SOUTH AFRICAN VINTAGE TRACTOR AND ENGINE CLUB (SAVTEC)
This document constitutes the official Privacy Policy and Personal Data Protection Policy of the South African Vintage Tractor and Engine Club, hereinafter referred to as the “Organisation” or “SAVTEC”. As a national body dedicated to the preservation, restoration, and exhibition of historical agricultural machinery, stationary engines, and related industrial heritage, the Organisation operates across multiple regional branches within the Republic of South Africa.
This policy is established to govern the collection, storage, processing, dissemination, and destruction of personal information in strict accordance with the statutory requirements of the Protection of Personal Information Act, No. 4 of 2013 (hereinafter referred to as “POPIA”), alongside the procedural frameworks established by the Promotion of Access to Information Act, No. 2 of 2000 (hereinafter referred to as “PAIA”).
The Organisation recognizes that the right to privacy enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996, requires active operational protection. In managing its administrative duties, membership applications, regional activities, show judging protocols, and electronic platforms, the Organisation is fully committed to ensuring that all personal data entrusted to it by members, applicants, website visitors, and third-party associates is handled with absolute confidentiality, structural safety, and legal accountability.
This policy applies universally to all structural components of the Organisation, including the National Executive Committee, all elected executive members, regional branch committees, temporary administrative staff, and any automated digital systems operated by or on behalf of the Organisation at its central domain, savtec.co.za.
In this policy, unless the context clearly indicates a contrary intention, the following terms shall possess the meanings assigned to them under POPIA and this section:
“Active Member” means any individual whose membership application has been formally vetted, approved by the Executive Committee, and whose annual subscription fees are fully paid and up to date.
“Applicant” means any natural or juristic person who has completed and submitted an online or physical registration form seeking admission to the Organisation.
“Biometrics” means a technique of personal identification that is based on physical, physiological, or behavioural characterisations, including blood typing, fingerprinting, DNA analysis, or retinal scanning.
“Child” means a natural person under the age of 18 years who is not legally competent to take any action or give consent concerning their own personal information without parental or legal guardian authorization.
“Consent” means any voluntary, specific, and informed expression of will in terms of which a Data Subject agrees to the processing of personal information relating to them.
“Data Subject” means the person to whom personal information relates, including active members, applicants, website users, regional volunteers, and external service suppliers.
“De-identify” in relation to personal information of a data subject, means to delete information that identifies the data subject, which can be used to identify the data subject, or which can be linked by a reasonably foreseeable method to the data subject.
“Executive Member” means an individual duly elected or co-opted to serve on the National Executive Committee or a regional branch committee of the Organisation, vested with administrative and decision-making authority.
“Information Officer” means the individual designated by the Organisation to ensure compliance with the conditions for the lawful processing of personal information as mandated by POPIA.
“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
“Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including but not limited to:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
Information relating to the education or the medical, financial, criminal or employment history of the person;
Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
The biometric information of the person;
The personal opinions, views or preferences of the person;
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
The views or opinions of another individual about the person; and
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
Dissemination by means of transmission, distribution or making available in any other form; or
Merging, linking, as well as restriction, degradation, erasure or destruction of information.
“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. For the purposes of this policy, SAVTEC is the Responsible Party.
“Special Personal Information” means personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour of a data subject.
This Privacy Policy governs all data interactions executed by the Organisation through physical documentation, verbal communications, telephonic inquiries, and digital interactions. Specifically, it encompasses:
The collection and management of data via the public-facing aspects of the website savtec.co.za.
The secure submission, containment, and processing of applicant registration records.
The distribution of applicant data to designated Executive Members during the mandatory vetting and validation phases.
The operational mechanics of the secure, restricted back-end website environment and the associated online membership platform.
The recording, maintenance, and public display of competitive judging sheets, scorecards, and historical machinery registers.
The administration of financial and accounting workflows associated with membership fees, regional branch allocations, and voluntary contributions.
This policy applies to all structural tiers of the Organisation. Every regional branch, including those operating within specialised irrigation schemes or agricultural zones, must adhere strictly to these central protocols. No regional branch may develop independent data processing rules that contradict, diminish, or bypass the protections outlined herein.
In full compliance with Chapter 3 of POPIA, the Organisation structures all data processing activities around the eight foundational conditions for lawfulness.
+-------------------------------------------------------------------+
|                 SAVTEC POPIA COMPLIANCE FRAMEWORK                 |
|                                                                   |
| [1. Accountability] --> Executive Committee takes ownership       |
| [2. Minimisation]   --> Only essential identity & asset data      |
| [3. Specification]  --> Vetting, billing, and show registries     |
| [4. Limitation]     --> No external commercial redistribution     |
| [5. Quality Care]   --> Annual membership validation audits       |
| [6. Openness]       --> Clear transparency at registration        |
| [7. Security Guard] --> Multi-factor authentication & firewalls   |
| [8. Subject Rights] --> Full access, correction, and deletion     |
+-------------------------------------------------------------------+
The Organisation ensures that all compliance measures prescribed by POPIA are implemented, maintained, and audited. The National Executive Committee bears ultimate accountability for ensuring that data processing remains lawful. The designated Information Officer is charged with operational oversight, regular staff or volunteer training, and managing communication with the South African Information Regulator.
Personal information is processed lawfully and in a reasonable manner that does not infringe upon the privacy of the Data Subject. The Organisation gathers only the minimum volume of data necessary to execute its primary objectives. Data collection relies on explicit consent, contract fulfillment, or the protection of the legitimate interests of the Organisation and its membership base.
The Organisation collects personal information for specific, explicitly defined, and lawful purposes relating to the administration of a historical preservation club. These purposes include vetting new registrations, managing regional branch allocations, processing annual membership dues, publishing official show results, and maintaining historical tractor registries.
Personal information is not processed for any secondary purpose that is incompatible with the original purpose for which it was collected. If the Organisation wishes to use data for historical research, public archiving, or statistical tracking outside standard club administration, it ensures that the records are thoroughly de-identified, or alternatively, it obtains fresh, unambiguous consent from the affected individuals.
The Organisation takes reasonably practicable steps to ensure that all personal information is complete, accurate, not misleading, and updated where necessary. This requires regular database maintenance, annual membership detail confirmation cycles, and accessible self-service or administrative channels through which members can update their contact or machinery profiles.
The Organisation maintains complete transparency regarding its data storage locations, processing methods, and the specific identities of internal parties handling sensitive records. At every point of data collection, clear notification is provided regarding the purpose of collection, the voluntary or mandatory nature of the disclosure, and the right to lodge a formal complaint with the Information Regulator.
The Organisation secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures. This prevents loss of, damage to, or unauthorised destruction of personal information, alongside preventing unlawful access to or processing of such data.
The Organisation recognizes the right of Data Subjects to request confirmation of whether their personal records are held, to demand full access to those records without excessive charge, and to request the correction, destruction, or deletion of records that are inaccurate, irrelevant, excessive, or unlawfully retained.
To fulfill its constitutional mandate as a mechanical heritage preservation group, the Organisation collects and processes distinct categories of personal data. These categories are limited to necessary information and are itemised below:
Full legal names, surnames, preferred names, and titles.
South African National Identity Numbers or Passport Numbers (required for formal identity verification, background confirmation during vetting, and legal compliance within the club constitution).
Dates of birth and age brackets (used to determine eligibility for specific age-related membership tiers or veteran competitor awards).
Primary and alternative electronic mail addresses.
Mobile telephone numbers, landline numbers, and messaging profile identifiers.
Residential addresses, postal addresses, and farm descriptions (essential for allocating members to the correct regional branch, distributing physical publications, and coordinating local engine days).
Detailed logs of vintage tractors, stationary engines, agricultural implements, and classic vehicles owned, restored, or maintained by the data subject.
Machinery metadata, including manufacturer names, model designations, manufacturing years, engine serial numbers, chassis numbers, and unique casting marks.
Photographic images of machinery restorations, mechanical components, workshop activities, and public show participations.
Historical narratives, mechanical modification logs, and ownership lineages associated with specific vintage machines.
Banking account details, branch codes, and payment card details (used solely for processing subscription renewals, event entry fees, and regalia purchases).
Invoicing histories, payment allocations, outstanding balances, and financial communication logs managed via automated accounting and client management systems.
Internet Protocol (IP) addresses, browser specifications, operating system details, and device identifiers.
Access timestamps, interaction logs, security audit logs, and account tracking metrics tied to the secure back-end member platform.
The Organisation collects personal information through structured, lawful channels. It avoids covert monitoring and ensures that individuals are aware of data capture at the time of interaction.
The vast majority of data processing originates from direct disclosures by the individual. This happens when an applicant fills out the digital registration form on the website, completes a physical application at a regional show, signs an event attendance register, or communicates directly with an executive member via email or telephone.
During the course of membership, the Organisation generates internal data points that link directly to the individual. This includes the production of technical evaluation sheets by certified club judges, the assignment of scores during competitive ploughing or stationary engine exhibitions, and the recording of administrative choices made by executive committee panels.
When accessing savtec.co.za, the host servers automatically capture standard transmission data. This automated capture is restricted to data elements required to maintain security, track system errors, and ensure the stability of the online membership platform.
The Organisation collects, stores, and uses personal data strictly for operations linked to its core cultural and administrative functions. Data is never collected without a specific purpose.
Data is processed to maintain an accurate national membership register, track regional branch membership volumes, distribute constitutional notices, manage AGM voting processes, and issue official financial invoices and statements.
To preserve the safety, shared values, and mutual trust of the club, all applications go through an explicit evaluation process. Personal data is reviewed by designated panels to ensure the validity of the application before granting administrative access to the proprietary areas of the website.
During regional engine days and national rallies, the Organisation processes data to allocate exhibition spaces, compile safety manifests for dangerous flywheel machinery, manage public insurance parameters, and organize specific field demonstrations.
A primary objective of SAVTEC is archiving South Africa’s mechanical farming history. Technical descriptions of tractors and stationary engines, along with their owners’ names, are stored in long-term databases to maintain authentic preservation records for research and judging purposes.
The processing workflow for new registrations is highly structured, secure, and restricted. The lifecycle of applicant data follows a specific path designed to maximize protection:
+-----------------------------------------------------------------+
|                 REGISTRATION & VETTING WORKFLOW                 |
|                                                                 |
| [Step 1] Applicant fills form on public website                 |
| [Step 2] Data saved in isolated "Pending" database table        |
| [Step 3] Executive Members notified via encrypted admin link    |
| [Step 4] Form reviewed against constitutional criteria          |
| [Step 5] IF REJECTED: Data scrubbed / applicant notified        |
| [Step 6] IF APPROVED: Account migrates to Active Member DB      |
| [Step 7] Automated welcome email dispatched with access link    |
+-----------------------------------------------------------------+
Initial Submission: When an individual completes the registration form on the public website, the information is instantly isolated within a sandboxed database table designated for “Pending Requests”. At this stage, the applicant profile remains completely hidden from the standard membership directory and has zero access privileges.
Executive Distribution: An automated system alert notifies elected Executive Members that a new application requires evaluation. These Executive Members access the pending details through an administrative dashboard secured by multi-factor authentication.
Deliberation and Verification: The Executive Members inspect the provided details, confirming geographic branch suitability and validating identification metrics. This assessment is carried out entirely within the secure website back-end to prevent data leaks.
Rejection Handling: If an application is denied based on constitutional guidelines, the record is flagged for removal. The data is securely deleted from the pending table within a reasonable period, and a simple notice is sent to the applicant.
Approval and Platform Activation: Upon formal approval by the executive panel, an administrator triggers a profile status change. The system moves the record from the pending pool to the Active Member Database. This action activates the back-end account, unlocks the online membership platform, and prompts the system to generate an automated welcome email containing access credentials.
The Organisation does not sell, lease, or trade personal databases to external marketing groups or commercial entities. Sharing data with third parties is strictly limited to authorized Operators who assist in running the club.
The website infrastructure, member directory, and data storage systems are maintained on secure servers managed by professional web hosting and cloud storage companies. These entities act as technical Operators, bound by strict confidentiality agreements to ensure they do not access or alter data without explicit authorization from the Information Officer.
For invoicing, fee tracking, and agency-style member communication, the Organisation utilizes specialised third-party software applications (such as Hello Bonsai or similar secure accounting tools). These platforms handle billing data under rigorous data privacy standards that match or exceed POPIA requirements.
When preparing for major public exhibitions, participant names, branch affiliations, and machinery technical details may be shared with trusted local printing contractors to produce physical show brochures, event programs, and competitive display placards.
The Organisation will disclose personal records to statutory bodies, law enforcement agencies, or tax authorities only if required to do so by a formal court order, an explicit legislative mandate, or to defend its legal rights within the South African court system.
Section 72 of POPIA regulates the transmission of personal records outside the borders of South Africa. The Organisation generally stores and processes its primary databases within local data centres. However, cross-border data transfers may happen in the following specific scenarios:
International Cloud Routing: The use of international software plugins, automated backup storage systems, or international email dispatch systems means data may travel through or rest on servers located in European Union jurisdictions or North American regions.
Specialist Heritage Verifications: When verifying the historical accuracy or factory assembly records of specific imported machinery, the Organisation may share serial numbers and ownership details with international historical registers, such as the Friends of Ferguson Heritage Ltd in the United Kingdom.
The Organisation ensures that any international third party receiving this data is located in a country with data protection laws that provide an equivalent or higher level of safety than POPIA. If the target country lacks these protections, the Organisation will not transmit the data without setting up a clear data transfer contract or getting explicit consent from the Data Subject.
To prevent unauthorized access, data leaks, or data loss, the Organisation uses a layered, secure approach to information safety across its digital systems.
Transport Security: The entirety of the savtec.co.za domain uses Transport Layer Security (TLS/SSL) encryption, ensuring that all data passed between users’ browsers and the website servers remains private.
Access Limitations: Access to administrative areas, pending applicant tables, and financial logs is limited through strict permission settings. Only verified Executive Members have access to these areas.
Password Policies: All users accessing the back-end platform must use complex passwords. Administrative and executive accounts require multi-factor authentication (MFA) before access is granted.
Security Scanning: The web server runs automated firewalls, malware scanners, and intrusion detection software to monitor for unauthorized login attempts or malicious activity.
Physical Records: Physical registration forms, judging sheets, and financial records are kept in locked filing cabinets at designated regional branch headquarters.
Access Restriction: Only authorized committee members have physical keys or access codes to these filing areas.
Administrative Training: All Executive Members and branch volunteers handling member records receive regular training on data privacy, safe storage habits, and secure password management.
The Organisation keeps personal records only as long as necessary to fulfill the operational or historical purposes for which they were gathered.
+-----------------------------------------------------------------+
|                     DATA RETENTION SCHEDULE                     |
|                                                                 |
| Active Members      --> Duration of membership plus 5 years     |
| Rejected Applicants --> Deleted within 90 days of decision      |
| Show Scorecards     --> Retained permanently for history        |
| Financial Records   --> Retained 7 years per SARS mandates      |
+-----------------------------------------------------------------+
Personal details, contact information, and asset registries are kept for the entire duration of an individual’s active membership. When a member resigns or passes away, their administrative profile is archived. The file is kept for a maximum of five years to clear any outstanding financial accounts or manage constitutional enquiries, after which it is deleted.
Data from unapproved or rejected applicants is kept for a maximum of ninety days after the Executive Committee makes its decision. This buffer allows time to address any application appeals. Once this period closes, the record is removed from the database.
In line with the Tax Administration Act, No. 28 of 2011, all financial records, invoices, receipt logs, and bank confirmation details are kept for seven years from the date of the transaction.
Section 14(2) of POPIA allows personal data to be kept for extended periods for historical, research, or statistical purposes. Because tracking machinery restoration lineages is a primary goal of the club, the Organisation keeps historical show registers, tractor serial number databases, and judging scores indefinitely. This data is preserved for historical research and is protected against non-club commercial use.
When the retention period for data expires, it is destroyed securely:
Digital records are wiped from active databases using secure deletion commands and cleared from system backups.
Physical paperwork is shredded using cross-cut equipment or burned under the supervision of an authorized branch official.
Every individual whose data is held by the Organisation possesses explicit legal rights under POPIA. The Organisation provides clear steps for members and the public to exercise these rights.
Data Subjects have the right to request a complete copy of all personal information the Organisation holds about them. This request must be sent to the Information Officer in writing using the appropriate form prescribed under PAIA. The Organisation will provide this information within thirty days, provided the request is reasonable and identity is verified.
If any personal information is incorrect, incomplete, out of date, or misleading, the Data Subject can submit a correction request. Active members can update most details directly through the self-service portal on the back-end website. Alternatively, they can notify the Information Officer to have the records updated across all systems.
An individual has the right to object to the processing of their personal data at any time on reasonable grounds, unless legislation requires the processing. If an objection is validated, the Organisation will halt processing immediately. This may result in the termination of active membership if the data is essential for club administration.
Data Subjects can request the deletion of records that are no longer authorized under POPIA or this policy. The Organisation will evaluate the request against its legal obligations, such as tax laws or historical preservation mandates, and proceed with deletion where allowed.
A data breach occurs when personal information is accessed, altered, lost, or destroyed by unauthorized parties. The Organisation maintains an incident response protocol to handle breaches quickly and transparently.
If a security breach is detected on the website or within regional databases, the Information Officer will immediately isolate the affected systems, revoke compromised administrator access codes, change master database passwords, and apply security patches to stop further data exposure.
The technical support team will conduct a thorough review to determine the exact scope of the breach, identifying which database tables were accessed and which individuals were affected.
If there is evidence that personal information has been accessed by an unauthorized person, the Organisation will issue formal notifications as required by Section 22 of POPIA:
The Information Regulator: Notification will be sent via email or the official online portal as soon as reasonably possible after discovering the breach.
The Affected Data Subjects: Notice will be sent directly via email or SMS, using clear language to describe how the breach occurred, what data was exposed, the likely consequences, and the mitigation steps taken by the club.
The website savtec.co.za uses cookies to ensure smooth technical performance, protect user accounts, and improve the website experience. Cookies are small text files saved to a user’s device when they load specific webpages.
| Cookie Category | Technical Function | Expiry Cycle |
| --- | --- | --- |
| Essential Cookies | Maintains secure login state for active members and administrators accessing the back-end platform. | Deleted at end of browser session. |
| Preference Cookies | Saves user choices, such as language preferences or regional branch dashboard layouts. | Stored up to 12 months. |
| Security Tracking | Monitors login attempts to detect and block automated brute-force attacks. | Dynamic or persistent based on risk. |
Users can block or delete cookies through their web browser settings. However, disabling essential cookies will prevent access to the secure back-end area and the online membership platform, as the system relies on them to verify logged-in users.
The Organisation uses direct electronic communication to keep members informed about events, club news, and updates. These communications follow strict choice-driven guidelines:
Operational Club Notices: Invoices, AGM alerts, constitutional updates, and vetting responses are sent as essential operational messages. Members cannot opt out of these while remaining active in the club.
Promotional Content and Newsletters: Bulletins regarding regional branch news, show photo galleries, or partner club events are sent only to individuals who have opted in.
Opt-Out Controls: Every promotional email includes an unambiguous “Unsubscribe” link at the bottom. Clicking this link removes the email address from marketing distribution lists immediately.
The National Executive Committee appoints the Information Officer responsible for managing data compliance. For any questions, access requests, or privacy concerns, contact the Information Officer using the details below:
Organisation Name: South African Vintage Tractor and Engine Club (SAVTEC)
Attention: The Designated Information Officer
Postal Address: Postnet Suite 44, Private Bag X2, Paarden Eiland, Cape Town, 7420, South Africa
Electronic Mail: compliance@savtec.co.za
Official Web Address: www.savtec.co.za
If a data subject is dissatisfied with how the Organisation handles their personal information or privacy requests, they have the right to lodge a formal complaint with the South African Information Regulator:
Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017
Complaints Email Address: complaints.IR@inforegulator.org.za
General Enquiries Email Address: enquiries@inforegulator.org.za
The National Executive Committee reviews this Privacy Policy annually to ensure it aligns with technological changes, organizational updates, and legal shifts within South African statutory frameworks.
Any updates to this policy will be published clearly on the public website at savtec.co.za/privacy-policy. When major modifications alter how personal information is handled, a notification will be sent directly to all active members via email. Continued membership and use of the website platform after changes are posted constitutes acceptance of the updated terms.
This Privacy Policy was formally ratified by the National Executive Committee of the South African Vintage Tractor and Engine Club on this 25th day of May 2026.