Tuffias Sandberg
privacy notice


This Privacy Notice applies to Tuffias Sandberg, a Chartered Accountant and Auditing Firm in the Republic of South Africa (“Tuffias Sandberg”, “we” or “us”), in respect of all persons that it processes personal information in respect of, including its clients, suppliers, recruitment applicants, third-parties and website visitors (“you”).

Tuffias Sandberg is committed to protecting the confidentiality and privacy of the personal information it processes. This Privacy Notice explains how we process and protect your personal information.

As a South African firm, all our data processing activities are primarily regulated by the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”), as amended from time to time. For the purposes of this Privacy Notice, the terms “personal information” and “process”, are as defined in POPIA.


Tuffias Sandberg, a Chartered Accountant and Auditing Firm in the Republic of South Africa. Our offices are situated at Building No. 8, Greenstone Hill Office Park, Emerald Boulevard, Greenstone Hill Ext. 22, Edenvale, 1609.


This Privacy Notice applies to all persons (both natural and juristic) that Tuffias Sandberg collects and process personal information from or about, including but not limited to website visitors, clients, suppliers, employees, consultants and recruitment candidates.


POPIA defines personal information as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

While using our website, or engaging with us for any reason, you may be required to provide us with your personal information. This may happen when, for example, you send through an enquiry on a contact form on our website, you contract with us for the provision of any of our services, you submit a job application to us through our career page (or by other means), you become employed by us, it is necessary for the provision of any services provided by us or you, or when concluding a contract with us.

In certain instances, you may also be required to provide us with sensitive information that is classified by POPIA as special personal information. The collection of this information from you, when required, will be necessary in order to achieve the purpose that we are collecting and processing it for.

Some of the personal information that we may collect from you, could include:

  • Identification details such as name, surname, ID/Passport Number;
  • Contact details, such as phone numbers, email addresses, physical and postal addresses;
  • Demographical details, such as race, and age groups;
  • Biometric information (in relation to employees);
  • Financial information, such as account numbers;
  • Credit information;
  • Background information;
  • Qualification information, CV’s and other personal information that may be requested throughout the recruitment process to assess and consider your job application (in relation to recruitment applicants);
  • Professional body registration information;
  • When visiting our website, anonymised data relating to your location and your browser type, browser version, the pages of our website that you visit, the date and time of your visit, the duration of time spent on the website pages and other applicable statistics which are recorded by Google Analytics to analyse user behaviour on our website. No personally identifiable Information is collected at any point;
  • When you use one of our contact forms on our website, personal information may be requested and once submitted will be stored in the database of our website.

Generally, we collect your personal information directly from you. However, in certain circumstances we may also collect your personal information from other sources, where this is necessary to achieve the purpose that such information is being collected for.

Generally, the collection of personal information from you and the other sources referred to above is mandatory in order to achieve the purpose for which it is being collected by us (as set out below). We will notify you where the collection of certain personal information is voluntary and not mandatory. The refusal to provide us with the mandatory personal information that we may require, may have an impact on our ability to provide you with our services or to achieve the purpose that we require the personal information for.


We may collect, use, share and/or generally process your personal information (including, where applicable your special personal information) for the following purposes (“Permitted Purposes”):

  • To provide you with our services;
  • To comply with all legislative and legal requirements placed on us, which may include, but not be limited to, legislative reporting and document retention periods and where the law requires that information be notified to third parties (such as government institutions or statutory bodies);
  • To conclude or perform a contract with you, or to take any take steps linked to or necessary for the conclusion or performance of a contract with you;
  • Where applicable, for general marketing and communication purposes, where you are a previous or existing client of Tuffias Sandberg or where you have signed up to receive our newsletters on or through our website or any contact forms available on our website. In instances where you sign up to receive our newsletters through our website or on any of our contact forms, the contact details and/or email address that you provide us with for the purposes of the newsletter is solely used for the purposes of our newsletter database. All general marketing and communications will be in compliance with the provisions of POPIA. You will be given the opportunity to unsubscribe from any marketing communications, general communications and/or newsletters at any time, and with each communication received;
  • Where necessary, for any purposes which are in our, your, or a third party’s legitimate interest;
  • To perform general administrative, operational, management and performance functions and activities relating to the operation and running of our business and of our website, and for the purposes of managing our legal and operational affairs;
  • For any purposes which are required or authorised by law;
  • To respond to requests by government, statutory bodies, a court of law, or law enforcement authorities conducting an investigation;
  • For reporting, statistical, analytical, research and historical purposes;
  • Where you are applying for a vacancy with us, to process your application throughout our recruitment process;
  • Where you are an employee or consultant of Tuffias Sandberg, to perform our obligations to you under our employment agreement or consultancy agreement and to manage and administer your employment or consultancy with us;
  • In relation to the use of our website, to identify, investigate and attend to any technical issues, support and user queries;
  • To detect, prevent or deal with any actual or alleged fraud, security breach, or the abuse, misuse or unauthorised use of the website and/or contravention of this Privacy

We may also collect, use, share and/or generally process personal information or data that has been de-identified and/or aggregated, for example statistical or demographic data, for any purpose. Aggregated or de-identified data is not considered personal information in terms of POPIA, as this information is de-identified and does not, directly or indirectly, reveal your identity.


We value and respect the confidentiality and privacy of the personal information that you entrust us with. We are not in the business of selling your personal information and we will not share or disclose your personal information to anyone except as provided in this Privacy Notice and/or any contracts or terms and conditions of service concluded with us.

By using our website and/or engaging with us for the provision of our services, you acknowledge and agree that we may share your personal information (including, where applicable your special personal information) in the following instances:

  • If it is necessary in order to provide you with a service that have you have requested or contracted us to provide or source on your behalf;
  • If it is in your legitimate interest;
  • If it is necessary for the proper performance of a public law duty by a public body;
  • If it is required or authorised by law;
  • If you have provided us with your consent;
  • With our service providers (including our suppliers, subcontractors, affiliates, partners, agents, consultants and professional advisors), in order to provide you with our services, for reporting purposes or generally as required for the administration and management of our business. In these instances, we will ensure that the necessary security safeguards and confidentiality undertakings are in place to secure your personal information. We will only allow third parties to process your personal information for a specific purpose, in accordance with our instructions and in accordance with the requirements of POPIA and any other applicable data privacy laws;
  • With our employees, who may require that information to do their jobs;
  • With regulators, government authorities and statutory bodies in connection with our compliance procedures and legal obligations;
  • With a purchaser or prospective purchaser of all or part of our assets or our business, and their professional advisers, in connection with the purchase;
  • With a third party, in order to enforce or defend our rights, or to address financial or reputational risks.

Securing the personal information you give us, or that we receive about you, is a priority for Tuffias Sandberg.

We have appropriate and reasonable physical, technical and organisational security measures in place to protect the personal information that we process, in accordance with the requirements of POPIA and the applicable professional industry body codes and standards that apply to our business. 


We will not retain your personal information longer than necessary. We will retain the personal information you provide to us or that we receive about you for as long as is needed to achieve the purpose that it was collected for, or for an extended period of time, even after the personal information is no longer needed to achieve the purpose that it was collected for, if the retention of your personal information records is:

  • required by law or any code of conduct;
  • required to meet regulatory requirements;
  • needed for evidentiary purposes, to resolve disputes, to prevent or investigate fraud and abuse, or to enforce any contract concluded with you;
  • reasonably required for lawful purposes that are related to Tuffias Sandberg’s functions, operations or activities;
  • determined necessary in accordance with our internal document retention and destruction policies;
  • required for historical, research or statistical purposes. In these circumstances we will take measures to de-identify this personal information as far as reasonably possible.

Where applicable, personal information that has been included on our newsletter and communications database and that is used for marketing and communication purposes will be retained by us. When you request to unsubscribe from these communications, your contact information contained in this database will be placed into an unsubscribe list, to enable us to manage and honour your unsubscribe request. Should you require us to delete your information completely from our newsletter and communication data base, you understand that we will no longer be able to manage your unsubscribe request (as we will no longer have a record of your unsubscribe request available in our database).


Generally, Tuffias Sandberg does not use personal information for direct marketing purposes. Tuffias Sandberg may however send out newsletters and informative communications to its clients and those subscribed to its newsletter database, from time to time. Any communications sent out by Tuffias Sandberg for the purposes of direct marketing would however be done in compliance with the requirements of POPIA.


We may store both hard copy and electronic records containing personal information.

Hard copy personal information records may be stored at our premises, or when archived, at a third-party document retention service provider for the duration of the applicable document retention period. We will take reasonable and appropriate measures to ensure that hard copy personal information records stored or retained by third party service providers (if applicable) is done in compliance with POPIA.

Electronic personal information records may be stored on Tuffias Sandberg’s servers and/or on third party servers, including servers used for cloud-based software and applications used by Tuffias Sandberg for the Permitted Purposes as set out earlier in this Privacy Notice.

While Tuffias Sandberg endeavours, as far as reasonably possible, to store your personal information locally in South Africa, we may be required to transfer to and/or store your personal information on servers located outside of South Africa. Tuffias Sandberg may also have third party service providers that are located outside of South Africa, which may result in your personal information being transferred and processed outside of South Africa. Some of this personal information may be special personal information.

Tuffias Sandberg will take reasonable and appropriate measures to ensure that any personal information, including special personal information, that is transferred outside of the borders of South Africa is transferred in compliance with the requirements of POPIA and that an adequate level of privacy protection is in place between us and these third-party service providers. 


In certain limited instances, Tuffias Sandberg may be required to collect and process special personal information and/or children’s personal information, particularly in relation to our employees and the management of their employment with us.

Any special personal information and children’s personal information that is required to be collected and processed by Tuffias Sandberg will be done in compliance with the provisions of POPIA.


As a data subject, POPIA provides you with a number of rights in relation to how your personal information is used and processed. In terms of POPIA, you are entitled, in the prescribed manner and form, to:

  • request a copy of the personal information that we hold about you (subject to and in accordance with the provisions of the Promotion of Access to Information Act);
  • update the personal information you have given to us, in the event that the personal information is inaccurate or outdated;
  • request the correction, destruction or deletion of personal information we hold about you (where legally permissible and subject to our right not to correct or delete the personal information record in certain circumstances);
  • object to your personal information being processed by us (on reasonable and lawful grounds), in instances where you have a legitimate reason to believe that we are not processing your personal information in accordance with the provisions of POPIA; and to
  • object to any processing of your personal information for the purpose of direct marketing by electronic communication, in the prescribed manner and form, or to unsubscribe from receiving any marketing or communication emails received from us by clicking the “unsubscribe” link at the bottom of any email.

We will make commercially reasonable efforts to provide you reasonable access to any of your personal or other account information that we process and/or retain. In certain circumstances, such as when we are required retain or withhold the disclosure of certain personal information by law, we may not be able to provide you with access to all your personal information or we may not be able to change, rectify or delete your personal information at your request. In these circumstances, we will provide you with reasons as to why your request cannot be complied with.

Generally, all personal information records will only be made available in accordance with the Promotion of Access to Information Act, 2 of 2002 (“PAIA”), and such requests are required to be made in terms of PAIA, through the completion and submission of the prescribed PAIA Form C . These requests will be addressed and dealt with in accordance with the provisions of PAIA and in accordance with the processes and timelines that have been put in place by Tuffias Sandberg to address data subject access requests and complaints.


If you have a complaint about how we are processing your personal information, or if you wish to object to us processing your personal information or request the correction, deletion or destruction of any of the personal information records we hold about you please contact our Information Officer at info@tsza.co.za (Attention: Information Officer), in the first instance, so that we can resolve the complaint or attend to your request.

All requests need to be submitted on the prescribed forms, as set out in the POPIA Regulations.

All requests for access to personal information records must be done through the completion and submission of the prescribed PAIA Form C, as prescribed in terms of PAIA.

The prescribed form for reporting complaints regarding the use or processing of your personal information by us, must be addressed on Form 1.

The prescribed form for requesting the correction, deletion or destruction of your personal information records by us, must be addressed on Form 2. You acknowledge that in some instances Tuffias Sandberg may not be able to comply with your request to correct or delete your personal information, where this request conflicts with any applicable laws.

In terms of POPIA, you are also entitled to direct a compliant to the Office of the Information Regulator, South Africa, if you feel that your complaint has not been adequately addressed directly with us. Complaints to be addressed to the Information Regulator must be completed in the prescribed manner and form (on prescribed Form 5 Part II, as set out in the POPIA Regulations).

The Office of the Information Regulator may be contacted at inforeg@justice.gov.za (general enquiries) or
POPIAcomplaints.IR@justice.gov.za  (complaints).

Their website is: http://www.justice.gov.za/inforeg/.


Changes may need to be made to this Privacy Notice, from time to time. We will endeavour to only make changes to this Privacy Notice where they are material, necessary and/or required as a result of legislative or regulatory changes or guidance, or any code of conducts published that may be relevant to the industry in which our business operates.

Any changes made to this Privacy Notice will be posted through an updated Privacy Notice that is loaded onto this website page. Please check this page to keep informed of any updated or revised Privacy Notice that may be posted. 


This Privacy Notice is governed by the laws of the Republic of South Africa, and you hereby consent to the jurisdiction of the South African courts in respect of any dispute which may arise out of or in connection with the formation, interpretation, substance or application of this Privacy Notice.