- Who we are
- Scope and application
- Information Officer
- Personal information we collect
- How we collect personal information
- Purposes and lawful bases
- Special personal information
- Legal professional privilege
- Sharing and operators / processors
- Cross-border transfers
- Retention of personal information
- Security safeguards
- Your rights
- Exercising your rights
- Complaints and supervisory authorities
- Cookies and website data
- Children's information
- Automated decision-making
- Changes to this Policy
- Contact
01Who We Are
Goshen Attorneys Inc. (registration number 2020/229649/21) is an incorporated law firm established in 2020, practising from 80 Greenvale Rd, Wilbart, Meadowbrook, Johannesburg, 1611, South Africa. The firm is directed by Jesse Goshen (LLB, CIPP/E), an admitted attorney of the High Court of South Africa, regulated under the Law Society of the Northern Provinces, practice number F66466.
For the purposes of POPIA, Goshen Attorneys Inc. is the "responsible party" in respect of personal information processed in connection with our practice and this website. Where the GDPR applies to our processing (see section 2), we act as the "controller" within the meaning of Article 4(7) GDPR.
We are not a firm that treats privacy as boilerplate. Our director holds the Certified Information Privacy Professional/Europe (CIPP/E) designation from the International Association of Privacy Professionals, and privacy and data protection advisory is a core practice area of the firm. This Policy is written to the standard we would demand of our own clients.
02Scope and Application
This Policy applies to personal information processed by Goshen Attorneys Inc. in the course of:
- operating the website at goshenattorneys.co.za, including enquiries submitted through it;
- rendering legal services to clients, prospective clients and former clients;
- conducting matters that involve counterparties, witnesses, beneficiaries, debtors and other third parties;
- managing supplier, correspondent-attorney and professional relationships; and
- complying with our statutory, regulatory and professional obligations.
Dual-jurisdiction statement
POPIA applies to all processing of personal information by the firm that is entered in a record in South Africa. In addition, the GDPR applies to certain of our processing activities by virtue of Article 3(2) GDPR — for example, where we offer services to, or monitor the behaviour of, data subjects who are in the European Union or European Economic Area. Where both frameworks apply, we apply the higher of the two standards. Nothing in this Policy reduces any protection you enjoy under mandatorily applicable law.
03Information Officer
In terms of sections 55 and 56 of POPIA, the firm's designated Information Officer is:
Jesse Goshen — Director, Goshen Attorneys Inc.
Email: info@goshenattorneys.co.za (mark correspondence "For the attention of the Information Officer")
Telephone: +27 (0) 11 064 4890
Address: 80 Greenvale Rd, Wilbart, Meadowbrook, Johannesburg, 1611
The Information Officer is registered with the Information Regulator (South Africa) and is responsible for encouraging and ensuring the firm's compliance with POPIA, dealing with requests made to the firm under POPIA and the Promotion of Access to Information Act 2 of 2000 (PAIA), and working with the Information Regulator in relation to any investigation.
04Personal Information We Collect
The categories of personal information we process depend on the nature of our relationship with you. They may include:
| Category | Examples | Typical data subjects |
|---|---|---|
| Identity information | Name, surname, identity or passport number, date of birth, nationality | Clients, counterparties, beneficiaries |
| Contact information | Email address, telephone number, physical and postal address | Clients, enquirers, suppliers |
| Matter information | Instructions, correspondence, pleadings, agreements, evidence and information relevant to your matter | Clients, opposing parties, witnesses |
| Financial information | Bank details, billing information, trust account transactions, creditworthiness information (debt recovery matters) | Clients, debtors |
| Verification information | FICA documentation: proof of identity, proof of address, company registration documents, beneficial ownership information | Clients |
| Website and technical data | Information you submit via our contact form; limited technical data inherent to web hosting (e.g. server logs) | Website visitors |
| Special personal information | Only where necessary to a matter — see section 7 | Clients and parties to matters |
05How We Collect Personal Information
Consistent with section 12 of POPIA, we collect personal information directly from you wherever reasonably practicable. We may also collect personal information from:
- persons authorised to act on your behalf (e.g. directors, agents, family members with mandate);
- public records, public registers (CIPC, Deeds Office, court records) and publicly available sources;
- opposing parties, their attorneys, courts, regulators and tribunals in the conduct of a matter;
- credit bureaux and tracing agents, where lawful and necessary for debt recovery; and
- third parties where you have consented, or where collection from another source does not prejudice your legitimate interests, or is necessary for the conduct of legal proceedings.
06Purposes and Lawful Bases for Processing
We process personal information only where a lawful justification exists under section 11 of POPIA and, where the GDPR applies, a legal basis under Article 6 GDPR. The principal purposes and corresponding bases are:
| Purpose | POPIA justification (s 11) | GDPR basis (Art 6) |
|---|---|---|
| Providing legal services and conducting your matter | Performance of a contract; protection of your legitimate interests | Art 6(1)(b) — contract |
| Responding to enquiries submitted via our website or otherwise | Consent; legitimate interests | Art 6(1)(a) / 6(1)(f) |
| Client onboarding, conflict checks and FICA verification | Compliance with a legal obligation | Art 6(1)(c) — legal obligation |
| Billing, trust accounting and debt recovery | Performance of a contract; legitimate interests; legal obligation | Art 6(1)(b), (c), (f) |
| Litigation, dispute resolution and enforcement | Legitimate interests of the firm, client or third party | Art 6(1)(f) — legitimate interests |
| Regulatory and professional compliance (Law Society / fidelity fund / tax) | Compliance with a legal obligation | Art 6(1)(c) |
| Practice updates and legal insights (where you have opted in) | Consent (s 69 direct marketing rules observed) | Art 6(1)(a) — consent |
Where we rely on legitimate interests, we conduct a balancing assessment and do not process where your interests or fundamental rights override ours. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
07Special Personal Information
Legal matters frequently and unavoidably involve special personal information as defined in section 26 of POPIA (and "special categories of personal data" under Article 9 GDPR) — for example, information concerning health in personal injury or family law matters, or criminal behaviour in litigation. We process such information only where:
- processing is necessary for the establishment, exercise or defence of a right or obligation in law (POPIA s 27(1)(b); GDPR Art 9(2)(f));
- you have consented (POPIA s 27(1)(a); GDPR Art 9(2)(a)); or
- another specific authorisation under sections 28–33 of POPIA or Article 9(2) GDPR applies.
Special personal information is subject to heightened internal access controls and is never used for marketing.
08Legal Professional Privilege and Confidentiality
This Policy operates alongside — and never dilutes — the protections of legal professional privilege and our duty of confidentiality as attorneys. Communications between you and the firm for the purpose of obtaining legal advice are privileged. Where a data protection right (such as access by a third party) conflicts with privilege or our professional duties, privilege and professional duty prevail to the extent permitted by law, including the exemptions in PAIA and section 23 read with the legitimate-refusal grounds applicable to legal professional privilege.
09Sharing of Personal Information; Operators and Processors
We do not sell personal information. We share personal information only as necessary for the purposes set out above, with:
- Courts, tribunals, regulators and state bodies — where required for a matter or by law;
- Counterparties and their legal representatives — in the ordinary and necessary conduct of a matter;
- Correspondent attorneys, advocates and experts — briefed on your matter under equivalent duties of confidence, including Bocconcini Attorneys & Conveyancers in associated conveyancing matters;
- Service providers (operators under s 20–21 POPIA / processors under Art 28 GDPR) — such as secure hosting, email and form-handling providers (our website contact form is processed by Formspree Inc.), who process only on our documented instructions and under written agreements imposing confidentiality and security obligations;
- Banks and the Legal Practitioners' Fidelity Fund framework — in connection with trust account administration; and
- Professional advisers, auditors and insurers — under duties of confidence.
10Cross-Border Transfers
As a practice with international clients and cross-border matters, we may transfer personal information outside South Africa. We do so only in compliance with section 72 of POPIA, which permits transfer where, among other grounds:
- the recipient is subject to law, binding corporate rules or a binding agreement providing an adequate level of protection substantially similar to POPIA;
- you consent to the transfer;
- the transfer is necessary for the performance of a contract with you or in your interest; or
- the transfer is for your benefit and consent is not reasonably practicable to obtain but would likely be given.
Where the GDPR applies and personal data is transferred from the EU/EEA to South Africa or elsewhere, we rely on the mechanisms of Chapter V GDPR — including the European Commission's Standard Contractual Clauses (SCCs), supplemented where necessary by transfer impact assessments consistent with the CJEU's Schrems II jurisprudence. This is an area in which the firm itself advises professionally; we apply to our own transfers the same discipline we apply for clients.
11Retention of Personal Information
In line with section 14 of POPIA and the GDPR's storage-limitation principle, we retain personal information only for as long as necessary for the purpose of collection, subject to legal and professional retention duties. Indicative periods:
| Record type | Indicative retention period | Rationale |
|---|---|---|
| Client matter files | Minimum 7 years after matter closure (longer where the matter may give rise to future claims, e.g. wills, trusts, minors' matters) | Professional obligations; prescription periods; defence of claims |
| Accounting and trust account records | Minimum 7 years | Statutory accounting and attorneys' practice requirements |
| FICA verification records | Minimum 5 years from termination of the business relationship | Financial Intelligence Centre Act 38 of 2001 |
| Website enquiries not converting to a mandate | Up to 24 months | Legitimate interests; conflict checking |
| Marketing consents and preferences | Until withdrawal of consent | Consent management |
On expiry of the applicable period, records are destroyed, deleted or de-identified in a manner that prevents reconstruction, in accordance with section 14(4)–(5) of POPIA.
12Security Safeguards
In terms of section 19 of POPIA and Article 32 GDPR, we maintain appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information, including:
- encrypted transmission (TLS) for our website and email systems;
- access controls on matter files and need-to-know access within the practice;
- secure, access-controlled premises and locked physical filing;
- due diligence on, and written undertakings from, all operators/processors;
- regular review of safeguards against identified risks, as required by s 19(2) POPIA.
Notification of security compromises
In the event of a security compromise affecting your personal information, we will notify the Information Regulator and, unless a permitted exception applies, affected data subjects, as soon as reasonably possible in accordance with section 22 of POPIA — and, where GDPR applies, the supervisory authority within 72 hours under Articles 33–34 GDPR. Data breach response is a service the firm renders to clients; our internal breach protocol reflects that expertise.
13Your Rights
Subject to the limits imposed by legal professional privilege and applicable exemptions, you have the following rights:
| Right | POPIA | GDPR |
|---|---|---|
| To be notified that your information is being collected or has been accessed unlawfully | s 5(a), s 18, s 22 | Arts 13–14, 34 |
| Access — confirmation and a copy of the record | s 23 (via PAIA) | Art 15 |
| Correction or deletion of inaccurate, irrelevant, excessive or unlawfully obtained information | s 24 | Arts 16–17 |
| Objection to processing, including on reasonable grounds relating to your situation | s 11(3) | Art 21 |
| To refuse / opt out of direct marketing | s 69 | Art 21(2) |
| Restriction of processing | s 14(6), s 24 | Art 18 |
| Data portability (where applicable) | — | Art 20 |
| Not to be subject to solely automated decisions with legal effect | s 71 | Art 22 |
| To withdraw consent at any time | s 11(2)(b) | Art 7(3) |
| To complain to the supervisory authority | s 74 | Art 77 |
14Exercising Your Rights
To exercise any right, contact the Information Officer (section 3). Requests for access to records are processed under PAIA, using the prescribed request form where applicable; our PAIA Manual is available on request and from the firm's offices. We will:
- verify your identity before acting on a request;
- respond without undue delay and in any event within the periods prescribed by PAIA / within one month under GDPR (extendable where requests are complex); and
- not charge for the exercise of POPIA rights, save for prescribed fees applicable to PAIA access requests and reasonable fees for manifestly unfounded or excessive requests under GDPR.
15Complaints and Supervisory Authorities
We would ask that you raise any concern with our Information Officer first — we take privacy complaints seriously and will respond substantively. You are, however, always entitled to lodge a complaint directly with the regulator:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, 2017
Complaints: POPIAComplaints@inforegulator.org.za · General: enquiries@inforegulator.org.za
Website: inforegulator.org.za
If you are in the EU/EEA and the GDPR applies, you may also lodge a complaint with the supervisory authority of your habitual residence, place of work or the place of the alleged infringement (Article 77 GDPR).
16Cookies and Website Data
Our website is deliberately built to operate without advertising trackers, analytics profiling or non-essential cookies. The limited third-party services we use (font delivery and form processing) are detailed in our Cookie Policy, which forms part of this Policy.
17Children's Information
We process personal information of children (persons under 18 under POPIA) only where authorised by section 35 of POPIA — typically where processing is necessary for the establishment, exercise or defence of a right or obligation in law (for example, in family law, maintenance, custody and estate matters) or with the consent of a competent person. Our website and marketing are not directed at children.
18Automated Decision-Making and Profiling
We do not subject any data subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects (POPIA s 71; GDPR Art 22). All decisions affecting clients and matters are made by a qualified attorney.
19Changes to This Policy
We review this Policy at least annually and whenever the law or our processing changes materially. The effective date above reflects the latest revision. Material changes affecting current clients will be notified directly; the governing version is always the version published at goshenattorneys.co.za/privacy-policy.html.
20Contact
Goshen Attorneys Inc. · 80 Greenvale Rd, Wilbart, Meadowbrook, Johannesburg, 1611 · +27 (0) 11 064 4890 · info@goshenattorneys.co.za
This Privacy Policy was prepared by Goshen Attorneys Inc., a CIPP/E-qualified privacy practice. It should be read together with the related notices below.