for the period required by law (typically 5-7 years) and then securely destroyed.

Encryption: All sensitive data in transit and at rest is encrypted using industry-standard protocols (AES-256, TLS 1.2+).

Access Control: Only CPSA staff with a need-to-know can access your medical information. All access is logged and audited.

Your Rights Under POPIA

Right to Access

Request a copy of all personal data CPSA holds about you.

Right to Correct

Ask us to fix inaccurate or incomplete information.

Right to Delete

Request deletion of your data ("right to be forgotten") where legally permitted.

Right to Restrict

Ask us to limit how we process your data.

Right to Object

Opt out of certain processing activities (e.g., marketing communications).

Right to Lodge Complaint

Report data protection concerns to the Information Regulator.

How to Exercise Your Rights

To request access, correction, deletion, or to lodge a complaint, contact our Data Protection Officer:

Email: privacy@compounding.co.za

Phone: +27 11 234 5678

Response Time: We'll respond to your request within 20 business days.

Data Breach Notification

In the unlikely event of a data breach, we are legally required to:

  • Notify affected individuals within 72 hours
  • Describe what information was compromised
  • Explain the measures we're taking to prevent it happening again
  • Report the breach to the Information Regulator if required by law

Information Regulator of South Africa

If you believe CPSA is not complying with POPIA, you have the right to lodge a complaint with the Information Regulator:

Email: complaints.IR@justice.gov.za

Website: www.justice.gov.za/inforeg/

Postal Address: The Information Regulator of South Africa, 547 Veale Street, New Muckleneuk, Pretoria, 0181

For more information about POPIA and your rights, see:

Last updated: 1 April 2026