Privacy Policy
Comprehensive Data Protection & Privacy Notice
Who We Are
Bonela Consulting (Pty) Ltd
Level-2 B-BBEE People Solutions
POPIA Reg: 2024-040075
1. Introduction and Scope
This Privacy Policy (“Policy”) sets out how Bonela Consulting (Pty) Ltd (“Bonela”, “we”, “our”, or “us”), a Level-2 B-BBEE People Solutions company registered in the Republic of South Africa, collects, uses, stores, discloses, and otherwise processes Personal Information and Personal Data in connection with our people development, organisational effectiveness, and psychometric assessment services.
Bonela operates from South Africa and provides services to clients in both South Africa and the European Economic Area (“EEA”). Accordingly, this Policy is drafted to satisfy the requirements of the Protection of Personal Information Act 4 of 2013 (“POPIA”), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the ePrivacy Directive 2002/58/EC, the Health Professions Act 56 of 1974, and all subsidiary regulations issued by the Health Professions Council of South Africa (“HPCSA”) Professional Board for Psychology.
This Policy applies to:
- Candidates and employees of our client organisations who undergo psychometric assessments, development programmes, or organisational interventions
- Representatives, employees, and contractors of our client organisations
- Visitors to our website at bonelaconsulting.com
- Our own employees, contractors, and service providers
- Any natural person whose Personal Information or Personal Data we process
2. Definitions
In this Policy, unless the context indicates otherwise:
| Term | Definition |
|---|---|
| Assessment Data | All data generated during or as a result of a psychometric assessment, including raw scores, norm-referenced scores, personality profiles, cognitive ability results, job-fit diagnostic outputs, and professional interpretative reports. |
| Candidate | A natural person who undergoes a psychometric assessment, workshop, or development intervention facilitated by Bonela. |
| Client | The corporate entity or organisation that engages Bonela to deliver people development, organisational effectiveness, or psychometric assessment services. |
| Controller / Responsible Party | The natural or juristic person that determines the purpose and means of processing Personal Information (POPIA) or Personal Data (GDPR). |
| Data Subject | The natural person to whom the Personal Information or Personal Data relates (both POPIA and GDPR). |
| GDPR | General Data Protection Regulation (EU) 2016/679. |
| HPCSA | Health Professions Council of South Africa, including its Professional Board for Psychology. |
| Information Officer | The person designated under POPIA section 55 to be responsible for compliance with POPIA within Bonela. |
| Operator / Processor | The natural or juristic person who processes Personal Information on behalf of the Responsible Party (POPIA) or Controller (GDPR). |
| Personal Data | Any information relating to an identified or identifiable natural person (GDPR definition). |
| Personal Information | Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including but not limited to information relating to race, gender, mental health, biometric information, and personal opinions (POPIA definition). |
| POPIA | Protection of Personal Information Act 4 of 2013 (South Africa). |
| Processing | Any operation performed on Personal Information/Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. |
| Special Personal Information | As defined in POPIA section 26: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, or criminal behaviour. Under GDPR (Article 9), “special categories of personal data”. |
3. Identity of the Responsible Party / Controller
For the purposes of POPIA and the GDPR:
| Entity Name | Bonela Consulting (Pty) Ltd |
| Trading As | Bonela Consulting |
| Registered Address | 31 Loerie Crescent, Canyoniqua, Mosselbay, South Africa, 6500 |
| Website | bonelaconsulting.com |
| Information Officer | Eugene Viljoen |
| Deputy Information Officer | Ettiene Viljoen |
| info@bonelaconsulting.com | |
| Telephone | +27 83 264 6275 |
| POPIA Regulator Reg. No. | 2024-040075 |
In most engagements, our Client acts as the Controller/Responsible Party in respect of their employees' or candidates' Personal Information, and Bonela acts as the Operator/Processor. Where Bonela independently determines the purpose and means of processing (for example, for our own marketing or direct assessment engagements), Bonela acts as the Controller/Responsible Party.
4. Categories of Personal Information We Process
4.1 Candidate and Employee Data
When delivering psychometric assessments, people development workshops, and organisational effectiveness interventions, we may process the following categories:
| Category | Data Elements |
|---|---|
| 4.1.1 Identifying Information | Full name, surname, preferred name, title; Identity number, passport number, employee number; Date of birth, age, gender; Nationality, citizenship, language preference; Photograph (where provided for identification) |
| 4.1.2 Contact Information | Email address (personal and/or business); Telephone number (mobile and/or landline); Physical and postal address |
| 4.1.3 Employment Information | Employer name, department, division, business unit; Job title, job grade, reporting line; Employment start date, tenure, employment type; Work location, team structure |
| 4.1.4 Assessment Data (Special Category) | Cognitive ability assessment scores and profiles; Personality assessment results; Emotional intelligence assessment outputs; Behavioural and competency assessment results; Job-fit diagnostic scores and recommendations; 360-degree feedback data; Leadership assessment outputs; Individual development plan data; Professional interpretative reports; Raw item-level response data; Information relating to mental health, psychological wellbeing, or cognitive functioning |
| 4.1.5 Training and Development Data | Workshop attendance records and completion certificates; Pre- and post-assessment scores; Learning management system activity logs; Feedback and evaluation form responses |
| 4.1.6 Technical and Usage Data | IP address, browser type, operating system; Device identifiers, screen resolution; Date, time, and duration of assessment sessions; Assessment platform interaction logs |
Important: Assessment Data
Assessment Data may constitute Special Personal Information under POPIA section 26 or special categories of personal data under GDPR Article 9. This includes data that may relate to mental health, psychological wellbeing, or cognitive functioning inferred from assessment results. Such data receives enhanced protection and is processed only with explicit consent or other lawful basis.
4.2 Client Representative Data
Name, job title, email, and telephone of client contact persons; Billing and invoicing information; Contractual correspondence.
4.3 Website Visitor Data
IP address, cookies, and usage analytics (see Section 16); Contact form submissions; Newsletter subscription data.
5. Lawful Basis for Processing
5.1 Under POPIA (Conditions for Lawful Processing)
We process Personal Information in accordance with one or more of the following conditions set out in POPIA Chapter 3:
| POPIA Condition | Application |
|---|---|
| Section 11 — Consent | Where Candidates provide informed, voluntary, specific consent to undergo psychometric assessments and for processing of their Assessment Data. Consent is obtained via our Candidate Consent Form. |
| Section 11 — Necessary for a contract | Processing necessary to perform our contractual obligations to Clients for the delivery of assessment, training, and organisational effectiveness services. |
| Section 11 — Legal obligation | Processing required to comply with HPCSA regulations, B-BBEE reporting obligations, Skills Development Act requirements, Employment Equity Act obligations, and tax legislation. |
| Section 11 — Legitimate interest | Processing necessary for our legitimate business interests (e.g., service improvement, quality assurance, business development), provided such interest does not override the Data Subject's rights. |
| Section 27 — Special Personal Information | Assessment Data that constitutes Special Personal Information is processed on the basis of explicit consent (section 27(1)(a)), or because processing is necessary for the establishment, exercise, or defence of a right or obligation in law (section 27(1)(d)). |
5.2 Under GDPR (Article 6 and Article 9)
For Data Subjects in the EEA, we rely on the following legal bases:
| GDPR Legal Basis | Application |
|---|---|
| Article 6(1)(a) — Consent | Where the Candidate has given clear, informed consent to the processing of their personal data for psychometric assessment purposes. |
| Article 6(1)(b) — Contract | Processing necessary for the performance of a contract to which the Data Subject is party, or to take pre-contractual steps at the request of the Data Subject. |
| Article 6(1)(c) — Legal obligation | Processing necessary for compliance with EU or Member State legal obligations to which Bonela is subject. |
| Article 6(1)(f) — Legitimate interests | Processing necessary for the purposes of Bonela's or a third party's legitimate interests, where such interests are not overridden by the Data Subject's fundamental rights and freedoms. A Legitimate Interest Assessment (LIA) is conducted and documented for each use case. |
| Article 9(2)(a) — Explicit consent | For special categories of data (including data concerning health, psychological profiling), explicit consent is obtained from the Candidate. |
| Article 9(2)(h) — Occupational assessment | Processing necessary for the purposes of occupational capacity assessments, in accordance with applicable EU or Member State law. |
6. Purpose of Processing
We process Personal Information and Personal Data strictly for the following purposes:
- To administer, score, and interpret psychometric assessments in compliance with HPCSA requirements and international best practice standards.
- To generate professional assessment reports and provide evidence-based recommendations to Clients for recruitment, selection, development, succession planning, and talent management decisions.
- To deliver people development workshops, coaching, and training programmes.
- To conduct organisational effectiveness interventions, including team diagnostics, culture assessments, and change management initiatives.
- To fulfil contractual obligations to our Clients under service level agreements.
- To comply with legal and regulatory obligations, including HPCSA professional and ethical standards, Employment Equity Act, Skills Development Act, B-BBEE Act, tax legislation, and any applicable EU/EEA legislation.
- To conduct research and development for the validation and norming of assessment instruments (only with anonymised or de-identified data, or with explicit consent).
- To manage client relationships, invoicing, and business administration.
- To improve and maintain the security, integrity, and performance of our IT systems and assessment platforms.
- To respond to enquiries, provide support, and communicate service-related information.
- To conduct quality assurance, professional supervision, and peer review in accordance with HPCSA Scope of Practice regulations.
- To comply with lawful requests from regulatory authorities, courts, or law enforcement agencies.
7. HPCSA Compliance and Professional Standards
As a provider of psychometric assessment services, Bonela is bound by the professional and ethical standards of the HPCSA Professional Board for Psychology. The following principles govern our handling of Assessment Data:
| Principle | Description |
|---|---|
| 7.1 Registered Professionals | All psychometric assessments are administered, scored, and interpreted under the supervision of, or directly by, professionals registered with the HPCSA as either Psychologists or Psychometrists in the appropriate category and scope of practice. |
| 7.2 Classified Assessments | Assessment instruments classified by the HPCSA are used strictly in accordance with their classification. Access to classified test materials is restricted to appropriately registered professionals. |
| 7.3 Informed Consent | Candidates are provided with clear, comprehensive information about the assessment process, the nature of the assessment, how results will be used, who will have access to results, and their rights before providing consent. Consent is documented via our Candidate Consent Form. |
| 7.4 Feedback | In accordance with HPCSA ethical rules, Candidates are entitled to individual feedback on their assessment results. Feedback is provided by a registered professional in a manner that is understandable and appropriate. |
| 7.5 Confidentiality | Assessment results are treated as confidential professional information. Access is restricted to the registered professional conducting the assessment and authorised Client representatives as specified in the consent form. Raw test data and item-level responses are never disclosed to the Client. |
| 7.6 Fair and Unbiased Assessment | We use assessment instruments that are validated and normed for the relevant South African and international populations. We continuously monitor for potential bias and ensure that assessment practices comply with the Employment Equity Act 55 of 1998 (section 8) requirements for fair and validated psychometric testing. |
| 7.7 Record Retention | Assessment records are retained for a minimum period as required by the HPCSA (typically not less than five years from the date of assessment), after which they are securely destroyed unless a longer retention period is required by law or contract. |
8. Data Sharing and Disclosure
8.1 Categories of Recipients
We may share Personal Information with the following categories of recipients, subject to appropriate contractual and security safeguards:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Client Organisation | Delivery of assessment reports, training reports, and intervention outcomes | Data Processing Agreement; access limited to authorised representatives; raw test data never disclosed |
| Microsoft Corporation | Cloud hosting via Microsoft 365 Business, OneDrive, Exchange Online | Microsoft DPA; SCCs for international transfers; ISO 27001 and SOC 2 certified; encryption at rest and in transit |
| Sub-processors | IT support, assessment platform providers, payment processors | Written Data Processing Agreements; security assessments; access limited to strictly necessary |
| HPCSA and Professional Bodies | Professional audits, ethical investigations, CPD records | Statutory obligation; data disclosed only as required by law |
| Regulatory Authorities | Information Regulator (SA), DPAs (EU), SARS, Department of Labour | Only in response to lawful requests, subpoenas, or statutory obligations |
| Legal and Professional Advisors | Legal advice, audit, insurance | Professional privilege; DPAs where applicable |
| Research Partners | Assessment validation and norming studies | Only with anonymised data or explicit consent; ethics approval where required |
8.2 No Sale of Personal Information
Bonela does not sell, rent, lease, or trade Personal Information or Personal Data to any third party for marketing or commercial purposes.
9. International and Cross-Border Data Transfers
9.1 South Africa to EEA
Where we transfer Personal Information from South Africa to the EEA (or vice versa), we ensure that the transfer is lawful under both POPIA and the GDPR:
- POPIA section 72 permits transborder transfers where the recipient country provides an adequate level of protection. The EU/EEA is generally regarded as providing adequate protection.
- For transfers from the EEA to South Africa, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Article 46(2)(c), supplemented by Transfer Impact Assessments.
9.2 Microsoft Data Residency
Our Microsoft 365 Business tenant is configured with the South African data centre region as the primary data location. Microsoft may process certain administrative and diagnostic data in other regions in accordance with its Data Protection Addendum. We have executed the Microsoft Data Protection Addendum, which incorporates Standard Contractual Clauses for transfers outside the EEA.
9.3 Supplementary Measures
In accordance with the EDPB Recommendations 01/2020, we implement the following supplementary measures for international transfers:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Pseudonymisation of Assessment Data where technically feasible
- Access controls limiting data access to authorised personnel on a need-to-know basis
- Regular Transfer Impact Assessments
- Contractual commitments to challenge disproportionate government access requests
10. Data Security
| Category | Measures |
|---|---|
| 10.1 Technical Measures | Microsoft 365 security (ATP, DLP, Defender); Multi-factor authentication (MFA) enforced; Conditional Access policies; OneDrive encryption (BitLocker, TLS 1.2+); Microsoft Information Protection labels; Azure AD / Entra ID access management; Vulnerability scanning and penetration testing; Endpoint protection on all devices; Automated backup and disaster recovery |
| 10.2 Organisational Measures | Role-based access control (RBAC) with least-privilege principle; Mandatory data protection and information security training for all staff; Background screening for employees with access to Personal Information; Clean desk and clear screen policies; Incident response plan and data breach notification procedures; Regular internal audits and compliance reviews; Third-party vendor risk assessments; Non-disclosure agreements with all employees and contractors; Assessor Code of Conduct |
| 10.3 Physical Measures | Restricted physical access to office premises; Secure storage of any physical assessment materials; Controlled disposal of physical documents via shredding |
11. Data Retention
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention schedule applies:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Psychometric assessment reports | Minimum 5 years from date of assessment | HPCSA professional requirements; POPIA s14; contractual obligations |
| Raw test data and item responses | Minimum 5 years from date of assessment | HPCSA professional requirements |
| Training attendance and completion records | 5 years from date of training | Skills Development Act; B-BBEE Act; contractual obligations |
| Client contractual records | 5 years after contract expiry | Prescription Act 68 of 1969; POPIA s14 |
| Financial and tax records | 5 years from end of relevant tax year | Tax Administration Act; Companies Act |
| Employee records | Duration of employment plus 5 years | BCEA, LRA, Employment Equity Act, POPIA |
| Website analytics and cookies | Maximum 13 months | ePrivacy Directive; POPIA |
| Marketing consent records | Duration of consent plus 1 year | POPIA; GDPR; CPA |
| Data breach records | 5 years from date of breach | POPIA; GDPR |
Upon expiry of the relevant retention period, Personal Information is securely destroyed using methods appropriate to the medium (secure deletion for electronic records; shredding for physical records). De-identified and aggregated statistical data may be retained indefinitely for research and benchmarking purposes.
12. Rights of Data Subjects
12.1 Rights under POPIA
Data Subjects in South Africa have the following rights under POPIA:
| Right | Description |
|---|---|
| Right of access (s23) | Request confirmation of whether we hold Personal Information about you, and access to such information. |
| Right to correction (s24) | Request correction or deletion of Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. |
| Right to deletion (s24) | Request destruction or deletion of Personal Information in certain circumstances. |
| Right to object (s11(3)) | Object to processing based on legitimate interests, and to processing for direct marketing. |
| Right against automated decision-making (s71) | Not be subject to a decision based solely on automated processing that has legal or similarly significant effects. |
| Right to lodge a complaint | Lodge a complaint with the Information Regulator of South Africa. |
12.2 Rights under GDPR
Data Subjects in the EEA have the following additional or equivalent rights under GDPR:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain confirmation of processing and a copy of the personal data being processed. |
| Right to rectification (Art. 16) | Have inaccurate personal data corrected without undue delay. |
| Right to erasure (Art. 17) | Request deletion of personal data in specified circumstances (“right to be forgotten”). |
| Right to restriction (Art. 18) | Request restriction of processing in certain circumstances. |
| Right to data portability (Art. 20) | Receive personal data in a structured, commonly used, machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interests or for direct marketing. |
| Right against automated decisions (Art. 22) | Not be subject to solely automated decisions with legal or significant effects. |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time, without affecting prior lawful processing. |
12.3 Exercising Your Rights
To exercise any of the above rights, please contact our Information Officer using the details in Section 3. We will respond to verified requests within:
- POPIA: A reasonable time, not exceeding 30 days.
- GDPR: Without undue delay, and in any event within one calendar month (extendable by two further months for complex requests, with prior notification).
We may request verification of identity before processing your request. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
12.4 Assessment-Specific Rights
In addition to statutory rights, Candidates have the following rights specific to psychometric assessments:
- The right to receive individual feedback on assessment results from a registered professional, in accordance with HPCSA ethical rules.
- The right to request that assessment results not be disclosed to the Client before receiving feedback.
- The right to request a reassessment where there is a reasonable belief that results do not accurately reflect the Candidate's abilities or characteristics, subject to professional judgment.
- The right to know which assessment instruments were used and why.
13. Automated Decision-Making and Profiling
Bonela uses psychometric assessment instruments that involve algorithmic scoring and profiling. This constitutes automated processing under POPIA section 71 and GDPR Article 22.
13.1 Nature of Automated Processing
- Assessment instruments automatically calculate scores based on Candidate responses.
- Norm-referenced scoring compares Candidate results against relevant population norms.
- Job-fit algorithms may generate compatibility scores or recommendations.
13.2 Safeguards
We implement the following safeguards to ensure fair and transparent automated processing:
- No decision with legal or similarly significant effect is made solely on the basis of automated processing. A registered professional always reviews, interprets, and contextualises assessment results before any recommendation is made.
- Candidates are informed of the existence of automated processing via the Candidate Consent Form.
- Candidates may request human intervention, express their point of view, and contest decisions influenced by assessment results.
- Assessment instruments are regularly validated for fairness and bias, in compliance with the Employment Equity Act and HPCSA standards.
14. Children's Data
Bonela does not knowingly collect or process Personal Information of children under the age of 18 (in terms of POPIA) or under the age of 16 (in terms of GDPR, or the age specified by the applicable Member State) without the prior written consent of a competent person (parent, guardian, or person having authority).
Where assessments are conducted on minors (for example, in educational or career guidance contexts), explicit consent is obtained from the competent person, and all HPCSA ethical requirements for working with minors are strictly observed.
15. Direct Marketing
We may use your contact information to send you information about our services, events, and thought leadership content. We will only do so:
- With your prior opt-in consent (POPIA s69; GDPR Art. 6(1)(a)); or
- Where you are an existing client and the marketing relates to similar services (GDPR Recital 47 soft opt-in), and you have the opportunity to opt out at any time.
Every marketing communication includes a clear, functional unsubscribe mechanism. You may also opt out by emailing privacy@bonelaconsulting.com.
16. Cookies and Website Privacy
Our website uses cookies and similar tracking technologies. In summary:
- Strictly necessary cookies are deployed without consent as they are essential for website functionality.
- Analytics, performance, and marketing cookies are only deployed after the visitor has given informed consent via our cookie consent banner.
- Visitors may withdraw cookie consent at any time via the cookie settings accessible on every page.
17. Data Breach Notification
17.1 POPIA (Section 22)
In the event of a security compromise involving Personal Information, Bonela will:
- Notify the Information Regulator of South Africa as soon as reasonably possible after becoming aware of the compromise.
- Notify affected Data Subjects as soon as reasonably possible, unless identity is unknown, law enforcement requests a delay, or a public communication would be adequate.
- Provide sufficient information to allow Data Subjects to take protective measures.
17.2 GDPR (Articles 33-34)
For Data Subjects in the EEA:
- We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to rights and freedoms.
- Where a breach is likely to result in a high risk to rights and freedoms, we will notify affected Data Subjects without undue delay.
- Where Bonela acts as Processor, we will notify the Controller without undue delay upon becoming aware of a breach.
17.3 Breach Response Plan
Our Incident Response Plan includes:
- Immediate containment and assessment of the breach
- Documentation and root cause analysis
- Notification to relevant regulatory authorities and affected individuals
- Remediation measures to prevent recurrence
- Post-incident review and policy updates
18. Data Protection Impact Assessments
In accordance with GDPR Article 35 and POPIA best practice, Bonela conducts Data Protection Impact Assessments (DPIAs) before initiating any processing that is likely to result in a high risk to the rights and freedoms of Data Subjects. This includes, but is not limited to:
- Large-scale processing of special categories of personal data (e.g., psychometric assessment programmes)
- Systematic evaluation of personal aspects (profiling)
- New assessment instruments or delivery platforms
- Changes in sub-processors or international transfer mechanisms
19. Sub-Processors
Bonela engages the following categories of sub-processors. A current list of specific sub-processors is available upon request:
| Sub-Processor Category | Purpose | Location |
|---|---|---|
| Microsoft Corporation | Microsoft 365 Business: email, document storage (OneDrive/SharePoint), collaboration (Teams) | South Africa (primary); global (certain services) |
| Psychometric Assessment Platform Providers | Online assessment delivery, scoring, and reporting | South Africa / EEA (varies by platform) |
| Website Hosting Provider | Hosting of bonelaconsulting.com | To be confirmed |
| Payment Gateway | Processing of client payments | South Africa |
| IT Support and Managed Services | Technical support, system maintenance | South Africa |
We will not engage a new sub-processor without entering into a written Data Processing Agreement that imposes equivalent data protection obligations. Where we act as Processor for a Client, we will provide prior notification of new sub-processors as required by the DPA.
20. Governing Law and Jurisdiction
This Policy is governed by the laws of the Republic of South Africa. For Data Subjects in the EEA, the provisions of the GDPR and applicable Member State law apply in addition to South African law. Nothing in this Policy limits the rights of Data Subjects under mandatory applicable law.
21. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated via:
- A prominent notice on our website
- Direct email notification to affected Data Subjects (where feasible and appropriate)
- Notification to Clients under existing contractual arrangements
The current version of this Policy is always available at bonelaconsulting.com/privacy.
22. Contact and Complaints
For any questions, requests, or complaints regarding this Policy or our data processing practices, please contact:
| Information Officer | Eugene Viljoen |
| eugene.viljoen@bonelaconsulting.com | |
| Telephone | +27 83 264 6275 |
| Postal Address | PO Box 133, George, Western Cape, 6530 |
If you are not satisfied with our response, you have the right to lodge a complaint with:
South Africa
Information Regulator:
inforegulator.org.za
Email:
complaints.BI@inforegulator.org.za
HPCSA:
hpcsa.co.za
European Union / EEA
The supervisory authority of the EU/EEA Member State in which you reside, work, or where the alleged infringement occurred.
List of supervisory authorities:
edpb.europa.eu/about-edpb/about-edpb/members_en
Last updated: 4 February 2026 | Version 1.0
Download PDF Version