ICFF Privacy Policy
Effective: 29-03-2026
Privacy Policy
Effective Date: 22 March 2026 | Last Updated: 22 March 2026
1. Introduction
The Institute of Customs & Freight Forwarding (ICFF) is committed to protecting the personal information of our members, prospective members, and website visitors in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and its regulations.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we retain it, and what rights you have regarding your data.
By using the ICFF Members Portal or any ICFF services, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Identity Data
- Full name
- National identity number (South African ID or passport number)
- National ID type
- Gender
- Ethnicity (for industry reporting and transformation tracking)
- Profile photograph
2.2 Contact Data
- Email address
- Phone number(s)
- Physical and postal addresses
2.3 Professional Data
- Educational qualifications (institution, qualification, year, NQF level)
- Work experience (employer, role, duration)
- Professional references and reference letters
- Continuing Professional Development (CPD) submissions and points
- Designation applications, evaluations, and awarded designations
- Membership tier and status
2.4 Financial Data
- Invoices and billing records
- Payment reference numbers and transaction IDs
- Subscription status and billing frequency
2.5 Usage Data
- Login timestamps and session identifiers
- Portal activity and page navigation
- Event registration and attendance records (including QR check-in data)
2.6 Uploaded Documents
- Curriculum vitae (CV)
- Certified copies of identity documents
- Educational certificates and transcripts
- Professional reference letters
- Other supporting documents submitted for membership or designation applications
3. How We Use Your Information
| Purpose | Legal Basis (POPIA) | Data Categories |
|---|---|---|
| Process and manage your membership application and renewal | Performance of a contract (Section 11(1)(b)) | Identity, Contact, Professional, Financial |
| Administer designation applications and evaluations | Performance of a contract (Section 11(1)(b)) | Identity, Professional, Uploaded Documents |
| Track and record CPD points and compliance | Legitimate interest / contractual obligation (Section 11(1)(d)/(b)) | Identity, Professional |
| Process payments and generate invoices | Performance of a contract (Section 11(1)(b)) | Identity, Contact, Financial |
| Send membership-related communications and newsletters | Legitimate interest (Section 11(1)(d)) | Identity, Contact |
| Manage event registrations and attendance | Performance of a contract (Section 11(1)(b)) | Identity, Contact, Usage |
| Provide access to the Knowledge Base and helpdesk | Legitimate interest (Section 11(1)(d)) | Identity, Contact |
| Maintain security and prevent fraud | Legitimate interest (Section 11(1)(d)) | Identity, Usage |
| Comply with legal and regulatory obligations | Legal obligation (Section 11(1)(c)) | All categories as required |
| Generate anonymised statistical reports for industry bodies | Legitimate interest (Section 11(1)(d)) | Anonymised/aggregated data only |
4. Who We Share Data With
ICFF does not sell your personal information. We share data only with the following parties, and only to the extent necessary:
4.1 PayFast (Pty) Ltd
- Data shared: Name, email address, payment amounts, subscription identifiers
- Purpose: Payment processing and recurring subscription management
- Location: South Africa
- Safeguards: PCI DSS Level 1 certified; governed by their own privacy policy
4.2 Email Service Provider
- Data shared: Email address, name (for personalisation)
- Purpose: Delivery of transactional and membership communications
- Safeguards: Data processing agreement in place
4.3 Contabo GmbH (Hosting Provider)
- Data shared: All data stored on the ICFF platform (encrypted at rest and in transit)
- Purpose: Infrastructure hosting for the ICFF Members Portal
- Location: Germany / European Union
- Safeguards: GDPR compliant. POPIA Section 72 permits transfers to jurisdictions with adequate data protection laws. The EU's General Data Protection Regulation (GDPR) provides an adequate level of protection as recognised under POPIA.
4.4 Regulatory and Legal Authorities
- Data shared: As required by law
- Purpose: Compliance with South African law, court orders, or regulatory requirements
- Safeguards: Disclosed only when legally compelled
5. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Active member records | Duration of membership + 2 years | Contractual and administrative purposes |
| Expired/lapsed member records | 2 years after expiry | Re-activation window and dispute resolution |
| Designation records | Permanent | Professional credential verification (industry requirement) |
| CPD records | CPD cycle duration + 3 years | Compliance auditing and verification |
| Financial records (invoices, payments) | 5 years | Tax Administration Act and Companies Act requirements |
| Application error logs | 90 days | Technical troubleshooting |
| System backups | 7 days (rolling) | Disaster recovery |
After the applicable retention period, personal information is securely deleted or anonymised.
6. Your Rights Under POPIA
As a data subject, you have the following rights under POPIA:
- Right of access (Section 23): Request confirmation of whether we hold your personal information, and request a copy of it.
- Right to correction (Section 24): Request that inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading personal information be corrected or deleted.
- Right to deletion (Section 24): Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
- Right to object (Section 11(3)(a)): Object to the processing of your personal information on reasonable grounds.
- Right to withdraw consent (Section 11(2)(b)): Where processing is based on consent, withdraw your consent at any time (this does not affect the lawfulness of processing before withdrawal).
- Right to complain (Section 74): Lodge a complaint with the Information Regulator if you believe your rights have been infringed.
How to Exercise Your Rights
Submit your request in writing to:
Email: privacy@icff.co.za
Subject line: POPIA Data Subject Request - [Your Full Name]
We will acknowledge your request within 5 business days and respond substantively within 30 days, as required by POPIA. We may request proof of identity before processing your request to protect your personal information from unauthorised disclosure.
7. Security Measures
ICFF implements appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and the ICFF portal is encrypted using TLS (Transport Layer Security).
- Role-based access control (RBAC): Access to personal information is restricted to authorised personnel based on their role and the principle of least privilege.
- Private file storage: Uploaded documents are stored as private files with access controlled by document-level permissions.
- Daily encrypted backups: Automated daily backups with 7-day rotation, ensuring data recovery capability.
- Container isolation: Application services run in isolated containers with defined resource limits, reducing the attack surface.
- Intrusion prevention: Fail2ban is deployed to detect and block brute-force login attempts and other suspicious activity.
- Firewall: Network-level firewall rules restrict access to only necessary ports and services.
- Secure authentication: Session cookies are configured with HttpOnly, Secure, and SameSite attributes to prevent session hijacking.
8. Cookies
The ICFF Members Portal uses only essential cookies required for the platform to function. We do not use third-party tracking cookies, analytics cookies, or advertising cookies.
| Cookie | Purpose | Type | Attributes |
|---|---|---|---|
sid | Session identifier for authenticated users | Essential | HttpOnly, Secure, SameSite |
system_user | Indicates whether the user has system (administrative) access | Essential | Secure, SameSite |
user_id | Stores the logged-in user's identifier | Essential | Secure, SameSite |
full_name | Stores the user's display name for UI personalisation | Essential | Secure, SameSite |
These cookies are set upon login and cleared upon logout. No personal information is shared with third parties through cookies.
9. Information Officer
In terms of POPIA, ICFF has appointed the following Information Officer:
Name: [To be confirmed]
Email: privacy@icff.co.za
Organisation: Institute of Customs & Freight Forwarding
If you are not satisfied with our response to your data subject request, you have the right to lodge a complaint with:
The Information Regulator (South Africa)
Website: https://inforegulator.org.za
Email: enquiries@inforegulator.org.za
10. Changes to This Policy
ICFF reserves the right to update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify active members via email or portal notification where appropriate
We encourage you to review this policy periodically to stay informed about how we protect your personal information.
Institute of Customs & Freight Forwarding
privacy@icff.co.za
Institute of Customs & Freight Forwarding
privacy@icff.co.za