Data Protection Policy

As a responsible party as defined by the Protection of Personal Information Act 4 of 2013 (“POPIA”), we at Anneke Whelan Attorneys (“AWA”) have prepared the following policy to protect our data subjects from suffering any loss because of our breach of POPIA. Data Protection compliance is a key function at AWA where we are committed to delivering services in compliance with the applicable law and regulations, accountable to our clients and data subjects for protecting their personal data and personal data breaches.

Anneke Whelan is the Information Officer (“IO”) for AWA. For queries, contact Anneke by email at or by telephone at 082 924 0500.

AWA collects the personal information of its clients as defined in terms of POPIA and, as required by the Financial Intelligence Centre Act 38 of 2001, as amended (“FICA”), e.g., the race, gender, sex and identity number, proof of address, company registration documents including shareholder registers and the race, gender, sex and identity number of its directors, trust documents including the race, gender, sex and identity number of trustees and beneficiaries).

Compliance Framework & Privacy Policy

These documents are kept in both electronic format and hard copy format in our offices situated at Suite 105, Level 1, Clock Tower Office Suites, Clock Tower, V & A Waterfront, Cape Town, 8001, Western Cape.

The hard copy format documents are stored in a lockable filing cabinet on our office premises which are monitored 24/7 by V & A Waterfront security personnel stationed opposite the main entrance to our offices and is further protected with an alarm system connected to a response unit.

The electronic copy format documents are stored in the cloud via Microsoft Cloud Storage software. AWA has a Microsoft 365 subscription which allows us to save documents in a personal vault. A personal vault is a protected folder within Microsoft OneDrive that can only be accessed with a two-step authentication verification. It gives us an added layer of protection for our most important files and personal information we hold. Please see Microsoft’s Trusted Data Protection guide for further information.

We accordingly secure the integrity and confidentiality of personal information in our possession or under our control by taking appropriate, reasonably practical, and organisational measures to prevent any loss or damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information. All documents containing the personal information of our clients, suppliers, employees, etc. that we are no longer required and/or authorised to retain, is discarded into a lockable bin, which is collected by our third-party supplier who removes the bin from our premises, and attends to document destruction at its premises, and who thereafter provides us with a certificate confirming compliance with POPIA in terms of destruction of personal information.

Should we discover an actual or suspected “security compromises” as defined in POPIA, we will immediately report such breach to our client, the Information Regulator, and notify the Legal Practice Council, accordingly.

AWA’s website – – only uses cookies insofar as the Google Virtual Tour add-on makes use of cookies. Our website makes provision for a ‘cookie notice’ and ‘cookie policy’.

Google tracks the number of virtual tour views and as the Google 360° Street View Virtual Tour is built on Google Maps by using Google Analytics to track the user information. We have not subscribed to Google’s marketing service. Please see Google Analytics Tracking Code overview for more information.

Individual roles and responsibilities from team members.

Each individual team member is responsible for complying in accordance with this policy and have indicated their acceptance by signing a copy hereof.

Each individual team member is responsible for complying in accordance with this policy and have indicated their acceptance by signing a copy hereof.

Vac students, interns and non-permanent staff are required to sign a confidentiality agreement, which incorporates the data protection policy.


Security and Reliability of Record Keeping

Data Centre
All records are kept on our self-managed servers at the underground Xneelo Data Centre in Cape Town and Johannesburg who enforce very strict security measures with respect to geotechnical audits, surveillance, access control, fire prevention, power outages, etc. More information is here:

All access to the server is possible only via HTTPS and SSH both of which are encrypted connections using industry standards. Only our senior developers would have any access to these production servers. All of whom have over 20 years’ experience in security on Linux-based servers. All customer records are kept in their distinct databases and thus mitigates against the risk of cross-database data leaks due to potential bugs in the software.

Redundancy & Backups
We replicate all database traffic to a backup server, with an additional 7-day rotational backup of the database. Uploaded files are also backed up on a 7-day rotational basis. Access to the backup servers are the same as the production servers.

Audit logs of access to the servers are logged (both locally and remotely) and we have fail2ban software installed to help against brute-force password guessing attacks. We have various testing systems that run periodically to test the stability of the servers as well as any database anomalies. Third-Party Data Sharing Data is not shared with any third party without explicit opt-in from the user, and then only the minimum data is shared for an integration to function. For example, the Gmail calendar integration shares matter names, diary dates and diary entry descriptions, and does not divulge anything to Google that isn’t necessary for each diary appointment. The integration with E4 gives their system the same access as a bookkeeper user as it is necessary for this integration to be able to query accounting transactions and post fees. In all cases third party access is granted explicitly to each firm database, there is no third-party API key with access to multiple databases.

By far the greatest know security risk is with the users themselves. Obtaining a username and password from an employee at the user’s workspace would allow someone access to the data.

Operating System Security Updates & Firewall
All our servers run Ubuntu Linux-based OS and security updates are applied regularly. Only a minimal set of secured ports are open to the public. Port 80 / HTTP is used only to issue redirect responses to Port 443 / HTTPS.

Retention Policy
We keep all records while the user is still a customer of LawPracticeZA and for 6 months after termination of their account. All records can be deleted upon request. Document Authored by: Edward van Kuik B.Sc. (Computer Science) UCT.

For more information, feel free to contact our Information Officer, Anneke Whelan at or 082 924 0500.