Privacy Statement
Information Officer: Louw Allan · information.officer@wemindfoundation.co.za · +27 83 399 9911
1. Who We Are
Community Development Initiatives International NPC (CDII) is a South African non-profit company focused on education, skills development, enterprise development, and community upliftment programmes. CDII operates We MiND Foundation as a division and delivers programmes through www.wemindfoundation.co.za.
| Full legal name | Community Development Initiatives International NPC |
| Registration | 2012/201981/08 |
| SARS PBO | 930 041 456 |
| SARS Tax Reference | 9162706189 |
| IR Registration | 2025-008244 |
| Registered address | 02 Hotel Road, Cullinan 1000, Tshwane, Gauteng |
| Information Officer | Louw Allan (Johannes Lodewikus Allan) |
| Deputy IO | Donald Bernard Leffler (designated under POPIA s17(1)) |
| IO email | information.officer@wemindfoundation.co.za |
| IO telephone | +27 83 399 9911 |
2. Scope
This statement applies to all personal information processed by CDII in connection with education, skills development, enterprise, and community programmes; donor and partner relationships; our websites; and administrative, governance, and compliance functions. It applies to all data subjects: programme participants, staff and volunteers, directors, donors, service providers, and website visitors.
3. Information We Collect
| Category | Types of Information | How Collected |
|---|---|---|
| Programme participants | Name, ID/passport, contact details, educational history, assessment data, digital signatures, photographs, cultural preferences | Registration forms, assessment submissions, facilitator records |
| Staff & volunteers | Name, contact details, employment records, bank details, tax references | Employment contracts, HR records |
| Directors | Name, appointment date, contact details (ID numbers held internally, not published publicly) | MOI, CIPC filings |
| Donors & sponsors | Name, organisation, contact details, donation records | Donation forms, correspondence |
| Website visitors | IP address, browser type, pages visited, time and date, cookie data | Automatic collection; consent banner for non-essential cookies |
4. Lawful Bases for Processing (POPIA s11)
| Lawful Basis | POPIA | How CDII relies on this |
|---|---|---|
| Consent | s11(1)(a) | Participant data; optional marketing; AI-assisted learning; photography. Consent is voluntary, specific, informed, and withdrawable at any time. |
| Contractual necessity | s11(1)(b) | Fulfilling obligations under programme enrolment, employment, and partnership agreements. |
| Legal obligation | s11(1)(c) | PAIA, POPIA, Companies Act, Income Tax Act, SARS PBO requirements, SETA/QCTO/SAQA obligations. |
| Legitimate interests | s11(1)(f) | Programme quality assurance, fraud prevention, security, governance and audit — balanced against data subject rights. |
| Vital interests | s11(1)(d) | Health or emergency contact information where safety is at risk and consent cannot be obtained. |
| Public interest | s11(1)(e) | Community development research where processing serves broader public benefit and meets ethical standards. |
5. Purposes of Processing
We collect and use personal information only for: delivering and administering education, training, and skills development programmes; assessing learners and issuing certificates; managing donor relationships; fulfilling statutory obligations; operating digital platforms and AI-assisted tools; communicating programme updates where you have consented; conducting anonymised research; and safety, security, and fraud prevention. We will not use your information for any incompatible purpose without fresh consent or a new lawful basis.
6. Artificial Intelligence and Automated Processing (POPIA s71)
You have the right under POPIA s71 to request that any automated decision affecting you be reconsidered by a human being. Contact our Information Officer to exercise this right.
7. Children's Personal Information (POPIA s35)
8. Sharing Your Information
We share personal information only where necessary. We do not sell your personal information and do not share it with third parties for their own marketing purposes.
| Recipient | Purpose | Safeguards |
|---|---|---|
| SETA / QCTO / SAQA | Learner registration, certification | Statutory obligation (s11(1)(c)) |
| SARS / CIPC | Tax compliance, NPC statutory reporting | Statutory obligation |
| We MiND Foundation | Joint programme delivery | Partnership agreement; consent where required |
| Auditors / legal advisers | Financial audit, legal compliance | Written confidentiality agreement |
| Technology providers | Platform hosting, AI tools, IT support | Data processing agreements; POPIA-compliant contracts |
| Information Regulator | POPIA / PAIA compliance; breach notification | Statutory obligation |
| Employers (participants) | Learner progress reporting | Participant's prior written consent only |
9. Cross-Border Transfer (POPIA s72)
CDII's primary operations and data storage are in South Africa. Where cross-border processing occurs — website hosting via Netlify, Inc. (USA), web font delivery via Google Fonts (USA), and Google Analytics 4 once activated (USA) — CDII ensures POPIA s72 compliance through the provider's standard data processing terms, supplemented by a written data processing agreement where personal information is involved. See the Cookie Policy for full details of each third-party service.
10. Data Retention (POPIA ss14–15)
| Category | Retention Period | Authority |
|---|---|---|
| Programme / training records | 5 years from completion | SAQA Act; QCTO regulations |
| Assessment records | 7 years from date of assessment | SAQA Act; SETA accreditation requirements |
| Financial records (donations, invoices) | 7 years | Income Tax Act s73; Companies Act s24 |
| Employment records | 3 years post-employment (minimum) | Basic Conditions of Employment Act; SARS requirements |
| Website visitor logs | 12 months, then anonymised | Legitimate interests; security audit requirements |
| Consent records | 3 years from last interaction | POPIA s11; burden of proof requirements |
11. Security
We implement appropriate technical and organisational measures to protect personal information against unlawful access, loss, destruction, or damage. In the event of a data breach affecting your rights and interests, we will notify the Information Regulator within 72 hours and notify you as soon as reasonably practicable.
12. Direct Marketing
We send marketing communications only to persons who have consented (new contacts) or where an existing relationship permits (current participants — POPIA s69(2)). You may opt out at any time by replying UNSUBSCRIBE to any email, or by contacting the Information Officer. Opt-out is actioned within 5 business days.
13. Your Rights Under POPIA
| Right | POPIA | How to exercise | Our response |
|---|---|---|---|
| Access | s23 | Written request to IO; PAIA Form 2 required; R140 request fee (no exemption for personal records — GG 45057) | Within 30 days (extendable by 30 days) |
| Correction / deletion | s24 | Written request to IO | Correct inaccurate or delete unlawfully held information within 30 days |
| Object to processing | s11(3) | Written objection to IO | Stop processing unless overriding legitimate ground demonstrated |
| Withdraw consent | s26 | Written notice to IO | Immediate effect; does not affect prior lawful processing |
| Object to direct marketing | s69 | Reply UNSUBSCRIBE / STOP, or contact IO | Actioned within 5 business days |
| Automated decision review | s71 | Written request to IO | Reconsidered by qualified human; outcome within 30 days |
| Lodge a complaint | s74 | Contact Information Regulator directly (see Section 16) | IR has jurisdiction — you may complain without approaching CDII first |
Submission channels: Email: information.officer@wemindfoundation.co.za · Post: Information Officer, CDII, 02 Hotel Road, Cullinan 1000, Tshwane · Tel: +27 83 399 9911 · In person: by appointment
14. Governance and Board Accountability
CDII's Board of Directors has adopted this Privacy Statement and the CDII POPIA Compliance Programme. The Information Officer (Louw Allan) reports to the Board on POPIA compliance matters. The Deputy Information Officer (Donald Leffler) assists and acts in the IO's absence.
15. Updates to This Statement
Reviewed annually or within 30 days of any material change in law, processing activities, IO structure, or a security incident. Previous versions are available from the Information Officer on request.
16. Information Regulator Contact Details
You have the right to lodge a complaint with the Information Regulator of South Africa:
Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | 16 Aug 2025 | Initial version |
| 3.0 | 1 Jun 2026 | Full revision: lawful bases table; retention schedule; AI/s71 disclosure; children's data clause; cross-border transfer table; complete IR contact details; Deputy IO designation; plain language commitment |
| 3.1 | 1 Jun 2026 | Removed Hivekeeper references; added www.cdii.org.za as second website |
| 3.2 | 1 Jun 2026 | Both websites added throughout |
| 3.3 | 10 Jun 2026 | Phone corrected to +27 72 7113 277 throughout (CC-01). |
| 3.4 | 16 Jun 2026 | Domain consolidated to www.wemindfoundation.co.za (CDII's own, independently-operated domain); IO/DIO email addresses updated to the @wemindfoundation.co.za standard (CF-113/CF-116). Section 9 (Cross-Border Transfer) rewritten to reflect actual current technical arrangements — Netlify hosting, Google Fonts, and Google Analytics 4 replace the prior generic Cloudflare CDN reference. Current operative version. |
Cookie Policy
What Are Cookies?
A cookie is a small text file placed on your device when you visit a website. Under POPIA, any cookie that can identify you — directly or indirectly — is personal information and must be processed lawfully.
This Policy applies only to www.wemindfoundation.co.za, which CDII registered and operates independently. It does not apply to www.wemindfoundation.com or cdii.org.za — those domains remain on infrastructure controlled by a third party under an unresolved ownership dispute, and CDII cannot certify what cookies that infrastructure deploys.
Cookie Consent Banner
Once implemented, a consent banner will be displayed on your first visit, allowing you to accept all cookies (including Google Analytics), reject all non-essential cookies, or customise by category. Your preference will be stored for 12 months. CDII will not place Google Analytics or any other non-essential cookie on your device until the banner is live and you have made a choice — declining will never prevent you from accessing the content of this website.
PAIA Manual
This Manual is published in compliance with section 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA), read with the PAIA Regulations, 2021 (GG 45057, 27 August 2021) and the Protection of Personal Information Act 4 of 2013 (POPIA). It describes the records held by Community Development Initiatives International NPC (CDII) and its division We MiND Foundation, the procedure for requesting access, applicable fees, and grounds on which access may be refused.
Includes Schedule 1 (Records Classification) and all Annexures
The key operative provisions are summarised below. The downloadable PDF above is the authoritative, complete, signed version as required under PAIA s51. Both are published on www.wemindfoundation.co.za. A printed copy is available on request from the Information Officer.
Automatically Available Records (PAIA s52)
The following records are automatically available and do not require a formal PAIA request:
| Record | Access Method |
|---|---|
| This PAIA Manual v2.2 | Download PDF · Summary on this page · www.wemindfoundation.co.za · Hard copy on request from IO |
| PAIA Form 2 (prescribed request form) | Annexure 1 to the full Manual · www.inforegulator.org.za · On request from IO |
| Privacy Statement v3.4 | This page · www.wemindfoundation.co.za · On request from IO |
| Cookie Policy v2.0 FINAL | This page · www.wemindfoundation.co.za · On request from IO |
| NPO/NPC Registration (MOI) | Available from CIPC · On request from IO |
| B-BBEE Certificate | On request from IO |
| SARS PBO Certificate (PBO 930 041 456) | On request from IO |
| PAIA Annual Report (most recent: April 2026) | On request from IO · Submitted to IR eServices portal |
Categories of Records Held (PAIA s51)
CDII holds records in the following categories. The listing of a category does not create an entitlement to access — all requests are assessed against the grounds for refusal in PAIA Chapter 4.
| Category | Examples |
|---|---|
| Corporate & governance | Memorandum of Incorporation; Board resolutions; director appointments; CIPC filings; minutes of meetings |
| Financial records | Financial statements; bank records; donation receipts; invoices; s18A certificates; tax returns |
| Programme records | Learner enrolment registers; assessment records; certificates issued; SETA submissions; training registers |
| Staff & HR records | Employment contracts; payroll records; leave records; disciplinary files; skills development plans |
| PAIA & POPIA records | PAIA access requests and responses; POPIA consent records; incident reports; IO correspondence |
| Correspondence | Programme communication; donor correspondence; government and regulatory correspondence |
| Website & digital records | Website logs; cookie consent records; digital platform access logs |
| SmartCommute™ programme | Programme Participation Agreements; Disbursement Notices; Employee Acceptance Forms; payroll records; s18A certificates; B-BBEE SED letters |
How to Request Access to Records
Download complete PAIA Manual v2.2 (PDF, 21 pages) — includes PAIA Form 2 as Annexure 1.
To request access to a record, submit a written request using PAIA Form 2 (prescribed form under Regulation 4 of the PAIA Regulations, 2021). The form is available from the Information Officer on request.
We will respond to PAIA requests within 30 days (extendable by 30 days where necessary, with written notice). PAIA access requests and POPIA rights requests are separate processes with different procedures and fees.
Fees
| Fee type | Amount | Notes |
|---|---|---|
| Request fee | R140.00 | Payable before the request is processed. No exemptions — applies to all requesters including data subjects requesting their own records (GG 45057). No VAT applies. |
| Access fee | Per prescribed schedule | Charged on granting access — covers reproduction and search costs. Current schedule: GG 45057, 27 August 2021. See Annexure 2 of the full Manual. |
| Deposit | Up to 1/3 of estimated access fee | Required where estimated search time exceeds 6 hours or access fee likely to exceed R600. Must be paid before processing continues. |
| Fee waiver | At IO discretion | The IO may waive or reduce fees where payment would cause the requester financial hardship. A written application for a waiver may be submitted with the request. |
| POPIA rights requests | No charge | POPIA rights requests (correction, deletion, objection, consent withdrawal) are processed at no charge. These are entirely separate from PAIA access requests. |
Grounds for Refusal of Access (PAIA Ch.4)
| Ground | PAIA | Mandatory / Discretionary |
|---|---|---|
| Protection of third-party personal information | s63 | Mandatory — IO has no discretion |
| Protection of commercial information of a third party | s64 | Mandatory |
| Protection of confidential information of a third party | s65 | Mandatory |
| Protection of safety of individuals or property | s66 | Mandatory |
| Records privileged from production in legal proceedings | s67 | Mandatory — applies to legal professional privilege |
| Commercial information of CDII itself | s68 | Discretionary — IO may still grant access |
| Research information | s69A | Discretionary — IO may still grant access |
| Record cannot be found or does not exist | s56(3) | IO must certify in writing |
Complaint to the Information Regulator
If you are dissatisfied with our response to a PAIA request, you may lodge a complaint with the Information Regulator at PAIAComplaints@inforegulator.org.za or contact the IR using the details in Section 16 of the Privacy Statement.
Tshwane, Gauteng, South Africa