What This Handbook Covers
This handbook explains shared compliance responsibility when running QR campaigns that involve analytics or personal data collection.
POPIA and GDPR in Practical Terms
- POPIA: Governs lawful processing of personal information in South Africa.
- GDPR: Governs personal data processing for EU data subjects.
Many teams must align to both, especially with cross-border traffic.
Platform Responsibilities
Platform-level protections include secure transport and controlled processing for scan analytics workflows.
Your Responsibilities (Controller Side)
If destination pages collect personal data, you must:
- Display a clear privacy notice.
- Provide lawful basis/consent where required.
- Minimize data collection to what is necessary.
- Retain data only as long as needed.
- Support user rights requests under applicable law.
Campaign Compliance Checklist
Before launch:
- Confirm destination privacy policy is live.
- Confirm cookie/consent handling is configured.
- Confirm form fields collect only necessary information.
- Confirm retention and deletion process exists.
- Confirm internal owner for privacy requests.
After launch:
- Audit analytics and form flows quarterly.
- Review third-party processors and integrations.
- Update notices if processing purpose changes.
High-Risk Mistakes to Avoid
- Collecting PII without clear disclosure.
- Using broad "just in case" form fields.
- No process for deletion/access requests.
- Routing sensitive campaigns without legal review.
Regional GEO Note (South Africa)
For South African commercial campaigns, POPIA transparency and consent clarity are not optional. They directly affect trust, complaint risk, and enterprise procurement readiness.
Related Guides
- API key governance:
enterprise-authentication. - Analytics interpretation:
tracking-your-scans. - Terms and policy references:
/termsand/privacy.
Was this article helpful?
Your feedback helps us improve our documentation.