Legal & Trust Centre

POPIA and Data Protection

How MK Assist meets POPIA obligations and supports client compliance.

Plain-language summary

Summarises POPIA roles, processing principles and shared client responsibilities.

1. Responsibility model

| Processing context | Primary POPIA role of MK Assist | Primary POPIA role of client |
|---|---|---|
| Website visitors, prospects, client account contacts, billing and support administration | Responsible party | Independent responsible party for its own records |
| Customer conversations, customer details and client knowledge processed to provide the service | Operator acting under documented client instructions, except where law requires independent action | Responsible party |
| Platform security, fraud prevention, service integrity and legally required records | Responsible party for the limited processing it independently determines | Responsible party for its own corresponding obligations |
| Meta/WhatsApp processing under their own terms | Separate recipient and, depending on the processing, operator/processor or independent responsible party/controller under its terms | Responsible party for its customer communications and opt-in |

The client decides why customer conversations and business knowledge are processed and is normally the responsible party. MK Assist processes that information to provide the contracted service and is normally the operator. MK Assist is independently responsible for its own website, account, billing, support, security and legal records.

2. POPIA conditions translated into controls

| POPIA principle | MK Assist control | Client responsibility |
|---|---|---|
| Accountability | Information Officer, processing register, DPA, control evidence and review | Lawful purpose, notices, sector compliance and instructions |
| Processing limitation | Business-specific use, role controls, no general-purpose chatbot and data minimisation | Upload and collect only necessary, lawful information |
| Purpose specification | Workspace-specific configuration and documented purposes | Define customer-service purposes and avoid incompatible reuse |
| Further processing limitation | No cross-client learning or shared model training | Do not repurpose conversations unlawfully |
| Information quality | Client approval of knowledge, testing and correction paths | Keep prices, terms, hours and business information current |
| Openness | Privacy notices, AI disclosure, subprocessor list and point-of-need copy | Provide customer-facing business and sector notices |
| Security safeguards | Tenant separation, RBAC, encryption, logs, incident response and deletion controls | Protect credentials, manage users, secure endpoints and report concerns |
| Data-subject participation | Request channel, client assistance, export and deletion tools | Respond as responsible party and instruct MK Assist |

3. Operator commitments

MK Assist processes client-controlled personal information only on documented instructions, treats it as confidential, ensures authorised persons are bound by confidentiality, applies appropriate technical and organisational measures, controls subprocessors, assists with rights and incidents, deletes or returns information on exit, and provides information reasonably required to demonstrate compliance.

4. Information Officer

Tondani Netili, Director, is the Information Officer contact for MK Assist. Requests and escalations must be sent to tondani@mkassist.co.za. The Information Officer oversees the compliance framework, impact assessment, PAIA Manual, request processes, awareness and evidence required by the Information Regulator.

5. Direct marketing

A client may send a business-initiated WhatsApp message only where it has the required opt-in or another lawful permission, uses an approved template where required, clearly identifies itself, gives a practical opt-out and honours the opt-out. MK Assist optional marketing consent is separately recorded and can be withdrawn.

6. Special information and children

The service does not permit unrestricted processing of health, biometric, criminal, financial credential or children's information. Regulated sectors and education involving children require manual review. A client must not use MK Assist for prohibited legal, medical, financial or eligibility decisions. Prior authorisation must be assessed where the proposed processing falls within POPIA sections 57 and 58.

7. Security compromise responsibilities

An operator must immediately notify the responsible party of a compromise affecting client-controlled information. MK Assist contractually commits to notify without undue delay and, where reasonably practicable, within 24 hours of sufficient awareness to provide a meaningful initial notice. The client remains responsible for regulator and data-subject notification unless MK Assist is the responsible party for the affected processing. All reportable compromises must be handled under the Information Regulator's current process.