PRIVACY STATEMENT
BATA/D-18/PRIV/2026/001 v2.2 • May 2026
|
Responsible Party
|
Bata South Africa (Pty) Ltd
|
|
Registration No.
|
M1985000219 (CIPC)
|
|
IR Registration No.
|
2024-006292
|
|
Registered Address
|
5A Rydall Vale Crescent, Rydall Park, La Lucia, KZN 4051
|
|
Trading As
|
Bata South Africa • Toughees • Bata Industrial SA
|
|
Information Officer
|
Lorraine Denise Dyer (Director and Country Manager)
|
|
IO Email
|
informationofficer@bata.com (shared POPIA and PAIA inbox)
|
|
IO Tel
|
031 812 3600
|
|
Programme Administrator
|
Adv. Don Leffler — CDII / Leffler & Partners
|
|
Effective Date
|
May 2026
|
|
Replaces
|
Bata South Africa Website Privacy Statement, effective 01 November 2018
|
|
Review Cycle
|
Annually, or within 30 days of any material change in law, IO structure, or processing activities
|
|
Document Ref
|
BATA/D-18/PRIV/2026/001 v2.2
|
Bata South Africa (Pty) Ltd (“Bata SA”, “we”, “our” or “us”) is a responsible party as defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”). This Privacy Statement explains how we collect, use, share, protect, and retain personal information relating to our customers, website visitors, loyalty programme members, job applicants, employees, suppliers, contractors, and other data subjects.
This Privacy Statement applies across all three of our trading brands: Bata South Africa, Toughees, and Bata Industrial SA. It covers personal information collected through our websites (www.bata.co.za and www.toughees.co.za), our physical retail stores, our loyalty programme, our e-commerce platform, and our employment and supplier relationships.
|
PLAIN LANGUAGE COMMITMENT
This Privacy Statement is written in plain language. If any term is unclear, please contact our Information Officer at informationofficer@bata.com or 031 812 3600. We are happy to explain any aspect of how we handle your personal information.
|
2. Scope of This Privacy Statement
This Privacy Statement applies to personal information processed by Bata SA in the following contexts:
• Browsing our websites (www.bata.co.za and www.toughees.co.za)
• Purchasing products in store or online
• Registering for or using our loyalty programme
• Subscribing to or receiving our marketing communications
• Applying for employment with Bata SA
• Supplying goods or services to Bata SA as a contractor or supplier
• Interacting with Bata SA as a director, officer, or governance principal or compliance programme officer
This Privacy Statement does not apply to the websites, products, or services of third parties that may be linked from our websites. We encourage you to read the privacy policies of any third-party websites you visit.
3. Lawful Bases for Processing Your Personal Information
We process personal information only where at least one of the following lawful bases under POPIA s11 applies:
|
Lawful Basis
|
When We Rely on It
|
|
Consent
|
Where you have given us specific, informed, freely given consent — for example, to receive direct marketing emails or SMS, or to allow non-essential cookies. You may withdraw consent at any time.
|
|
Performance of a contract
|
Where processing is necessary to fulfil an order, provide a service, or manage your account or loyalty membership.
|
|
Legal obligation
|
Where we are required to process your information to comply with applicable South African law, including tax law, employment law, and company law.
|
|
Legitimate interests
|
Where processing is necessary for our legitimate business interests (such as fraud prevention, network security, and improving our products and services), provided those interests do not override your rights and freedoms. We conduct a legitimate interests assessment before relying on this basis.
|
|
Protection of your vital interests
|
Where processing is necessary to protect your life or the life of another person.
|
|
Pursuit of the responsible party’s or a third party’s legitimate interests
|
In limited circumstances where processing is necessary in the public interest or for the administration of justice, subject always to POPIA’s conditions.
|
4. What Personal Information We Collect and Why
When you visit our websites, we automatically collect: IP address; device type, browser type, and operating system; pages visited and time spent; referring URL; cookie identifiers and session data. We use this information to operate and improve our websites, detect and prevent fraud, and analyse traffic patterns. Our Cookie Policy (below) provides further detail on cookie use.
4.2 Customers (In-Store and Online)
When you purchase from us, we collect: name, contact details, delivery address, and payment information (payment data is processed by our payment service providers and is not retained on our own systems beyond what is required by law). Where you shop in store, we may collect transaction data, and where you participate in our loyalty programme, we collect your loyalty account information, purchase history, and preferences.
4.3 Loyalty Programme Members
When you join our loyalty programme, we collect: name, contact details, date of birth (to validate age eligibility), purchase history, and reward redemption records. Your loyalty data belongs to you as a data subject. You have the right to access, correct, and request deletion of your loyalty programme data at any time — see Section 8 below.
When you apply for a position with Bata SA, we collect: name, contact details, CV and qualifications, identity document, referee details, and any other information you choose to provide in your application. We use this information solely for recruitment and assessment purposes.
We collect and process employee personal information in accordance with our Employee Workplace Monitoring Notice (BSA-SN-001/2026) and as required by South African employment law, tax law, and skills development legislation. This includes identity, contact, payroll, banking, leave, performance, and IT system usage data.
4.6 Suppliers and Contractors
When you supply goods or services to Bata SA, we collect: contact details, banking information, company registration details, B-BBEE certificate, and tax compliance information. We use this information to manage our supplier relationships and to comply with our legal and financial obligations.
5. Who We Share Your Information With
We do not sell your personal information to any third party. We share personal information only with:
• Service providers (operators) who process information on our behalf under written data processing agreements, including: payment processors; e-commerce platform providers; email and SMS marketing platforms; HR and payroll system providers; IT security providers; and website analytics providers.
• Bata Brands SA (Avenue d’Ouchy 61, 1006 Lausanne, Switzerland) — our group headquarters — for consolidated financial reporting, HR system management, and global IT platform operations. Cross-border transfer safeguards are described in Section 9 below.
• Government bodies, regulators, and courts where we are required to do so by law, including the South African Revenue Service, the Department of Employment and Labour, and the Information Regulator.
• Our professional advisors (attorneys, auditors, and consultants) bound by professional confidentiality obligations, including our Programme Administrator (CDII / Leffler & Partners — Adv. Don Leffler) who processes personal information in the course of administering the compliance programme.
We require all third parties with whom we share personal information to maintain appropriate security safeguards and to process information only in accordance with our instructions.
6. Children’s Personal Information
|
⚠ IMPORTANT: TOUGHEES AND BUBBLEGUMMERS
Bata SA’s Toughees and Bubblegummers brands are marketed to children and their parents. Where our website or loyalty programme is accessed by or on behalf of a person under the age of 18, POPIA s35 requires that we obtain consent from a competent person (parent or legal guardian) before processing that child’s personal information. If you are a parent or guardian and you believe that your child’s personal information has been collected without your consent, please contact us immediately at informationofficer@bata.com so that we can take appropriate action.
|
Our website uses a cookie consent banner. We are currently reviewing the age-appropriateness of this mechanism and will implement enhanced age-verification or parental consent workflows as required to comply with POPIA s35 and the Information Regulator’s Guidance Note on the processing of personal information of children.
We do not knowingly process the personal information of children under 18 without the consent of a competent person, except where this is permitted by law (for example, in the context of legitimate employment administration where the child is an employee).
7.1 Our Marketing Activities
Bata SA conducts direct marketing through email, SMS, social media, and in-store communications. We operate a loyalty programme through which we communicate offers, promotions, and rewards to registered members.
7.2 Lawful Basis for Marketing
|
Channel
|
Lawful Basis
|
|
Electronic (email, SMS, WhatsApp, automated calls)
|
Consent required (POPIA s69). We will only contact you electronically for marketing purposes where you have given us your explicit prior consent, or where you are an existing customer who has not opted out. Automated telephone calls and robocalls are treated as electronic communications in accordance with the Information Regulator’s December 2024 Direct Marketing Guidance Note.
|
|
Non-electronic (postal, in-person)
|
Legitimate interests or consent (POPIA s11). We conduct a legitimate interests assessment before processing. You have the right to object at any time.
|
7.3 Your Rights Regarding Marketing
You have the right to opt out of direct marketing at any time, free of charge and without providing reasons. To exercise this right:
• Click the “Unsubscribe” link in any marketing email or SMS we send you.
• Send an email to informationofficer@bata.com with the subject line “Marketing Opt-Out”.
• Register a pre-emptive block under the Consumer Protection Act 68 of 2008 via the National Consumer Commission.
We will process your opt-out request within 5 business days and will not contact you again for direct marketing purposes thereafter, except as required by law.
8. Your Rights as a Data Subject
POPIA ss23–26 and the April 2025 POPIA Regulation amendments give you the following rights in relation to your personal information:
|
Right
|
What It Means
|
|
Access (s23)
|
Request confirmation of whether we hold your personal information, and a copy of it.
|
|
Correction (s24)
|
Request correction of inaccurate, misleading, or out-of-date personal information.
|
|
Deletion (s24)
|
Request deletion of personal information that is no longer necessary for the purpose for which it was collected, or that is being processed unlawfully.
|
|
Objection (s11(3))
|
Object to processing of your personal information on reasonable grounds.
|
|
Withdrawal of consent (s26)
|
Withdraw consent to processing where processing is based on your consent.
|
|
Direct marketing opt-out (s69)
|
Opt out of direct marketing communications at any time, free of charge.
|
|
Automated decisions (s71)
|
Request human reconsideration of any fully automated decision that significantly affects you.
|
|
Complaint
|
Lodge a complaint with the Information Regulator (contact details in Section 12).
|
8.1 How to Submit a Request
In accordance with the April 2025 POPIA Regulation amendments, you may submit a data subject rights request through any of the following channels:
• Email: informationofficer@bata.com
• Post: Information Officer, Bata South Africa, 5A Rydall Vale Crescent, Rydall Park, La Lucia, KZN 4051
• Telephone: 031 812 3600
• In person: at any Bata SA store or our head office during normal business hours
For PAIA access-to-records requests, please use the prescribed Form 2 (GG 45057, 27 August 2021), available from our Information Officer on request or downloadable from the Information Regulator’s website (www.inforegulator.org.za) or from our Information Officer. A request fee of R140.00 plus VAT at 15% (total R161.00) applies to PAIA requests. No exemption exists for personal requesters. No fee applies to POPIA data subject rights requests.
We will acknowledge your request within 48 hours. We will respond substantively within 30 calendar days of receiving a complete and valid request. Where we require an extension, we will notify you in writing before the original 30-day deadline expires, stating our reasons.
9. International Transfers of Personal Information
Bata SA is part of the Bata Group, headquartered at Bata Brands SA, Avenue d’Ouchy 61, 1006 Lausanne, Switzerland. We transfer personal information outside South Africa in the following circumstances:
|
Recipient
|
Purpose
|
Safeguards
|
|
Bata Brands SA — Lausanne, Switzerland
|
Group financial reporting, HR systems, global IT platforms
|
Note on Swiss law: Switzerland has its own national legislation: the Federal Act on Data Protection (FADP). A revised version (the nFADP) came into effect on September 1, 2023, specifically designed to align Swiss law with the EU’s GDPR, ensuring continued data flows between Switzerland and the EU. Transfers to Bata Brands SA (Lausanne) may therefore proceed on an adequate protection basis under POPIA s72(1)(a). Group binding corporate rules (BCR) and/or standard contractual clauses (SCC) to be documented once confirmed with Bata Group legal (A-32). Data: all employee, financial and operational data.
|
|
E-commerce platform providers (Shopify or equivalent — provider to be confirmed by DIO Randall A-35)
|
Online store hosting and transaction processing
|
Standard contractual clauses / processor DPA. Data: online customer data.
|
|
Analytics and advertising providers (Google Analytics, Meta Pixel and additional providers — full list pending cookie audit A-31/A-35)
|
Website analytics and advertising measurement
|
Standard contractual clauses; consent where applicable. Data: website visitor data.
|
|
Payroll and HR platform providers
|
Salary processing, leave management, HR administration
|
Processor DPA. Data: employee data.
|
|
Email and SMS marketing platforms
|
Loyalty programme and promotional communications
|
Processor DPA; consent obtained before marketing sent. Data: opt-in subscriber contact data.
|
All international transfers comply with POPIA s72. We ensure that recipient countries or organisations provide an adequate level of protection for personal information equivalent to that required under POPIA. Where binding corporate rules are not yet in place, we rely on contractual safeguards (standard contractual clauses or equivalent). Note on Switzerland: Switzerland has its own national legislation: the Federal Act on Data Protection (FADP). A revised version (the nFADP) came into effect on September 1, 2023, specifically designed to align Swiss law with the EU’s GDPR to ensure that data can continue to flow freely between Switzerland and the EU. Transfers to our group headquarters (Bata Brands SA, Lausanne) may therefore proceed on an adequate protection basis under POPIA s72(1)(a).
|
LOCAL LAW PREVAILS
Bata SA is a South African company subject to South African law. Where the Bata Group’s global privacy framework provides lesser protections to South African data subjects than those required by POPIA, the requirements of POPIA take precedence. This reflects the Information Regulator’s September 2024 enforcement notice against WhatsApp and confirms our commitment to applying the full protections of POPIA to all South African data subjects.
|
10. Retention of Personal Information
We retain personal information for no longer than is necessary for the purpose for which it was collected, subject to statutory minimum retention requirements. The following category-specific schedule applies:
|
Category
|
Types of Information
|
Lawful Basis
|
Retention Period
|
|
Employees
|
Contact details, ID, banking, payroll, IT system logs, B-BBEE data, performance records
|
Contract, legal obligation, legitimate interests
|
Duration of employment + 5 years (Tax Administration Act); personnel records 3 years after termination (LRA and BCEA — minimum 3 years post-termination)
|
|
Retail customers
|
Name, contact details, purchase history, loyalty programme data
|
Contract, consent (loyalty), legitimate interests
|
Active customer relationship + 3 years (CPA)
|
|
Online / e-commerce customers
|
Name, contact details, delivery address, payment data, browsing behaviour, cookies
|
Contract, consent (cookies/analytics), legitimate interests
|
Active relationship + 3 years; payment records 5 years (Tax Administration Act)
|
|
Suppliers and contractors
|
Contact details, banking, BBBEE certificate, company registration
|
Contract, legal obligation
|
Duration of relationship + 5 years
|
|
Job applicants
|
Name, contact details, CV, qualifications, ID, referee information
|
Pre-contractual steps, consent (where not appointed)
|
3 months after recruitment decision (unsuccessful, without consent); duration of employment if appointed
|
|
Website visitors
|
IP address, device data, browsing behaviour, cookie identifiers
|
Consent (non-essential cookies), legitimate interests (necessary functions)
|
Session data: 24 hours; analytics: 14 months (target — configured per ROPA P-05); advertising: 12 months
|
|
Directors and officers
|
Identity, appointment records, CIPC filings, programme governance records
|
Legal obligation, contract
|
Statutory retention periods under Companies Act (7 years minimum)
|
At the end of the applicable retention period, personal information is securely deleted or anonymised. Backup copies are deleted on the next scheduled backup cycle.
In compliance with POPIA s19, we maintain appropriate, reasonable technical and organisational security measures to protect personal information against loss, damage, unauthorised destruction, and unlawful access. These measures include:
• Four-tier data classification framework (Public, Internal, Confidential, Strictly Confidential) implemented through Microsoft Purview.
• Role-based access controls — access to personal information is granted only to authorised persons on a need-to-know basis, and is logged and auditable.
• Encryption of personal information in transit (TLS 1.2+) and at rest (AES-256) in accordance with our data classification framework and POPIA s19 security requirements.
• Regular security assessments and monitoring through DIO (IT Security), Allan Graham Randall (Africa Security and Global Data Protection Lead).
• Staff training on POPIA obligations and information security practices.
• A formal Breach Response Plan governing our response to security compromises.
In the event of a security compromise that poses a real risk of harm to data subjects, we will:
• Notify the Information Regulator as soon as reasonably possible via the IR eServices portal (mandatory since 1 April 2025 — Form SCN1).
• Notify affected data subjects as soon as reasonably possible, in writing, with sufficient detail to enable them to take protective action.
• The IR may require us to make public the fact of a security compromise where this would benefit affected data subjects.
12. Automated Processing and Artificial Intelligence
Where Bata SA uses automated systems or artificial intelligence tools to process personal information (for example, for personalised product recommendations or fraud detection), we:
• Disclose this fact in our communications with you where required by law.
• Ensure that meaningful human oversight is maintained over automated decisions that significantly affect data subjects.
• Provide an opportunity for human reconsideration of any such decision on request (POPIA s71).
We do not make fully automated decisions that produce legal effects or similarly significant effects on individuals without human oversight.
13. Governance and Accountability
Bata SA’s Board of Directors bears ultimate accountability for information governance in accordance with the King V Report on Corporate Governance for South Africa 2024, Principle 10. The Board has adopted a formal information governance resolution confirming the designation of the Information Officer and Deputy Information Officers, the adoption of the POPIA and PAIA Compliance Programme, and the quarterly compliance reporting obligations of the Information Officer.
Our Information Officer (Lorraine Denise Dyer, Director and Country Manager) bears legal responsibility for POPIA and PAIA compliance and reports to the Board on a quarterly basis on compliance metrics, data subject requests, security incidents, and regulatory developments.
14. Complaints and the Information Regulator
If you are not satisfied with our handling of your personal information or your data subject rights request, you may:
• Contact our Information Officer at informationofficer@bata.com or 031 812 3600.
• Lodge a formal complaint with the Information Regulator of South Africa.
|
Contact
|
Detail
|
|
General enquiries
|
enquiries@inforegulator.org.za
|
|
POPIA complaints
|
POPIAComplaints@inforegulator.org.za
|
|
PAIA complaints
|
PAIAComplaints@inforegulator.org.za
|
|
Telephone
|
010 023 5200
|
|
Toll free
|
0800 001 7160
|
|
Postal address
|
P.O. Box 31533, Braamfontein, Johannesburg 2017
|
|
eServices portal
|
https://eservices.inforegulator.org.za
|
15. Version Control and Updates
This Privacy Statement is version 2.2, effective May 2026. It replaces the Bata South Africa Website Privacy Statement, effective 01 November 2018. We review this statement annually and will update it within 30 days of any material change in law, our processing activities, or our IO/DIO structure.
The current version of this Privacy Statement is always available at www.bata.co.za/privacy-policy/ and www.toughees.co.za/privacy-policy/. We will notify loyalty programme members and registered customers of material changes by email.
|
Version
|
Date
|
Summary of Changes
|
|
v2.2
|
May 2026
|
QA corrections applied: (1) IO sign-off capacity corrected to Director | Country Manager | Information Officer; (2) WordPress platform assumptions removed from Cookie Policy s2 (provider TBC pending cookie audit A-31); (3) LRA s31 reference corrected to LRA and BCEA; (4) Analytics retention 26 months → 14 months target per ROPA P-05; (5) Randall designation updated to DIO (IT Security) full format; (6) Cross-border table pending qualifiers added; (7) Programme Administrator added to s5 recipients; (8) Analytics cookie description corrected; (9) Automated telephone calls clarified; (10) Form 2 IR website URL corrected; (11) Encryption standards specified TLS 1.2+/AES-256; (12) Programme participant → governance principal; (13) Cookie Settings implementation note added; (14) Publication Instructions Randall title corrected.
|
|
v2.1
|
May 2026
|
Full rewrite. Previous document (November 2018) replaced in its entirety. POPIA s18 mandatory content added. IO updated to Lorraine Denise Dyer. Correct IR complaint address. All six lawful bases stated. Category-specific retention schedule. Children’s data clause (POPIA s35). Direct marketing framework per IR December 2024 Guidance Note. April 2025 POPIA Regulation amendments incorporated. Cross-border transfer disclosure. Breach notification process. AI clause. King V governance statement. Local-prevails clause.
|
|
v1.0
|
01 Nov 2018
|
Original document — superseded in its entirety by v2.1.
|
BATA/D-18/PRIV/2026/001 v2.2 • May 2026 • Bata South Africa (Pty) Ltd • Reg. M1985000219