[ LEGAL ]

Privacy policy

Last updated: June 2026

PVB Group (Pty) Ltd ("PVB Group", "we", "us") provides background screening and vetting services across South Africa. The right to privacy is enshrined in the Constitution of the Republic of South Africa and protected by the Protection of Personal Information Act 4 of 2013 (POPIA). This policy explains how we collect, verify, use, store, and protect personal information, and the rights you hold over it.

For the purposes of POPIA, PVB Group is the Responsible Party for the personal information it processes. Our practice is governed by four internal policies, summarised below: data privacy, accuracy assurance, record retention, and technology and security.

[ Policy documents ] Read the full data policies Data privacy · Accuracy assurance · Record retention · Technology and security →

Data privacy and POPIA

We process personal information lawfully, for a specific and legitimate purpose, and with the security safeguards POPIA requires. Personal information means any information relating to an identifiable person, including identity numbers, contact details, employment history, qualifications, financial information, and biometric data such as fingerprints.

Information we process

We process information about two categories of data subject:

  • Clients — name, email address, company name, telephone number, and the content of enquiries submitted through this website or during the service relationship.
  • Candidates — identity document details, biometric information where a fingerprint check is requested, employment history, qualifications, and other information required to perform the screening checks instructed by an employing client. Candidate information is collected and processed only after written, informed consent has been obtained.

Your rights as a data subject

Under POPIA you have the right to:

  • Access the personal information we hold about you.
  • Request that we correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, or unlawfully obtained.
  • Object, on reasonable grounds, to the processing of your personal information.
  • Object to the use of your personal information for direct marketing.
  • Lodge a complaint with the Information Regulator.
  • Be informed that your personal information is being collected, and to be notified where it has been accessed by an unauthorised party.

How we guide our processing

Our handling of personal information is governed by the conditions for lawful processing in POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

Special personal information and children

Some checks involve special personal information, such as criminal history or biometric data, and may involve the personal information of children. We process this information only where the law permits and where it is necessary for the specific verification instructed, with the appropriate consent and safeguards in place.

Making an access request

To access, correct, or delete personal information we hold about you, contact our Information Officer at [email protected]. Our Information Officer is Dylan Petzer ([email protected], +27 14 000 4442), supported by Deputy Information Officer Kevin Garth Van Bosch ([email protected]).

You may also lodge a complaint with the Information Regulator: Ms Mmamoroke Mphelo, 5 ALU Building, 316 Thabo Sehume Street, Pretoria, 0001.

Accuracy of verification results

A screening report is only useful if it is accurate. We take deliberate steps to ensure the information in our reports is correct, current, and verifiable.

  • Reliable sources. We collect information from reputable, authoritative sources and never rely on unverified information in a report.
  • Independent verification. Material information is confirmed through at least one independent source, and we cross-check across multiple sources where they are available.
  • Documented checks. We record the verification steps taken for each report and flag any inconsistencies found during the process.
  • Quality control. Reports undergo a quality assurance review before delivery. We run regular internal audits, conducted at least annually by trained, independent auditors, alongside random spot checks.
  • Trained people, supported by technology. Our staff are trained in verification practice and use data management systems, automated verification tools, and error-detection software to support accuracy.

Where suppliers or agents assist with a verification, we require corroboration from independent sources and a maintained audit trail. We treat accuracy as a process of continuous improvement.

How long we keep records

We retain records only for as long as the law and our regulatory obligations require, after which they are securely destroyed. Our retention periods are:

  • Client records — at least 5 years from the last interaction.
  • Candidate records — at least 5 years from completion of the screening.
  • Financial records — at least 7 years, in line with the Tax Administration Act.
  • Audit records — at least 5 years.
  • Legal and compliance records — at least 7 years.

Storage and disposal

Electronic records are stored on encrypted, secure servers; physical records are kept in locked storage. When a retention period ends, electronic data is securely wiped or shredded and physical records are shredded or incinerated. Records subject to a legal hold are retained until the hold is lifted. Our retention practice is reviewed annually.

How we protect your information

We maintain technical and organisational safeguards aligned with POPIA and ISO/IEC 27001 to keep personal information secure.

  • Access controls. Access is role-based and protected by multi-factor authentication. Access rights are audited quarterly, and third-party access is restricted.
  • Encryption. Data is encrypted in transit and at rest using AES-256, with managed encryption keys.
  • Network security. We use firewalls and intrusion detection and prevention systems, segment our networks, run penetration tests quarterly, and require VPN access for remote connections.
  • Endpoint security. Devices run antivirus and mobile device management, and critical patches are applied within 24 hours.
  • Backup and recovery. Backups are encrypted and taken daily, stored offsite, and supported by a disaster recovery plan that is tested twice a year.
  • People and process. Staff receive security training, including phishing simulations. Suspected incidents are reported immediately and investigated within one hour, and we conduct risk assessments twice a year.

Contact us

PVB Group (Pty) Ltd
Wigwam Estate, Rex Road, Rustenburg, 0299
[email protected]
+27 68 640 4779