Get free door to door delivery on orders over R300.

Get free door to door delivery on orders over R300.

Shopping Cart

0

Your shopping cart is empty

Go to the shop

Privacy Policy

PRIVACY STATEMENT

BATA/D-18/PRIV/2026/001 v2.2    May 2026

 

1.  Who We Are

Responsible Party

Bata South Africa (Pty) Ltd

Registration No.

M1985000219 (CIPC)

IR Registration No.

2024-006292

Registered Address

5A Rydall Vale Crescent, Rydall Park, La Lucia, KZN 4051

Trading As

Bata South Africa    Toughees    Bata Industrial SA

Information Officer

Lorraine Denise Dyer (Director and Country Manager)

IO Email

informationofficer@bata.com  (shared POPIA and PAIA inbox)

IO Tel

031 812 3600

Programme Administrator

Adv. Don Leffler — CDII / Leffler & Partners

Effective Date

May 2026

Replaces

Bata South Africa Website Privacy Statement, effective 01 November 2018

Review Cycle

Annually, or within 30 days of any material change in law, IO structure, or processing activities

Document Ref

BATA/D-18/PRIV/2026/001 v2.2

 

Bata South Africa (Pty) Ltd (“Bata SA”, “we”, “our” or “us”) is a responsible party as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”). This Privacy Statement explains how we collect, use, share, protect, and retain personal information relating to our customers, website visitors, loyalty programme members, job applicants, employees, suppliers, contractors, and other data subjects.

This Privacy Statement applies across all three of our trading brands: Bata South Africa, Toughees, and Bata Industrial SA. It covers personal information collected through our websites (www.bata.co.za and www.toughees.co.za), our physical retail stores, our loyalty programme, our e-commerce platform, and our employment and supplier relationships.

 

PLAIN LANGUAGE COMMITMENT

 

This Privacy Statement is written in plain language. If any term is unclear, please contact our Information Officer at informationofficer@bata.com or 031 812 3600. We are happy to explain any aspect of how we handle your personal information.

2.  Scope of This Privacy Statement

This Privacy Statement applies to personal information processed by Bata SA in the following contexts:

  Browsing our websites (www.bata.co.za and www.toughees.co.za)

  Purchasing products in store or online

  Registering for or using our loyalty programme

  Subscribing to or receiving our marketing communications

  Applying for employment with Bata SA

  Supplying goods or services to Bata SA as a contractor or supplier

  Interacting with Bata SA as a director, officer, or governance principal or compliance programme officer

 

This Privacy Statement does not apply to the websites, products, or services of third parties that may be linked from our websites. We encourage you to read the privacy policies of any third-party websites you visit.

3.  Lawful Bases for Processing Your Personal Information

We process personal information only where at least one of the following lawful bases under POPIA s11 applies:

 

Lawful Basis

When We Rely on It

Consent

Where you have given us specific, informed, freely given consent — for example, to receive direct marketing emails or SMS, or to allow non-essential cookies. You may withdraw consent at any time.

Performance of a contract

Where processing is necessary to fulfil an order, provide a service, or manage your account or loyalty membership.

Legal obligation

Where we are required to process your information to comply with applicable South African law, including tax law, employment law, and company law.

Legitimate interests

Where processing is necessary for our legitimate business interests (such as fraud prevention, network security, and improving our products and services), provided those interests do not override your rights and freedoms. We conduct a legitimate interests assessment before relying on this basis.

Protection of your vital interests

Where processing is necessary to protect your life or the life of another person.

Pursuit of the responsible party’s or a third party’s legitimate interests

In limited circumstances where processing is necessary in the public interest or for the administration of justice, subject always to POPIA’s conditions.

4.  What Personal Information We Collect and Why

4.1  Website Visitors

When you visit our websites, we automatically collect: IP address; device type, browser type, and operating system; pages visited and time spent; referring URL; cookie identifiers and session data. We use this information to operate and improve our websites, detect and prevent fraud, and analyse traffic patterns. Our Cookie Policy (below) provides further detail on cookie use.

4.2  Customers (In-Store and Online)

When you purchase from us, we collect: name, contact details, delivery address, and payment information (payment data is processed by our payment service providers and is not retained on our own systems beyond what is required by law). Where you shop in store, we may collect transaction data, and where you participate in our loyalty programme, we collect your loyalty account information, purchase history, and preferences.

4.3  Loyalty Programme Members

When you join our loyalty programme, we collect: name, contact details, date of birth (to validate age eligibility), purchase history, and reward redemption records. Your loyalty data belongs to you as a data subject. You have the right to access, correct, and request deletion of your loyalty programme data at any time — see Section 8 below.

4.4  Job Applicants

When you apply for a position with Bata SA, we collect: name, contact details, CV and qualifications, identity document, referee details, and any other information you choose to provide in your application. We use this information solely for recruitment and assessment purposes.

4.5  Employees

We collect and process employee personal information in accordance with our Employee Workplace Monitoring Notice (BSA-SN-001/2026) and as required by South African employment law, tax law, and skills development legislation. This includes identity, contact, payroll, banking, leave, performance, and IT system usage data.

4.6  Suppliers and Contractors

When you supply goods or services to Bata SA, we collect: contact details, banking information, company registration details, B-BBEE certificate, and tax compliance information. We use this information to manage our supplier relationships and to comply with our legal and financial obligations.

5.  Who We Share Your Information With

We do not sell your personal information to any third party. We share personal information only with:

  Service providers (operators) who process information on our behalf under written data processing agreements, including: payment processors; e-commerce platform providers; email and SMS marketing platforms; HR and payroll system providers; IT security providers; and website analytics providers.

  Bata Brands SA (Avenue d’Ouchy 61, 1006 Lausanne, Switzerland) — our group headquarters — for consolidated financial reporting, HR system management, and global IT platform operations. Cross-border transfer safeguards are described in Section 9 below.

  Government bodies, regulators, and courts where we are required to do so by law, including the South African Revenue Service, the Department of Employment and Labour, and the Information Regulator.

  Our professional advisors (attorneys, auditors, and consultants) bound by professional confidentiality obligations, including our Programme Administrator (CDII / Leffler & Partners — Adv. Don Leffler) who processes personal information in the course of administering the compliance programme.

 

We require all third parties with whom we share personal information to maintain appropriate security safeguards and to process information only in accordance with our instructions.

6.  Children’s Personal Information

 

  IMPORTANT: TOUGHEES AND BUBBLEGUMMERS

 

Bata SA’s Toughees and Bubblegummers brands are marketed to children and their parents. Where our website or loyalty programme is accessed by or on behalf of a person under the age of 18, POPIA s35 requires that we obtain consent from a competent person (parent or legal guardian) before processing that child’s personal information. If you are a parent or guardian and you believe that your child’s personal information has been collected without your consent, please contact us immediately at informationofficer@bata.com so that we can take appropriate action.

 

Our website uses a cookie consent banner. We are currently reviewing the age-appropriateness of this mechanism and will implement enhanced age-verification or parental consent workflows as required to comply with POPIA s35 and the Information Regulator’s Guidance Note on the processing of personal information of children.

We do not knowingly process the personal information of children under 18 without the consent of a competent person, except where this is permitted by law (for example, in the context of legitimate employment administration where the child is an employee).

7.  Direct Marketing

7.1  Our Marketing Activities

Bata SA conducts direct marketing through email, SMS, social media, and in-store communications. We operate a loyalty programme through which we communicate offers, promotions, and rewards to registered members.

7.2  Lawful Basis for Marketing

Channel

Lawful Basis

Electronic (email, SMS, WhatsApp, automated calls)

Consent required (POPIA s69). We will only contact you electronically for marketing purposes where you have given us your explicit prior consent, or where you are an existing customer who has not opted out. Automated telephone calls and robocalls are treated as electronic communications in accordance with the Information Regulator’s December 2024 Direct Marketing Guidance Note.

Non-electronic (postal, in-person)

Legitimate interests or consent (POPIA s11). We conduct a legitimate interests assessment before processing. You have the right to object at any time.

 

7.3  Your Rights Regarding Marketing

You have the right to opt out of direct marketing at any time, free of charge and without providing reasons. To exercise this right:

  Click the “Unsubscribe” link in any marketing email or SMS we send you.

  Send an email to informationofficer@bata.com with the subject line “Marketing Opt-Out”.

  Register a pre-emptive block under the Consumer Protection Act 68 of 2008 via the National Consumer Commission.

 

We will process your opt-out request within 5 business days and will not contact you again for direct marketing purposes thereafter, except as required by law.

8.  Your Rights as a Data Subject

POPIA ss23–26 and the April 2025 POPIA Regulation amendments give you the following rights in relation to your personal information:

 

Right

What It Means

Access (s23)

Request confirmation of whether we hold your personal information, and a copy of it.

Correction (s24)

Request correction of inaccurate, misleading, or out-of-date personal information.

Deletion (s24)

Request deletion of personal information that is no longer necessary for the purpose for which it was collected, or that is being processed unlawfully.

Objection (s11(3))

Object to processing of your personal information on reasonable grounds.

Withdrawal of consent (s26)

Withdraw consent to processing where processing is based on your consent.

Direct marketing opt-out (s69)

Opt out of direct marketing communications at any time, free of charge.

Automated decisions (s71)

Request human reconsideration of any fully automated decision that significantly affects you.

Complaint

Lodge a complaint with the Information Regulator (contact details in Section 12).

 

8.1  How to Submit a Request

In accordance with the April 2025 POPIA Regulation amendments, you may submit a data subject rights request through any of the following channels:

  Email: informationofficer@bata.com

  Post: Information Officer, Bata South Africa, 5A Rydall Vale Crescent, Rydall Park, La Lucia, KZN 4051

  Telephone: 031 812 3600

  In person: at any Bata SA store or our head office during normal business hours

 

For PAIA access-to-records requests, please use the prescribed Form 2 (GG 45057, 27 August 2021), available from our Information Officer on request or downloadable from the Information Regulator’s website (www.inforegulator.org.za) or from our Information Officer. A request fee of R140.00 plus VAT at 15% (total R161.00) applies to PAIA requests. No exemption exists for personal requesters. No fee applies to POPIA data subject rights requests.

8.2  Response Timeframe

We will acknowledge your request within 48 hours. We will respond substantively within 30 calendar days of receiving a complete and valid request. Where we require an extension, we will notify you in writing before the original 30-day deadline expires, stating our reasons.

9.  International Transfers of Personal Information

Bata SA is part of the Bata Group, headquartered at Bata Brands SA, Avenue d’Ouchy 61, 1006 Lausanne, Switzerland. We transfer personal information outside South Africa in the following circumstances:

 

Recipient

Purpose

Safeguards

Bata Brands SA — Lausanne, Switzerland

Group financial reporting, HR systems, global IT platforms

Note on Swiss law: Switzerland has its own national legislation: the Federal Act on Data Protection (FADP). A revised version (the nFADP) came into effect on September 1, 2023, specifically designed to align Swiss law with the EU’s GDPR, ensuring continued data flows between Switzerland and the EU. Transfers to Bata Brands SA (Lausanne) may therefore proceed on an adequate protection basis under POPIA s72(1)(a). Group binding corporate rules (BCR) and/or standard contractual clauses (SCC) to be documented once confirmed with Bata Group legal (A-32). Data: all employee, financial and operational data.

E-commerce platform providers (Shopify or equivalent — provider to be confirmed by DIO Randall A-35)

Online store hosting and transaction processing

Standard contractual clauses / processor DPA. Data: online customer data.

Analytics and advertising providers (Google Analytics, Meta Pixel and additional providers — full list pending cookie audit A-31/A-35)

Website analytics and advertising measurement

Standard contractual clauses; consent where applicable. Data: website visitor data.

Payroll and HR platform providers

Salary processing, leave management, HR administration

Processor DPA. Data: employee data.

Email and SMS marketing platforms

Loyalty programme and promotional communications

Processor DPA; consent obtained before marketing sent. Data: opt-in subscriber contact data.

 

All international transfers comply with POPIA s72. We ensure that recipient countries or organisations provide an adequate level of protection for personal information equivalent to that required under POPIA. Where binding corporate rules are not yet in place, we rely on contractual safeguards (standard contractual clauses or equivalent). Note on Switzerland: Switzerland has its own national legislation: the Federal Act on Data Protection (FADP). A revised version (the nFADP) came into effect on September 1, 2023, specifically designed to align Swiss law with the EU’s GDPR to ensure that data can continue to flow freely between Switzerland and the EU. Transfers to our group headquarters (Bata Brands SA, Lausanne) may therefore proceed on an adequate protection basis under POPIA s72(1)(a).

 

LOCAL LAW PREVAILS

 

Bata SA is a South African company subject to South African law. Where the Bata Group’s global privacy framework provides lesser protections to South African data subjects than those required by POPIA, the requirements of POPIA take precedence. This reflects the Information Regulator’s September 2024 enforcement notice against WhatsApp and confirms our commitment to applying the full protections of POPIA to all South African data subjects.

10.  Retention of Personal Information

We retain personal information for no longer than is necessary for the purpose for which it was collected, subject to statutory minimum retention requirements. The following category-specific schedule applies:

 

Category

Types of Information

Lawful Basis

Retention Period

Employees

Contact details, ID, banking, payroll, IT system logs, B-BBEE data, performance records

Contract, legal obligation, legitimate interests

Duration of employment + 5 years (Tax Administration Act); personnel records 3 years after termination (LRA and BCEA — minimum 3 years post-termination)

Retail customers

Name, contact details, purchase history, loyalty programme data

Contract, consent (loyalty), legitimate interests

Active customer relationship + 3 years (CPA)

Online / e-commerce customers

Name, contact details, delivery address, payment data, browsing behaviour, cookies

Contract, consent (cookies/analytics), legitimate interests

Active relationship + 3 years; payment records 5 years (Tax Administration Act)

Suppliers and contractors

Contact details, banking, BBBEE certificate, company registration

Contract, legal obligation

Duration of relationship + 5 years

Job applicants

Name, contact details, CV, qualifications, ID, referee information

Pre-contractual steps, consent (where not appointed)

3 months after recruitment decision (unsuccessful, without consent); duration of employment if appointed

Website visitors

IP address, device data, browsing behaviour, cookie identifiers

Consent (non-essential cookies), legitimate interests (necessary functions)

Session data: 24 hours; analytics: 14 months (target — configured per ROPA P-05); advertising: 12 months

Directors and officers

Identity, appointment records, CIPC filings, programme governance records

Legal obligation, contract

Statutory retention periods under Companies Act (7 years minimum)

 

At the end of the applicable retention period, personal information is securely deleted or anonymised. Backup copies are deleted on the next scheduled backup cycle.

11.  Security Safeguards

In compliance with POPIA s19, we maintain appropriate, reasonable technical and organisational security measures to protect personal information against loss, damage, unauthorised destruction, and unlawful access. These measures include:

  Four-tier data classification framework (Public, Internal, Confidential, Strictly Confidential) implemented through Microsoft Purview.

  Role-based access controls — access to personal information is granted only to authorised persons on a need-to-know basis, and is logged and auditable.

  Encryption of personal information in transit (TLS 1.2+) and at rest (AES-256) in accordance with our data classification framework and POPIA s19 security requirements.

  Regular security assessments and monitoring through DIO (IT Security), Allan Graham Randall (Africa Security and Global Data Protection Lead).

  Staff training on POPIA obligations and information security practices.

  A formal Breach Response Plan governing our response to security compromises.

 

11.1  Breach Notification

In the event of a security compromise that poses a real risk of harm to data subjects, we will:

  Notify the Information Regulator as soon as reasonably possible via the IR eServices portal (mandatory since 1 April 2025 — Form SCN1).

  Notify affected data subjects as soon as reasonably possible, in writing, with sufficient detail to enable them to take protective action.

  The IR may require us to make public the fact of a security compromise where this would benefit affected data subjects.

12.  Automated Processing and Artificial Intelligence

Where Bata SA uses automated systems or artificial intelligence tools to process personal information (for example, for personalised product recommendations or fraud detection), we:

  Disclose this fact in our communications with you where required by law.

  Ensure that meaningful human oversight is maintained over automated decisions that significantly affect data subjects.

  Provide an opportunity for human reconsideration of any such decision on request (POPIA s71).

 

We do not make fully automated decisions that produce legal effects or similarly significant effects on individuals without human oversight.

13.  Governance and Accountability

Bata SA’s Board of Directors bears ultimate accountability for information governance in accordance with the King V Report on Corporate Governance for South Africa 2024, Principle 10. The Board has adopted a formal information governance resolution confirming the designation of the Information Officer and Deputy Information Officers, the adoption of the POPIA and PAIA Compliance Programme, and the quarterly compliance reporting obligations of the Information Officer.

Our Information Officer (Lorraine Denise Dyer, Director and Country Manager) bears legal responsibility for POPIA and PAIA compliance and reports to the Board on a quarterly basis on compliance metrics, data subject requests, security incidents, and regulatory developments.

14.  Complaints and the Information Regulator

If you are not satisfied with our handling of your personal information or your data subject rights request, you may:

  Contact our Information Officer at informationofficer@bata.com or 031 812 3600.

  Lodge a formal complaint with the Information Regulator of South Africa.

 

Contact

Detail

General enquiries

enquiries@inforegulator.org.za

POPIA complaints

POPIAComplaints@inforegulator.org.za

PAIA complaints

PAIAComplaints@inforegulator.org.za

Telephone

010 023 5200

Toll free

0800 001 7160

Postal address

P.O. Box 31533, Braamfontein, Johannesburg 2017

eServices portal

https://eservices.inforegulator.org.za

15.  Version Control and Updates

This Privacy Statement is version 2.2, effective May 2026. It replaces the Bata South Africa Website Privacy Statement, effective 01 November 2018. We review this statement annually and will update it within 30 days of any material change in law, our processing activities, or our IO/DIO structure.

The current version of this Privacy Statement is always available at www.bata.co.za/privacy-policy/ and www.toughees.co.za/privacy-policy/. We will notify loyalty programme members and registered customers of material changes by email.

 

Version

Date

Summary of Changes

v2.2

May 2026

QA corrections applied: (1) IO sign-off capacity corrected to Director | Country Manager | Information Officer; (2) WordPress platform assumptions removed from Cookie Policy s2 (provider TBC pending cookie audit A-31); (3) LRA s31 reference corrected to LRA and BCEA; (4) Analytics retention 26 months → 14 months target per ROPA P-05; (5) Randall designation updated to DIO (IT Security) full format; (6) Cross-border table pending qualifiers added; (7) Programme Administrator added to s5 recipients; (8) Analytics cookie description corrected; (9) Automated telephone calls clarified; (10) Form 2 IR website URL corrected; (11) Encryption standards specified TLS 1.2+/AES-256; (12) Programme participant → governance principal; (13) Cookie Settings implementation note added; (14) Publication Instructions Randall title corrected.

v2.1

May 2026

Full rewrite. Previous document (November 2018) replaced in its entirety. POPIA s18 mandatory content added. IO updated to Lorraine Denise Dyer. Correct IR complaint address. All six lawful bases stated. Category-specific retention schedule. Children’s data clause (POPIA s35). Direct marketing framework per IR December 2024 Guidance Note. April 2025 POPIA Regulation amendments incorporated. Cross-border transfer disclosure. Breach notification process. AI clause. King V governance statement. Local-prevails clause.

v1.0

01 Nov 2018

Original document — superseded in its entirety by v2.1.

 

 

BATA/D-18/PRIV/2026/001 v2.2    May 2026    Bata South Africa (Pty) Ltd    Reg. M1985000219