S.A.M.D.A. CHAMPIONSHIPS
PRIVACY NOTICE & POLICY
Effective Date: 26 August 2025 | Next Review Date: 26 August 2026
1. WHO WE ARE
The South African Music, Dance & Dramatic Arts Championships (Pty) Ltd (“S.A.M.D.A.”, “we”, “us”, “our”) is the responsible party (in POPIA terms) for all personal information collected in connection with our competitions, website (https://samda.co.za), mobile platforms, ticketing, marketing and archival activities.
2. SCOPE & RELATIONSHIP TO TERMS & CONDITIONS
This Privacy Notice is incorporated by reference into the S.A.M.D.A. Championships Terms & Conditions. Any capitalised terms not defined herein bear the same meaning as in the Terms & Conditions.
3. WHAT PERSONAL INFORMATION WE COLLECT
We only collect information that is adequate, relevant and limited to what is necessary for the purposes described in Section 4.
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, date of birth, passport/ID number, gender, age division. | Registration forms, uploaded documents. |
| Contact Data | Email, cell number, physical address, emergency contact details. | Same as above. |
| Parent/Guardian Data | Name, relationship, contact details, consent record. | Provided by parent/guardian where participant is <18. |
| Special Categories (Health) | Medical conditions, allergies, disabilities relevant to safe participation. | Voluntary disclosure on medical form. |
| Transaction Data | Bank account, proof of payment, VAT invoices. | Payment gateway, EFT confirmations. |
| Technical Data | IP address, browser type, device identifiers, cookie IDs, usage logs. | Website, Google Analytics. |
| Performance Data | Category entered, scores, adjudicator comments, recordings, photos. | Event systems, judges’ tablets. |
| Marketing Data | Opt-in/out preferences, competition history, survey responses. | Direct interaction, email clicks. |
4. PURPOSES & LAWFUL BASES OF PROCESSING (POPIA Sec 11)
| Purpose | Lawful Basis (POPIA) | Retention Trigger |
|---|---|---|
| Registration, seeding, scheduling, accreditation. | Contractual necessity. | Duration of event + 3 yrs. |
| Payment, refunds, tax compliance. | Legal obligation (Tax Act). | 5 yrs per SARS. |
| Health & safety, emergency response. | Vital interests / legal duty. | Duration of event. |
| Live-streaming, photography, press releases. | Consent (can withdraw). | 10 yrs for archival purposes. |
| Post-event statistics, academic research. | Legitimate interest (anonymised). | Indefinite (de-identified). |
| Direct marketing of future S.A.M.D.A. events. | Consent (opt-in tick-box). | Until withdrawn. |
5. COOKIES & ONLINE TRACKING
5.1 Types: Strictly necessary, performance (Google Analytics), functional, and marketing cookies.
5.2 Consent: First-time users see a layered banner; analytics/marketing cookies fire only after opt-in.
5.3 Browser controls: Instructions to disable are linked in the banner.
5.4 Third-party processors: Google LLC (USA) – Standard Contractual Clauses in place.
6. RECIPIENTS & TRANSFERS
6.1 Internal: Event managers, adjudicators, finance, IT support.
6.2 External (under written contracts):
Payment gateway (PayFast, ZA)
Medical personnel & emergency services (if on-site incident)
6.3 Transfers outside SA: Only to countries with an adequacy decision or under SCCs.
6.4 Law enforcement disclosures: Only when obliged by South African court order or legislation.
7. SECURITY MEASURES (POPIA Sec 19)
TLS 1.3 encryption in transit; AES-256 at rest.
Role-based access with MFA for administrators.
Annual penetration testing and vulnerability scans.
Incident response plan (24-hour notification to Regulator if breach > threshold).
Backup retention: encrypted daily to off-site facility for 30 days.
8. DATA RETENTION & DELETION
| Record Type | Retention Period | Deletion Method |
|---|---|---|
| Registration forms | 3 yrs after last event | Secure shredding (hard) / NIST 800-88 wipe (digital). |
| Financial/tax records | 5 yrs after fiscal year end | Redacted then deleted. |
| Photos/video (marketing) | 10 yrs (unless consent withdrawn) | Permanent deletion from all platforms on request. |
| CCTV footage (venues) | 30 days unless incident | Overwritten automatically. |
Deletion requests can be made via samddac@gmail.com and will be actioned within 30 days unless overriding legal basis exists.
9. YOUR RIGHTS (POPIA Chap 3)
| Right | How to Exercise | Timeline |
|---|---|---|
| Access | Email request with copy of ID | 30 days |
| Rectification | Use update portal or email evidence | 15 days |
| Objection to processing | Complete Objection Form | 30 days |
| Withdraw consent | Opt-out link or email | Immediate effect (no retroactive impact). |
| Data portability | Export button or email | 30 days |
| Lodge complaint | info.reg@justice.gov.za | Regulator investigates. |
10. CHILDREN & PARENTAL CONSENT
10.1 For participants under 18, we collect parental/guardian contact details and verifiable consent.
10.2 Marketing emails are never sent directly to children under 13.
10.3 Parent/guardian may withdraw consent on the child’s behalf at any time.
11. DIRECT MARKETING
11.1 Opt-in tick-box appears on every registration form.
11.2 Each marketing email contains a one-click unsubscribe.
11.3 SMS marketing includes “STOP” reply option.
12. CHANGES TO THIS NOTICE
12.1 Material changes will be notified via email and prominent notice on the Website 30 days before taking effect.
12.2 Non-material (e.g., contact details update) are posted on the Website.
13. COMPLAINTS & CONTACT
14. ACCEPTANCE
By ticking “I accept the Privacy Notice” on any S.A.M.D.A. form or by attending an event, you acknowledge that you have read and understood this Privacy Notice and agree to the processing of your personal information as described.