Document Code: NeftalyP214
Approved By: Neftaly Malatjie, Chief Executive Officer
Date Approved: 28 November 2025
Next Review Date: 28 November 2026
Neftaly Policy Owner: Neftaly Chief Technology Officer (NeftalyCTR)
NeftalyP214-1: Neftaly CEO Neftaly Malatjie Address on the Purpose and Rationale for Launching the Neftaly Human Capital GDPR Management Policy
To the Chairperson of Neftaly, all Neftaly Royal Committee, all Neftaly Royal Chiefs, and all Neftaly Human Capital,
Kgotso a ebe le lena (peace be with you).
As the world becomes increasingly digital, data privacy and protection have never been more critical. Neftaly values the trust of our Human Capital, clients, contractors, and all stakeholders, and we are fully committed to complying with the General Data Protection Regulation (GDPR). The introduction of the Neftaly Human Capital GDPR Management Policy (NeftalyP214) reinforces our commitment to safeguarding personal data and ensuring the privacy rights of our Human Capital are respected.
This policy sets the standards for how Neftaly handles personal data across the organisation. It outlines our procedures, processes, and frameworks for data collection, processing, retention, and disposal. By launching this policy, we aim to create a secure, compliant, and transparent data management environment.
My message shall end here.
Neftaly Malatjie | CEO | Neftaly
NeftalyP214-2: Neftaly Scope
NeftalyP214-2-1 This policy applies to:
- NeftalyP214-2-1-1 All Neftaly departments, programs, events, platforms, and business units.
- NeftalyP214-2-1-2 All Human Capital, contractors, and third-party service providers who handle personal data on behalf of Neftaly.
- NeftalyP214-2-1-3 All digital platforms, including internal websites, apps, and external communications channels.
- NeftalyP214-2-1-4 All personal data collected and processed by Neftaly.
NeftalyP214-3: Neftaly Definitions
- NeftalyP214-3-1 Personal Data: Any information that relates to an identified or identifiable natural person (e.g., name, contact details, identification numbers).
- NeftalyP214-3-2 Sensitive Data: Special categories of personal data, including racial or ethnic origin, political opinions, religious beliefs, health data, and more.
- NeftalyP214-3-3 Data Subject: The individual whose personal data is being processed.
- NeftalyP214-3-4 Data Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
- NeftalyP214-3-5 Data Controller: Neftaly, the entity determining the purposes and means of processing personal data.
- NeftalyP214-3-6 Data Processor: A third party contracted by Neftaly to process personal data on our behalf.
- NeftalyP214-3-7 GDPR: The General Data Protection Regulation (EU 2016/679), a regulation governing data protection and privacy in the European Union.
NeftalyP214-4: Neftaly Objectives
- NeftalyP214-4-1 To ensure that all personal data is collected, processed, and stored in compliance with GDPR.
- NeftalyP214-4-2 To protect the privacy and data security of all Neftaly Human Capital.
- NeftalyP214-4-3 To establish clear procedures for handling requests related to data access, rectification, and deletion.
- NeftalyP214-4-4 To promote transparency in the collection and processing of personal data.
- NeftalyP214-4-5 To provide a framework for responding to data breaches and incidents effectively.
- NeftalyP214-4-6 To maintain records of data processing activities.
NeftalyP214-5: Neftaly Roles and Responsibilities
NeftalyP214-5-1 Neftaly CEO (NeftalyCER)
- NeftalyP214-5-1-1 Final approval of GDPR compliance initiatives and reports.
- NeftalyP214-5-1-2 Oversight of data privacy and protection practices.
NeftalyP214-5-2 Neftaly Chief Technology Officer (NeftalyCTR)
- NeftalyP214-5-2-1 Policy owner, custodian, and overall coordinator of GDPR management.
- NeftalyP214-5-2-2 Ensuring the implementation of data protection controls and processes.
NeftalyP214-5-3 Neftaly Human Capital Department
- NeftalyP214-5-3-1 Ensuring that all Human Capital data is processed according to GDPR guidelines.
- NeftalyP214-5-3-2 Managing data subject rights requests (access, rectification, deletion).
NeftalyP214-5-4 Neftaly IT Department
- NeftalyP214-5-4-1 Implementing data protection measures, including encryption and access controls.
- NeftalyP214-5-4-2 Monitoring for security vulnerabilities and incidents.
NeftalyP214-5-5 Neftaly Compliance and Legal Team
- NeftalyP214-5-5-1 Ensuring compliance with GDPR during data processing.
- NeftalyP214-5-5-2 Conducting periodic audits and assessments.
NeftalyP214-6: Neftaly Procedures
NeftalyP214-6-1 Data Collection and Consent
- NeftalyP214-6-1-1 Obtain explicit consent from data subjects for the collection and processing of their personal data.
- NeftalyP214-6-1-2 Consent must be clear, informed, and freely given.
- NeftalyP214-6-1-3 Use NeftalyT214-01 Consent Form for capturing consent.
NeftalyP214-6-2 Data Minimization
- NeftalyP214-6-2-1 Only collect personal data necessary for the specified purpose.
- NeftalyP214-6-2-2 Avoid excessive or irrelevant data collection.
NeftalyP214-6-3 Data Processing and Storage
- NeftalyP214-6-3-1 Process data securely, ensuring that it is protected against unauthorized access, alteration, or loss.
- NeftalyP214-6-3-2 Store personal data only for the period necessary to fulfill the purpose.
- NeftalyP214-6-3-3 Use encrypted storage solutions and secure access protocols.
NeftalyP214-6-4 Data Subject Rights
- NeftalyP214-6-4-1 Allow data subjects to exercise their rights, including:
  - Right to Access (NeftalyT214-02 Request Form)
  - Right to Rectification
  - Right to Deletion
  - Right to Restriction of Processing
- NeftalyP214-6-4-2 Process requests within the GDPR-required timeframes (30 days).
NeftalyP214-6-5 Data Transfers
- NeftalyP214-6-5-1 Ensure that any transfer of personal data to a third party complies with GDPR guidelines, particularly where data is transferred outside the EU.
- NeftalyP214-6-5-2 Use contractual safeguards such as Data Processing Agreements (NeftalyT214-03).
NeftalyP214-6-6 Data Breaches
- NeftalyP214-6-6-1 Immediately report any data breach to the Data Protection Officer (DPO) and relevant authorities.
- NeftalyP214-6-6-2 Document and assess the breach, and inform affected data subjects if required.
- NeftalyP214-6-6-3 Complete NeftalyT214-04 Data Breach Report Form.
NeftalyP214-6-7 Staff Training and Awareness
- NeftalyP214-6-7-1 Ensure all Neftaly staff are trained on GDPR principles and personal data protection practices.
- NeftalyP214-6-7-2 Conduct periodic refresher training and awareness sessions.
NeftalyP214-7: Neftaly Templates, Documents, and Forms
NeftalyP214-7-1 Core Templates and Documents
- NeftalyP214-7-1-1 NeftalyT214-01 Data Subject Consent Form
- NeftalyP214-7-1-2 NeftalyT214-02 Data Access Request Form
- NeftalyP214-7-1-3 NeftalyT214-03 Data Processing Agreement
- NeftalyP214-7-1-4 NeftalyT214-04 Data Breach Report Form
- NeftalyP214-7-1-5 NeftalyT214-05 Data Retention Schedule
- NeftalyP214-7-1-6 NeftalyT214-06 Data Subject Deletion Request Form
- NeftalyP214-7-1-7 NeftalyT214-07 Privacy Impact Assessment (PIA) Template
- NeftalyP214-7-1-8 NeftalyT214-08 Data Protection Impact Report
- NeftalyP214-7-1-9 NeftalyT214-09 Vendor Data Protection Questionnaire
(Additional templates and documents are available on request or through the Neftaly GDPR Portal.)
NeftalyP214-8: Neftaly Compliance
NeftalyP214-8-1 All personnel at Neftaly who interact with personal data must adhere to the following GDPR compliance rules:
- NeftalyP214-8-1-1 Collect data only for specific, legitimate purposes.
- NeftalyP214-8-1-2 Ensure data is accurate, up-to-date, and complete.
- NeftalyP214-8-1-3 Implement appropriate security measures for data protection.
- NeftalyP214-8-1-4 Adhere to principles of transparency and accountability in data processing.
- NeftalyP214-8-1-5 Respond promptly to data subject requests within the prescribed timeframes.
NeftalyP214-8-2 Failure to comply with GDPR requirements may result in disciplinary action, including termination of employment or contracts, and financial penalties. Non-compliance will also be reported to relevant authorities as required by law.
NeftalyP214-9: Neftaly Frequently Asked Questions (FAQs)
- What is GDPR?
  GDPR is a regulation in EU law on data protection and privacy. It provides a framework for protecting personal data and gives individuals greater control over their personal information.
- What data does Neftaly collect?
  Neftaly collects data necessary for operational activities, including employee details, personal identifiers, contact information, and professional qualifications.
- How do I exercise my data rights?
  Submit a request through the Data Subject Rights Form (NeftalyT214-02), which will be processed within 30 days.
- How does Neftaly ensure data security?
  Neftaly uses encrypted systems, secure networks, and regular audits to ensure the confidentiality and security of personal data.
- Can Neftaly transfer my data outside the EU?
  Neftaly will only transfer data outside the EU under strict conditions, ensuring adequate safeguards such as Data Processing Agreements.
- What happens if my data is breached?
  If there is a breach, Neftaly will inform you within the required timeframe and take corrective actions.
- Who can I contact for more information on GDPR?
  Contact the Neftaly Data Protection Officer via the GDPR portal or email at dpo@saypro.com.
