PAIA Manual
Document ID: PRIV-POL-IO-002 | Version: 2.0 | Effective Date: 1 February 2026 | Review Date: 1 February 2027
1. Document Control
| Field | Value |
|---|---|
| Document ID | PRIV-POL-IO-002 |
| Document Title | PAIA Manual |
| Applicable Law | Promotion of Access to Information Act 2 of 2000 |
| Version | 2.0 |
| Owner | Information Officer |
| Approval | Managing Director |
| Effective Date | 1 February 2026 |
| Review Date | 1 February 2027 |
| Classification | Public |
| Retention Category | Permanent |
2. Introduction
This manual is prepared in accordance with Section 51 of the Promotion of Access to Information Act, 2000 (“PAIA”).
Purpose — To:
- Promote transparency and accountability
- Provide access to records
- Enable exercise and protection of rights
PAIA gives effect to Section 32 of the Constitution, enabling access to:
- Information held by the State
- Information held by private bodies required to exercise or protect rights
3. Organisation Details
| Field | Details |
|---|---|
| Legal Name | Metatrans Business Services PTY Ltd |
| Trading Name | Metatrans |
| Registration Number | 2014/165571/07 |
| Business Type | Data Privacy & Compliance Consulting |
| Website | www.metatrans.co.za |
| io@metatrans.co.za | |
| Telephone | +27 82 900 4293 |
| Physical Address | Maria Street, Fontainebleau, Randburg |
| Postal Address | Same as physical address |
4. Information Officer Registration Information
4.1 Information Officer Details
| Field | Details |
|---|---|
| Full Name | Christelle Bure |
| Designation | Information Officer |
| io@metatrans.co.za | |
| Telephone | +27 82 900 4293 |
4.2 Deputy Information Officer Details
None appointed.
4.3 Access to Information General Contacts
Email: io@metatrans.co.za
5. Guide of the Information Regulator
The official PAIA Guide is available from:
Information Regulator (South Africa) Website: https://www.justice.gov.za/inforeg/ Email: enquiries@inforegulator.org.za
The Guide explains:
- How to request access
- Forms required
- Rights and remedies
6. Records Automatically Available
The following records are available without a formal request:
Public Information
- Website content
- Marketing materials
- Service descriptions
- Published policies (where applicable)
Operational Information
- General service offerings
- High-level compliance methodologies
7. Records Held by the Organisation
7.1 Categories of Records
| Category | Description |
|---|---|
| Governance | Policies, procedures, compliance frameworks |
| Client Records | Contracts, reports, assessments |
| Financial | Invoices, accounting records |
| HR | Personal records, training records |
| IT Systems | Access logs, security configurations |
| Legal & Compliance | Regulatory filings, audit documentation |
| Third Parties | Third-party operator agreements |
| Incident Management | Incident management records |
8. Processing of Personal Information (POPIA Section 13 Alignment)
8.1 Purpose of Processing
- Deliver data privacy consulting services
- Regulatory compliance (PAIA, POPIA, GDPR, ISO 27001)
- Client onboarding and management
8.2 Categories of Data Subjects
- Clients
- Client employees
- Service providers
- Website users
8.3 Categories of Personal Information
- Identification information
- Contact details
- Professional information
- Compliance-related information
8.3.1 Lawful Basis for Processing
Processing of personal information is conducted on one or more of the following lawful bases, as defined under Section 11 of the Protection of Personal Information Act (POPIA):
- Consent: where the data subject has voluntarily agreed to processing.
- Contract: where processing is necessary to perform or conclude a contract with the data subject.
- Legal Obligation: where processing is required by law or regulation.
- Legitimate Interest (as recognised under POPIA interpretation, aligned to Section 11(1)(f)): where processing supports the organisation’s lawful business operations and does not infringe data subject rights.
8.3.2 Retention Periods
Personal information is retained only for as long as necessary to fulfil the purpose for which it was collected or as required by law.
Typical retention periods include:
- Client records: 5 years post-contract completion.
- Financial records: 7 years in accordance with tax legislation.
- Employee records: for the duration of employment plus 5 years.
- Audit and compliance records: minimum 5 years post-audit cycle.
Retention schedules are reviewed annually and aligned with ISO 27001 A.5.32 (Retention and Disposal).
8.3.3 Data Subject Rights
Data subjects have the following rights under POPIA Chapter 3:
- Access: to request confirmation and copies of personal information held.
- Correction: to request updates or rectification of inaccurate information.
- Deletion: to request erasure where information is no longer required or lawfully processed.
- Objection: to object to processing on reasonable grounds relating to their particular situation.
Requests may be submitted to the Information Officer using Form 2 under the PAIA Regulations.
8.4 Recipients of Information
- Regulatory authorities (where required)
- Service providers (IT, cloud platforms)
- Professional advisors
8.5 Transborder Transfers (POPIA Section 72 Compliance)
Where personal information is transferred across borders, such transfers are conducted in accordance with Section 72 of POPIA.
Transfers may occur to:
- EU / UK / global cloud service providers supporting operational delivery.
- Regulatory or client counterparties located outside South Africa.
Appropriate safeguards are applied, including:
- Contractual data protection clauses and standard contractual terms.
- Verification of adequacy status under applicable jurisdictions.
- Technical and organisational security measures consistent with ISO 27001 controls.
8.6 Security Measures
- Access controls
- Encryption where appropriate
- Secure cloud platforms
- Internal governance controls
8.7 Storage
- Internal systems
- Approved cloud platforms
- Secure records repositories
Note: This section intentionally reflects summary-level processing only (audit-compliant with PAIA public disclosure constraints).
9. Request Procedure
9.1 Submission of Requests
Requests must be made using:
- Form 2 (PAIA – access requests) — see Annexure A
- Form 1 (POPIA – correction/deletion requests, where applicable) — see Annexure B
- and sent to the Information Officer.
Required Information:
- Identity of requester
- Description of record
- Form of access requested
- Contact details
For Private Bodies:
The requester must:
- Identify the right being exercised or protected
- Explain why the record is required
10. Fees
Fees may apply for:
- Searching records
- Reproduction
- Administrative processing
Fees are prescribed under the PAIA Regulations, 2021 and may be updated from time to time.
11. Response Timeframes
| Action | Timeframe |
|---|---|
| Initial response | 30 days |
| Extension (if required) | Additional 30 days |
| Failure to respond | Deemed refusal — requester may lodge complaint within 180 days |
12. Grounds for Refusal
Mandatory Refusal (Examples)
- Protection of personal information of third parties
- Commercial confidentiality
- Legal privilege
- Safety and security risks
Discretionary Refusal
- Frivolous requests
- Operational impact
- Confidential research
13. Third Party Notification
Where required:
- Third parties will be notified
- They may object or consent
- Decision follows representation process
14. Remedies Available
No Internal Appeal (Private Body)
Requester may:
- Lodge complaint with Information Regulator
- Apply to Court
Regulator Complaint
- Must be filed within 180 days
15. Availability of the Manual
This manual is available:
- On this website
- On request from the Information Officer
- On the Information Regulator eServices portal
Required under PAIA Section 51.
16. Compliance Statement
This manual:
- Has been reviewed against PAIA Regulations, 2021
- Aligns with POPIA requirements and Information Regulator guidance
- Is subject to annual review and update upon legislative change
- Meets Section 51 requirements for private bodies
17. Declaration
I confirm that this PAIA Manual is accurate and compliant with applicable legislation.
Name: Christelle Bure Designation: Information Officer Date: 1 February 2026
Annexures
The following forms are available on request from the Information Officer at io@metatrans.co.za:
- Annexure A — Form 2: Request for Correction or Deletion of Personal Information (POPIA Section 24(1))
- Annexure B — Form 1: Objection to the Processing of Personal Information (POPIA Section 11(3))
- Annexure C — Form 3: Outcome of Request and Fees Payable (PAIA Regulation 8)