{"clause": "POPIA consent", "premise": "Daily Maverick reported on Tuesday that TymeBank rolled out a new onboarding screen where users must actively tick separate boxes for marketing emails, profiling, and credit-bureau checks before the 'continue' button activates.", "hypothesis": "The responsible party is obtaining specific consent for each distinct processing purpose.", "label": "entailment", "scenario": "news-fintech-onboarding"}
{"clause": "POPIA consent", "premise": "IOL writes that Nedbank's new robo-advisor shows each client a clear summary of what data will be used for portfolio recommendations and asks them to click 'I agree' before the tool runs.", "hypothesis": "Nedbank is obtaining informed consent before using the client's data for robo-advice.", "label": "entailment", "scenario": "news-robo-advisor"}
{"clause": "POPIA consent", "premise": "I phoned the Discovery call centre and told them to stop using my number for Vitality marketing; they said it was recorded and would take 48 hours.", "hypothesis": "The data subject has exercised the right to object to direct marketing.", "label": "entailment", "scenario": "first-person-marketing-objection"}
{"clause": "POPIA consent", "premise": "I signed a form at the Netcare hospital front desk that explicitly said my contact details would be passed to my medical aid for pre-authorisation; I ticked the box myself.", "hypothesis": "The hospital obtained consent from the patient before sharing details with the medical aid.", "label": "entailment", "scenario": "first-person-hospital-preauth"}
{"clause": "POPIA consent", "premise": "Internal memo 2026-03-11: following the legal review, our research platform now requires every participant to re-consent after any material change to the study protocol, with a timestamped log per participant.", "hypothesis": "The responsible party can demonstrate renewed consent after material protocol changes.", "label": "entailment", "scenario": "memo-research-reconsent"}
{"clause": "POPIA consent", "premise": "PR for the Mukuru remittance flow: we removed the auto-ticked 'share my KYC data with partner banks' checkbox and replaced it with an explicit unticked consent that the sender must tick themselves.", "hypothesis": "The remittance flow now collects opt-in consent for sharing KYC data with partner banks.", "label": "entailment", "scenario": "memo-remove-prechecked-box"}
{"clause": "POPIA consent", "premise": "Ops memo: our kiosk in the Sandton branch captures a visitor's name and company on an iPad before issuing an access badge; the privacy notice is shown on the same screen but visitors cannot continue without tapping 'agree'.", "hypothesis": "Visitors are given a privacy notice and must accept it before their data is captured.", "label": "entailment", "scenario": "memo-kiosk-visitor"}
{"clause": "POPIA consent", "premise": "BusinessTech reports that a Johannesburg gym chain rolled out biometric fingerprint entry for members last month.", "hypothesis": "The gym chain has obtained valid consent from members for biometric processing.", "label": "neutral", "scenario": "news-gym-biometrics"}
{"clause": "POPIA consent", "premise": "Reuters reports that a Stellenbosch winery has started running email marketing campaigns against its tasting-room visitor list.", "hypothesis": "The winery obtained data-subject consent for the marketing campaigns.", "label": "neutral", "scenario": "news-winery-marketing"}
{"clause": "POPIA consent", "premise": "Sunday Times notes that Bank Zero recently onboarded 50 000 new users via its in-app signup.", "hypothesis": "Bank Zero's signup flow obtains granular consent for each processing purpose.", "label": "neutral", "scenario": "news-bank-zero-signup"}
{"clause": "POPIA consent", "premise": "I attended a Liberty Life financial-advice seminar last weekend and gave my business card at the door.", "hypothesis": "I consented to receive marketing communications from Liberty.", "label": "neutral", "scenario": "first-person-seminar-card"}
{"clause": "POPIA consent", "premise": "I joined a new Pilates studio in Melville and filled in their welcome form.", "hypothesis": "The studio obtained my specific consent to share my contact details with third-party wellness partners.", "label": "neutral", "scenario": "first-person-pilates-form"}
{"clause": "POPIA consent", "premise": "Sprint retro note: the team discussed whether school photographs uploaded to our parent portal need re-consent when re-used in the school's annual magazine.", "hypothesis": "The school has obtained re-consent from parents for using the photographs in the annual magazine.", "label": "neutral", "scenario": "memo-school-photo-reuse"}
{"clause": "POPIA consent", "premise": "Jira DATA-228: a customer called saying he wants to 'object to some processing' — the agent logged the call but hasn't yet clarified which processing activity he means.", "hypothesis": "The data subject has validly objected to direct marketing under §11(3).", "label": "neutral", "scenario": "memo-unclear-objection"}
{"clause": "POPIA consent", "premise": "Engineering note: the new Yoco consent dashboard shows each merchant a list of data-sharing partners, but does not yet show when or how the merchant originally consented.", "hypothesis": "Yoco can discharge its burden of proving when and how each merchant originally consented.", "label": "neutral", "scenario": "memo-consent-provenance-missing"}
{"clause": "POPIA consent", "premise": "News24 reports that a popular food-delivery app now auto-enrols every new user into its loyalty programme and only offers an opt-out buried in the account settings page.", "hypothesis": "The app is relying on valid, freely-given consent for the loyalty programme.", "label": "contradiction", "scenario": "news-food-delivery"}
{"clause": "POPIA consent", "premise": "My Vodacom contract expired and they kept sending me upgrade offers even though I emailed twice asking them to stop.", "hypothesis": "Vodacom has ceased processing the data subject's information for direct marketing after a valid objection.", "label": "contradiction", "scenario": "first-person-telco-marketing"}
{"clause": "POPIA consent", "premise": "I got an SMS from a short-term lender I have never heard of saying 'you qualify for R15 000' — I definitely never signed up with them.", "hypothesis": "The lender has obtained the data subject's consent to send direct marketing.", "label": "contradiction", "scenario": "first-person-cold-sms-loan"}
{"clause": "POPIA consent", "premise": "I opened a Capitec account last week and was never asked whether they could share my transaction history with their insurance arm, but I noticed a new quote SMS from Capitec Insure this morning.", "hypothesis": "Capitec obtained the data subject's consent before sharing the transaction history with its insurance arm.", "label": "contradiction", "scenario": "first-person-bank-cross-sell"}
{"clause": "POPIA consent", "premise": "RCA for INC-6612: the marketing team bulk-imported 42 000 contacts from a third-party CSV and fired a Mailchimp campaign without any consent audit on the imported list.", "hypothesis": "The responsible party can discharge its burden of proving valid consent for the imported list.", "label": "contradiction", "scenario": "memo-third-party-list-import"}
{"clause": "POPIA consent", "premise": "Incident report INC-7712: a developer shipped a release where the cookie banner's 'Reject all' button silently logged the same preferences object as 'Accept all'.", "hypothesis": "The platform was obtaining valid consent via the cookie banner.", "label": "contradiction", "scenario": "memo-cookie-banner-bug"}
{"clause": "POPIA consent", "premise": "Jira INC-4411: the fundraising page shipped without a consent checkbox for the 'add me to your monthly donor list' option — it was on by default.", "hypothesis": "The fundraiser has obtained the donor's opt-in consent to be added to the monthly donor list.", "label": "contradiction", "scenario": "memo-donor-default-on"}
{"clause": "POPIA minimality / purpose limitation", "premise": "News24 reports that Takealot's courier app asks a delivery driver only for their name, vehicle registration, and drop-off time — nothing else — when logging a successful delivery.", "hypothesis": "The data captured by the courier app is limited to what is needed to record the delivery.", "label": "entailment", "scenario": "news-courier-minimal"}
{"clause": "POPIA minimality / purpose limitation", "premise": "BusinessTech article: Superbalist's newsletter signup asks only for an email address.", "hypothesis": "The Superbalist signup collects the minimum necessary data for sending a newsletter.", "label": "entailment", "scenario": "news-newsletter-email-only"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Home Affairs only asked for my ID number and a photo when I renewed my smart ID; the entire capture took two minutes.", "hypothesis": "Home Affairs collected the data necessary for the stated purpose of ID renewal.", "label": "entailment", "scenario": "first-person-home-affairs-id"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Internal memo 2026-02-14: per product-spec review, the new identity-verification microservice will discard the MRZ photo the moment the ID number passes the Luhn check — no retention beyond validation.", "hypothesis": "The microservice retains data only for as long as needed to achieve its stated verification purpose.", "label": "entailment", "scenario": "memo-verify-discard"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Engineering note for the EasyEquities onboarding redesign: we removed the 'mother's maiden name' field since we no longer use it for any verification or fraud check.", "hypothesis": "EasyEquities has reduced the data captured to match the current processing purpose.", "label": "entailment", "scenario": "memo-remove-unused-field"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Internal memo for the Gauteng Dept of Health vaccination roll-out: the capture app takes only name, ID, date of birth, vaccine lot number, and date.", "hypothesis": "The vaccination app's data capture is limited to what is necessary for the vaccination record.", "label": "entailment", "scenario": "memo-vaccine-capture"}
{"clause": "POPIA minimality / purpose limitation", "premise": "I went to open a Shoprite Money Market account and they asked only for my ID and proof of address — nothing else.", "hypothesis": "The retailer is collecting the minimum data necessary for a basic transactional account.", "label": "entailment", "scenario": "first-person-money-market"}
{"clause": "POPIA minimality / purpose limitation", "premise": "I asked the Sanral e-toll agent why they needed my employer name to process my account — she said it was on the form.", "hypothesis": "Sanral's collection of employer name is adequate, relevant and not excessive for e-toll account management.", "label": "neutral", "scenario": "first-person-etoll-employer"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Sunday Times reports that a Gauteng car-rental chain captures marital status on its booking form.", "hypothesis": "Marital status is relevant and necessary to the one-day car-rental booking purpose.", "label": "neutral", "scenario": "news-car-rental-marital"}
{"clause": "POPIA minimality / purpose limitation", "premise": "RCA INC-3322: the Prasa staff portal is storing employee next-of-kin details in the same table as passenger complaint data, because the original table was reused.", "hypothesis": "The next-of-kin data is being used only for the purpose for which it was collected.", "label": "neutral", "scenario": "memo-table-reuse"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Sprint note: the marketing team wants to start pulling City of eThekwini residents' water-usage data into our churn model.", "hypothesis": "Pulling residents' water-usage data into the churn model is compatible with the purpose for which the municipality collected it.", "label": "neutral", "scenario": "memo-municipal-data-reuse"}
{"clause": "POPIA minimality / purpose limitation", "premise": "News24 reports that a Pretoria clinic collects the occupation of every patient on its intake form.", "hypothesis": "Occupation is adequate, relevant and not excessive for the clinic's stated patient-care purpose.", "label": "neutral", "scenario": "news-clinic-occupation"}
{"clause": "POPIA minimality / purpose limitation", "premise": "I noticed the Pick n Pay Smart Shopper card form asks for my number of children.", "hypothesis": "Number of children is necessary to operate a grocery loyalty programme.", "label": "neutral", "scenario": "first-person-loyalty-children"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Engineering ticket DATA-330: the marketing-analytics table retains pseudonymised browsing events for 36 months.", "hypothesis": "The 36-month retention is adequate, relevant and not excessive for the marketing-analytics purpose.", "label": "neutral", "scenario": "memo-36m-retention"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Daily Maverick reports that SAPS's new online affidavit portal captures the applicant's full name, ID number, cellphone, physical address, employer, salary band and parents' names, even for a simple lost-property affidavit.", "hypothesis": "The SAPS portal is collecting data that is adequate, relevant and not excessive for a lost-property affidavit.", "label": "contradiction", "scenario": "news-saps-affidavit"}
{"clause": "POPIA minimality / purpose limitation", "premise": "At the OUTsurance kiosk, the agent asked for my race, religion and political affiliation when I was just quoting on car insurance.", "hypothesis": "The insurer is collecting data adequate, relevant and not excessive for a car-insurance quote.", "label": "contradiction", "scenario": "first-person-insurer-over-collect"}
{"clause": "POPIA minimality / purpose limitation", "premise": "I tried to sign up for free Wi-Fi at a Mugg & Bean and the captive portal insisted on my ID number, home address, monthly income, and employer.", "hypothesis": "The captive portal's collection is limited to what is necessary for granting café Wi-Fi.", "label": "contradiction", "scenario": "first-person-wifi-over-collect"}
{"clause": "POPIA minimality / purpose limitation", "premise": "RCA INC-8843: our recruiting ATS was storing applicants' matric subjects and results from 20+ years ago for current entry-level operator roles.", "hypothesis": "The ATS retains information adequate, relevant and not excessive for screening current entry-level operator applicants.", "label": "contradiction", "scenario": "memo-ats-stale-matric"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Incident report: during Q1 our Payfast checkout was recording the browser's full navigator.userAgent, screen resolution, timezone, and battery-level reading and persisting them under the order record.", "hypothesis": "The checkout is persisting data that is limited to what is necessary to process a payment.", "label": "contradiction", "scenario": "memo-payment-fingerprint"}
{"clause": "POPIA minimality / purpose limitation", "premise": "PR review: we found that the Liberty wealth-advice tool was persisting every chat message the client typed into the 'questions for my adviser' box, including unrelated personal anecdotes, to the production DB indefinitely.", "hypothesis": "Persisting the full free-text chat history indefinitely is consistent with the advice-delivery purpose.", "label": "contradiction", "scenario": "memo-chat-free-text"}
{"clause": "POPIA minimality / purpose limitation", "premise": "Jira DATA-221: the Checkers Xtra Savings loyalty pipeline quietly started ingesting the customer's vehicle registration number from partner petrol stations, even though the loyalty card's stated purpose is grocery discounts.", "hypothesis": "The loyalty pipeline is collecting data consistent with its defined purpose.", "label": "contradiction", "scenario": "memo-loyalty-scope-creep"}
{"clause": "POPIA security safeguards", "premise": "Sunday Times reports that Absa completed its annual penetration test in February and remediated the two critical findings within the agreed SLA.", "hypothesis": "Absa is regularly verifying the effectiveness of its security safeguards.", "label": "entailment", "scenario": "news-pentest-remediated"}
{"clause": "POPIA security safeguards", "premise": "IOL confirmed that Old Mutual's claims portal requires multi-factor authentication for all internal admin users and rotates access credentials every 60 days.", "hypothesis": "Old Mutual has implemented reasonable technical measures to prevent unlawful access.", "label": "entailment", "scenario": "news-mfa-rotation"}
{"clause": "POPIA security safeguards", "premise": "BusinessTech writes that Standard Bank encrypts all customer PII at rest using AES-256 and in transit using TLS 1.3.", "hypothesis": "Standard Bank has implemented appropriate technical safeguards for stored and transmitted PII.", "label": "entailment", "scenario": "news-encryption-standards"}
{"clause": "POPIA security safeguards", "premise": "My Discovery Bank app locked me out after three wrong PIN attempts and sent me an SMS asking whether it was me.", "hypothesis": "Discovery Bank has implemented appropriate safeguards against unauthorised account access.", "label": "entailment", "scenario": "first-person-bank-lockout"}
{"clause": "POPIA security safeguards", "premise": "I asked the MTN Business support engineer how they safeguard my SIM-swap reset and he explained they require a branch visit with biometrics plus a callback to my registered number.", "hypothesis": "MTN Business has layered controls in place for SIM-swap reset requests.", "label": "entailment", "scenario": "first-person-sim-swap-controls"}
{"clause": "POPIA security safeguards", "premise": "Engineering ticket CS-910: the SecOps team completed the annual ISO 27001 surveillance audit with no major nonconformities.", "hypothesis": "The responsible party has had regard to generally accepted information-security practices.", "label": "entailment", "scenario": "memo-iso-audit"}
{"clause": "POPIA security safeguards", "premise": "Incident note INC-9012: a laptop used by a Netcare junior doctor was stolen from a car boot; whole-disk encryption was enabled and the device was remote-wiped within the hour.", "hypothesis": "Appropriate safeguards were in place and activated for the stolen device.", "label": "entailment", "scenario": "memo-stolen-laptop-encrypted"}
{"clause": "POPIA security safeguards", "premise": "I'm a Takealot customer and I logged in yesterday to find that my password from 2019 still worked, with no MFA challenge, from a brand-new laptop I'd never used before.", "hypothesis": "Takealot is employing reasonable technical safeguards against unauthorised access.", "label": "neutral", "scenario": "first-person-weak-auth"}
{"clause": "POPIA security safeguards", "premise": "News24 reports that a Durban law firm recently migrated its client files to a new cloud provider.", "hypothesis": "The law firm has implemented appropriate technical and organisational safeguards for client files.", "label": "neutral", "scenario": "news-law-firm-migrated"}
{"clause": "POPIA security safeguards", "premise": "Sunday Times reports that Vodacom is rolling out a new 'zero-trust' initiative across its enterprise environment in 2026.", "hypothesis": "The zero-trust initiative has already improved Vodacom's safeguard effectiveness.", "label": "neutral", "scenario": "news-vodacom-zero-trust"}
{"clause": "POPIA security safeguards", "premise": "I received a password-reset link from my Santam broker this morning.", "hypothesis": "Santam has strong organisational controls around issuing password resets.", "label": "neutral", "scenario": "first-person-reset-link"}
{"clause": "POPIA security safeguards", "premise": "I noticed that my Momentum client portal offers MFA as an option but it isn't switched on by default on my account.", "hypothesis": "Momentum has implemented appropriate safeguards against unauthorised access for this account.", "label": "neutral", "scenario": "first-person-mfa-optional"}
{"clause": "POPIA security safeguards", "premise": "Engineering note: the new DLP product was deployed to the engineering laptops fleet last week; rollout to the broader company is scheduled for Q2.", "hypothesis": "The organisation has established and maintained appropriate safeguards across the whole workforce.", "label": "neutral", "scenario": "memo-dlp-partial-rollout"}
{"clause": "POPIA security safeguards", "premise": "Sprint note: the security team has drafted a risk register but hasn't yet completed the review of external threats.", "hypothesis": "The responsible party has identified all reasonably foreseeable internal and external risks.", "label": "neutral", "scenario": "memo-risk-register-draft"}
{"clause": "POPIA security safeguards", "premise": "News24 reports that an FNB developer left a Jenkins dashboard exposed to the public internet with no authentication for six weeks in January 2026.", "hypothesis": "FNB has maintained appropriate technical safeguards against unauthorised access.", "label": "contradiction", "scenario": "news-jenkins-exposed"}
{"clause": "POPIA security safeguards", "premise": "Daily Maverick reveals that a Transnet legacy SAP instance has been running on unpatched software with publicly-known CVEs for over two years.", "hypothesis": "Transnet is continually updating its safeguards in response to new risks.", "label": "contradiction", "scenario": "news-unpatched-sap"}
{"clause": "POPIA security safeguards", "premise": "At the Spar head office a visitor badge gave me unescorted access to a corridor where several unlocked computers were logged in to the payroll system.", "hypothesis": "Spar has reasonable organisational measures in place to prevent unauthorised access to payroll data.", "label": "contradiction", "scenario": "first-person-unlocked-payroll"}
{"clause": "POPIA security safeguards", "premise": "A Hollard agent emailed my policy docs as an unencrypted attachment with my full ID and bank details to my personal gmail, and cc'd a colleague.", "hypothesis": "Hollard is using appropriate technical measures to secure personal information in transit.", "label": "contradiction", "scenario": "first-person-unencrypted-email"}
{"clause": "POPIA security safeguards", "premise": "RCA for INC-7781: the data-engineering team found an S3 bucket containing 12 million Checkers customer records with public-read ACL enabled by mistake.", "hypothesis": "The bucket configuration was an appropriate technical safeguard.", "label": "contradiction", "scenario": "memo-public-s3"}
{"clause": "POPIA security safeguards", "premise": "RCA INC-5123: the backup job for the Momentum CRM was writing to a network share with 'Everyone: Full Control' NTFS permissions.", "hypothesis": "The backup location had appropriate access controls.", "label": "contradiction", "scenario": "memo-backup-everyone"}
{"clause": "POPIA security safeguards", "premise": "RCA INC-4420: the BCX helpdesk was resetting customer portal passwords to the string 'Welcome@1' and not forcing a change on next login.", "hypothesis": "The password-reset process represents an appropriate safeguard against unauthorised access.", "label": "contradiction", "scenario": "memo-weak-reset-password"}
{"clause": "POPIA breach notification", "premise": "Reuters reports that Mediclinic confirmed a ransomware attack on 14 March 2026 and notified the Information Regulator and affected patients in writing on 17 March 2026.", "hypothesis": "Mediclinic notified the Regulator and affected data subjects as soon as reasonably possible after discovery.", "label": "entailment", "scenario": "news-mediclinic-3-day"}
{"clause": "POPIA breach notification", "premise": "Daily Maverick confirmed that on 9 January 2026 Shoprite disclosed a database intrusion to the Information Regulator within 24 hours of detection.", "hypothesis": "Shoprite notified the Regulator promptly after discovering the compromise.", "label": "entailment", "scenario": "news-shoprite-24h"}
{"clause": "POPIA breach notification", "premise": "News24 writes that Vodacom became aware on 5 April that a batch of SIM-swap logs had been accessed by an unauthorised party; a SAPS investigation formally asked Vodacom in writing to hold public notification until 20 April to avoid impeding their active criminal probe, which Vodacom did.", "hypothesis": "Vodacom's delayed notification to data subjects was permissible under POPIA §22(3).", "label": "entailment", "scenario": "news-lawful-delay"}
{"clause": "POPIA breach notification", "premise": "I am a Discovery Life policyholder and I received a letter three weeks after their 11 February breach explaining what happened, what was affected, what they've done, and what I should do.", "hypothesis": "Discovery has notified data subjects in writing with the required contents under §22(5).", "label": "entailment", "scenario": "first-person-letter-with-contents"}
{"clause": "POPIA breach notification", "premise": "Incident report INC-8881: on 4 April 2026 we confirmed unauthorised download of a customer export; the CISO notified the Information Regulator on 5 April 2026 and sent emails to all 18 000 affected data subjects on 6 April 2026.", "hypothesis": "The responsible party notified both the Regulator and the data subjects as soon as reasonably possible.", "label": "entailment", "scenario": "memo-2-day-notification"}
{"clause": "POPIA breach notification", "premise": "Internal note dated 11 April 2026: we have reasonable grounds to believe personal information was accessed by an unauthorised person but cannot yet determine the identity of the perpetrator.", "hypothesis": "The responsible party has a duty to notify under §22(1) despite not knowing the perpetrator's identity.", "label": "entailment", "scenario": "memo-duty-even-unknown"}
{"clause": "POPIA breach notification", "premise": "PR for the incident-response runbook: we hard-coded a requirement to publish a prominent website banner when more than 10 000 data subjects are affected and postal addresses are unknown.", "hypothesis": "The organisation has adopted a §22(4)-compliant notification medium for mass incidents.", "label": "entailment", "scenario": "memo-runbook-website-banner"}
{"clause": "POPIA breach notification", "premise": "Sunday Times reports that SARS is 'investigating an incident' that occurred last week; no further detail has been released.", "hypothesis": "SARS has complied with its §22 notification obligations to data subjects.", "label": "neutral", "scenario": "news-sars-investigating"}
{"clause": "POPIA breach notification", "premise": "News24 writes that Santam detected unusual log activity on 2 April 2026 and has engaged an external forensics team.", "hypothesis": "Santam has reasonable grounds to believe personal information was accessed by an unauthorised person.", "label": "neutral", "scenario": "news-santam-forensics"}
{"clause": "POPIA breach notification", "premise": "I received a fraud-alert SMS from Nedbank on 5 April saying 'we detected suspicious activity on your profile'.", "hypothesis": "Nedbank has experienced a compromise triggering §22(1) notification duties.", "label": "neutral", "scenario": "first-person-fraud-sms"}
{"clause": "POPIA breach notification", "premise": "My Momentum broker phoned me to say there was 'some kind of issue' with the portal last weekend, but didn't know any details.", "hypothesis": "Momentum has fulfilled its §22 notification obligations.", "label": "neutral", "scenario": "first-person-broker-vague"}
{"clause": "POPIA breach notification", "premise": "Jira INC-2244: we believe the incident may rise to a notifiable compromise but legal is still assessing; no notifications sent yet as at day 12 after the initial alert.", "hypothesis": "The responsible party has complied with the §22(2) 'as soon as reasonably possible' standard.", "label": "neutral", "scenario": "memo-assessment-limbo"}
{"clause": "POPIA breach notification", "premise": "RCA INC-3344: an automated scanner flagged potential exposure of 200 records at 02:00; the on-call engineer confirmed the data had not actually been accessed and closed the ticket.", "hypothesis": "The organisation has notification obligations under §22 in respect of this alert.", "label": "neutral", "scenario": "memo-no-access-confirmed"}
{"clause": "POPIA breach notification", "premise": "Incident log: a phishing email reached 30 staff members on 12 March; no evidence yet that any credentials were submitted.", "hypothesis": "A notifiable compromise has occurred.", "label": "neutral", "scenario": "memo-phishing-no-creds-yet"}
{"clause": "POPIA breach notification", "premise": "Engineering note: the security team identified a misconfiguration on 1 April and is still determining whether any personal information was actually accessed.", "hypothesis": "The §22(1) 'reasonable grounds to believe' threshold has already been met.", "label": "neutral", "scenario": "memo-misconfig-still-investigating"}
{"clause": "POPIA breach notification", "premise": "Sunday Times reports that a TymeBank contractor's laptop containing unencrypted customer records was stolen on 2 February; the bank only informed customers eight months later in October.", "hypothesis": "TymeBank notified affected customers as soon as reasonably possible after discovery.", "label": "contradiction", "scenario": "news-tymebank-8-months-late"}
{"clause": "POPIA breach notification", "premise": "IOL reports that Hollard decided not to notify its customers of a March data exposure because its in-house legal team 'felt it wasn't serious enough', even though the compromise met §22(1)'s reasonable-grounds threshold.", "hypothesis": "Hollard fulfilled its §22 notification obligations to data subjects.", "label": "contradiction", "scenario": "news-hollard-no-notify"}
{"clause": "POPIA breach notification", "premise": "I only heard about the Nedbank vendor breach in May from a news article — I never got any communication from Nedbank even though my ID and account were apparently in the exposed dataset.", "hypothesis": "Nedbank has notified affected data subjects directly.", "label": "contradiction", "scenario": "first-person-only-news"}
{"clause": "POPIA breach notification", "premise": "I received a text from Capitec on 20 January that 'an incident occurred' — nothing about what data was involved, what they've done, or what I should do.", "hypothesis": "Capitec's notification satisfied the §22(5) content requirements.", "label": "contradiction", "scenario": "first-person-vague-sms"}
{"clause": "POPIA breach notification", "premise": "RCA INC-5520: we confirmed the compromise on 1 November 2025 but the legal team decided to wait until our annual report in April 2026 to inform data subjects, to reduce reputational impact.", "hypothesis": "The responsible party notified data subjects as soon as reasonably possible after discovery.", "label": "contradiction", "scenario": "memo-5-months-late"}
{"clause": "POPIA breach notification", "premise": "RCA for INC-1123: on confirming a compromise we notified only the Regulator and decided not to notify data subjects because we felt email volume would be 'commercially damaging'.", "hypothesis": "The responsible party has complied with §22(1) in respect of data subjects.", "label": "contradiction", "scenario": "memo-skip-data-subject"}
{"clause": "POPIA breach notification", "premise": "RCA INC-9090: following the compromise we notified the Regulator within 12 hours; however the data-subject letters went out only 4 months later because the call-centre was overwhelmed.", "hypothesis": "Data subjects were notified as soon as reasonably possible after discovery.", "label": "contradiction", "scenario": "memo-4-months-late-subjects"}
{"clause": "POPIA cross-border transfers", "premise": "Sunday Times reports that a major SA retailer has been mirroring its Johannesburg customer database to an ap-southeast-1 (Singapore) bucket since 2023.", "hypothesis": "Personal information is being transferred outside South Africa.", "label": "entailment", "scenario": "news-retailer-singapore"}
{"clause": "POPIA cross-border transfers", "premise": "I'm an Absa business-banking client and my account manager mentioned in passing that their new fraud-analytics tool is hosted in eu-central-1 (Frankfurt) and processes our transaction history there.", "hypothesis": "Absa is transferring personal information outside South Africa.", "label": "entailment", "scenario": "first-person-absa-frankfurt"}
{"clause": "POPIA cross-border transfers", "premise": "Jira ticket INFRA-442: the data platform team replicated the production warehouse from af-south-1 to ap-south-1 (Mumbai) for disaster recovery last week.", "hypothesis": "The replication constitutes a cross-border transfer of personal information.", "label": "entailment", "scenario": "memo-dr-mumbai"}
{"clause": "POPIA cross-border transfers", "premise": "RCA INC-7012: we discovered that a contractor had copied a customer CSV from our internal SharePoint to a personal Dropbox account whose underlying storage is in us-east-1 (Virginia).", "hypothesis": "Personal information was transferred outside South Africa.", "label": "entailment", "scenario": "memo-dropbox-us-east-1"}
{"clause": "POPIA cross-border transfers", "premise": "Engineering ticket CS-331: OpenAI API calls from our support bot send customer names and ticket summaries to OpenAI's US infrastructure in us-east-1.", "hypothesis": "The outbound API calls constitute cross-border transfers under §72.", "label": "entailment", "scenario": "memo-openai-us"}
{"clause": "POPIA cross-border transfers", "premise": "Incident report INC-5544: the CDN misconfiguration caused origin-pull requests for images containing customer ID photos to be served from Cloudflare's Amsterdam PoP.", "hypothesis": "Cross-border transfer of personal information occurred.", "label": "entailment", "scenario": "memo-cdn-amsterdam"}
{"clause": "POPIA cross-border transfers", "premise": "Jira DATA-980: we enabled cross-region replication from af-south-1 to eu-central-1 (Frankfurt) for the customer-profile table last Tuesday.", "hypothesis": "The replication is an outbound cross-border transfer.", "label": "entailment", "scenario": "memo-replication-frankfurt"}
{"clause": "POPIA cross-border transfers", "premise": "I got a privacy update from 10X Investments explaining that starting May 2026 they will begin using a US analytics vendor in us-west-2 (Oregon).", "hypothesis": "10X has a lawful §72 ground for the upcoming transfer.", "label": "neutral", "scenario": "first-person-10x-us-west-2"}
{"clause": "POPIA cross-border transfers", "premise": "News24 reports that a Pretoria fintech is sending raw SA customer data to a US data-broker in us-east-1 (Virginia) for enrichment.", "hypothesis": "The fintech has obtained data-subject consent for this transfer.", "label": "neutral", "scenario": "news-fintech-us-east-1-consent"}
{"clause": "POPIA cross-border transfers", "premise": "Sunday Times reports that Discovery confirmed a contract with a Bermuda reinsurer for handling claims data.", "hypothesis": "Discovery's contract provides substantially similar protection as required by §72(1)(a).", "label": "neutral", "scenario": "news-discovery-reinsurer-contract"}
{"clause": "POPIA cross-border transfers", "premise": "IOL writes that Standard Bank uses an international payments processor whose infrastructure spans multiple regions.", "hypothesis": "Standard Bank's arrangement with the processor satisfies §72(1)(a).", "label": "neutral", "scenario": "news-sbsa-international-processor"}
{"clause": "POPIA cross-border transfers", "premise": "I noticed the Sanlam expat-service portal says 'data may be processed by our Ireland affiliate'.", "hypothesis": "Sanlam has a lawful §72 basis for the transfer to Ireland.", "label": "neutral", "scenario": "first-person-sanlam-ireland-vague"}
{"clause": "POPIA cross-border transfers", "premise": "I signed up for a new SaaS tool whose privacy page says 'we use multiple sub-processors globally' without naming them.", "hypothesis": "The SaaS tool is transferring personal data to a foreign region.", "label": "neutral", "scenario": "first-person-saas-vague-subprocessors"}
{"clause": "POPIA cross-border transfers", "premise": "Jira INFRA-112: the vendor's DPA lists 'Google Cloud' as the processor but does not specify the region.", "hypothesis": "The vendor is transferring personal information outside South Africa.", "label": "neutral", "scenario": "memo-gcp-region-unknown"}
{"clause": "POPIA cross-border transfers", "premise": "Engineering note: the Snowflake contract allows the customer to select the region; our account is being provisioned this week and no region has been set yet.", "hypothesis": "Cross-border transfer of personal data will occur under this Snowflake deployment.", "label": "neutral", "scenario": "memo-snowflake-pending-region"}
{"clause": "POPIA cross-border transfers", "premise": "IOL reports that a Johannesburg SaaS startup stores all customer data in its af-south-1 (Cape Town) region and does not replicate to any foreign region.", "hypothesis": "The startup's storage architecture involves cross-border transfer of personal data.", "label": "contradiction", "scenario": "news-af-south-1-only"}
{"clause": "POPIA cross-border transfers", "premise": "I migrated my side-business's data from AWS Singapore to Teraco's Isando facility last month; the data no longer leaves South Africa.", "hypothesis": "The data is still being transferred outside South Africa.", "label": "contradiction", "scenario": "first-person-migration-teraco"}
{"clause": "POPIA cross-border transfers", "premise": "I asked my Momentum wealth adviser where my KYC docs are stored; she confirmed 'Azure South Africa North — they haven't left the country'.", "hypothesis": "Momentum is transferring the KYC docs outside South Africa.", "label": "contradiction", "scenario": "first-person-azure-za-north"}
{"clause": "POPIA cross-border transfers", "premise": "PR review note: our new analytics lakehouse will be deployed in af-south-1 only; all cross-region failover is disabled.", "hypothesis": "The lakehouse architecture involves cross-border transfer of personal data.", "label": "contradiction", "scenario": "memo-af-south-1-lakehouse"}
{"clause": "POPIA cross-border transfers", "premise": "Sprint note: the Vox-hosted backup NAS sits in their Parklands data centre; per the vendor the data never leaves SA.", "hypothesis": "The backup NAS involves transfer of personal information outside South Africa.", "label": "contradiction", "scenario": "memo-vox-onshore"}
{"clause": "POPIA cross-border transfers", "premise": "Internal note: BCX confirmed in writing that our managed-hosting contract places all compute and storage in their Midrand facility, with no foreign sub-processors.", "hypothesis": "The hosting arrangement involves cross-border transfer of personal data.", "label": "contradiction", "scenario": "memo-bcx-midrand-onshore"}
{"clause": "POPIA cross-border transfers", "premise": "Engineering memo: the OCR vendor we're evaluating processes ID documents entirely on-prem inside our af-south-1 VPC — no data ever leaves the VPC.", "hypothesis": "The OCR vendor's architecture triggers a cross-border transfer.", "label": "contradiction", "scenario": "memo-onprem-ocr"}
{"clause": "POPIA general processing", "premise": "Sunday Times reports that Allan Gray has appointed an internal information officer and published a public PAIA/POPIA manual on its website.", "hypothesis": "Allan Gray has taken steps consistent with the accountability and openness conditions.", "label": "entailment", "scenario": "news-allan-gray-manual"}
{"clause": "POPIA general processing", "premise": "IOL writes that Standard Bank runs an annual POPIA-training e-learning module for all staff and tracks completion at 97%.", "hypothesis": "Standard Bank is taking steps to ensure compliance with the Chapter 3 conditions during processing.", "label": "entailment", "scenario": "news-sbsa-training"}
{"clause": "POPIA general processing", "premise": "I requested the Netcare information officer's name and contact details and received them within two days; the email also pointed me to their PAIA manual.", "hypothesis": "Netcare is meeting its openness obligation under the Chapter 3 conditions.", "label": "entailment", "scenario": "first-person-io-request"}
{"clause": "POPIA general processing", "premise": "Bank Zero's privacy page clearly lists each processing purpose, lawful basis, retention period, and my rights in plain English.", "hypothesis": "Bank Zero is satisfying the openness condition.", "label": "entailment", "scenario": "first-person-bank-zero-plain"}
{"clause": "POPIA general processing", "premise": "Internal memo 2026-02-01: we rolled out a new privacy-impact-assessment template that all product owners must complete before launch, signed off by the information officer.", "hypothesis": "The organisation is embedding accountability into its processing activities.", "label": "entailment", "scenario": "memo-pia-template"}
{"clause": "POPIA general processing", "premise": "Memo from the CISO: we have appointed a second deputy information officer to cover our Cape Town entity and filed the registration with the Regulator.", "hypothesis": "The responsible party is complying with the accountability obligations.", "label": "entailment", "scenario": "memo-deputy-io"}
{"clause": "POPIA general processing", "premise": "Ops memo: all new hires in the Payfast engineering team now complete a mandatory POPIA onboarding module in week one and sign a confidentiality acknowledgement.", "hypothesis": "Payfast is taking reasonable steps to ensure the Chapter 3 conditions are met during processing.", "label": "entailment", "scenario": "memo-onboarding-module"}
{"clause": "POPIA general processing", "premise": "News24 reports that Telkom processes customer data across several legacy and modern platforms.", "hypothesis": "Telkom's processing across these platforms complies with the Chapter 3 accountability condition.", "label": "neutral", "scenario": "news-telkom-multi-platform"}
{"clause": "POPIA general processing", "premise": "BusinessTech writes that a mid-sized SA insurer recently brought in a new Chief Privacy Officer.", "hypothesis": "The insurer's processing is now lawful and reasonable under §9.", "label": "neutral", "scenario": "news-insurer-new-cpo"}
{"clause": "POPIA general processing", "premise": "Sunday Times reports that a Cape Town fintech publishes quarterly transparency reports.", "hypothesis": "The fintech is meeting all eight conditions of Chapter 3.", "label": "neutral", "scenario": "news-fintech-transparency-report"}
{"clause": "POPIA general processing", "premise": "I signed up with a new online broker; the onboarding flow felt normal but I didn't read the privacy notice in detail.", "hypothesis": "The broker is processing my personal information lawfully and reasonably.", "label": "neutral", "scenario": "first-person-broker-onboarding"}
{"clause": "POPIA general processing", "premise": "Sprint retro: the team discussed whether our public feedback API might unintentionally capture PII if users submit it in the free-text field.", "hypothesis": "The API's processing currently infringes data subject privacy.", "label": "neutral", "scenario": "memo-feedback-api"}
{"clause": "POPIA general processing", "premise": "Incident ticket INC-2213: a partner vendor told us they 'have POPIA controls'; the audit is scheduled for Q3.", "hypothesis": "The vendor's controls meet the Chapter 3 security-safeguards and accountability conditions.", "label": "neutral", "scenario": "memo-vendor-unaudited"}
{"clause": "POPIA general processing", "premise": "Jira DATA-881: the data-engineering team is drafting a records-of-processing inventory; coverage is at 60% this sprint.", "hypothesis": "The organisation has a complete records-of-processing inventory for all its processing activities.", "label": "neutral", "scenario": "memo-ropa-in-progress"}
{"clause": "POPIA general processing", "premise": "Daily Maverick writes that a Johannesburg debt-collection firm has been buying lists of defaulters from an informal broker and calling them at 22:00 on Sundays.", "hypothesis": "The firm is processing personal information lawfully and in a manner that does not infringe data subject privacy.", "label": "contradiction", "scenario": "news-debt-collector-harass"}
{"clause": "POPIA general processing", "premise": "News24 confirmed that a Limpopo municipality has no designated information officer and its data practices have never been documented.", "hypothesis": "The municipality is complying with the accountability condition in Chapter 3.", "label": "contradiction", "scenario": "news-municipality-no-io"}
{"clause": "POPIA general processing", "premise": "BusinessTech reveals that Telkom's legacy post-paid billing system still processes customer data without any documented purpose, retention or lawfulness assessment.", "hypothesis": "Telkom's legacy system is processed in accordance with all eight conditions of Chapter 3.", "label": "contradiction", "scenario": "news-telkom-legacy-billing"}
{"clause": "POPIA general processing", "premise": "I watched a debt-review agent for a small SA lender put my full name, ID, and balance on a whiteboard in an open-plan office.", "hypothesis": "The lender is processing my information in a reasonable manner that does not infringe my privacy.", "label": "contradiction", "scenario": "first-person-whiteboard"}
{"clause": "POPIA general processing", "premise": "The Home Affairs queue clerk was loudly calling out each applicant's ID number and reason for visit so the whole room could hear.", "hypothesis": "Home Affairs was processing personal information in a manner that respects data subject privacy.", "label": "contradiction", "scenario": "first-person-ha-call-out"}
{"clause": "POPIA general processing", "premise": "RCA INC-4401: the marketing team launched a segmentation campaign using unstructured personal data extracted from support tickets, without informing the information officer and outside the approved purpose.", "hypothesis": "Processing was conducted in accordance with the organisation's accountability framework and purpose specification.", "label": "contradiction", "scenario": "memo-shadow-campaign"}
{"clause": "POPIA general processing", "premise": "RCA for INC-2234: an internal analyst ran exploratory queries against the production customer-events table for a personal research project, with no approved business purpose and outside her authorised scope.", "hypothesis": "The processing was lawful and within the accountability framework under Chapter 3.", "label": "contradiction", "scenario": "memo-unauth-exploration"}
{"clause": "POPIA data subject rights", "premise": "News24 reports that Nedbank responded to a data-subject access request within the prescribed 30-day window, providing a full record description and a list of third parties who had accessed the customer's data.", "hypothesis": "Nedbank has honoured the data subject's §23 access right.", "label": "entailment", "scenario": "news-nedbank-access"}
{"clause": "POPIA data subject rights", "premise": "Daily Maverick confirmed that after a reader requested deletion of her profile, Takealot purged her account data within 14 days and sent a written confirmation of the destruction.", "hypothesis": "Takealot has honoured the data subject's right to request destruction under §24.", "label": "entailment", "scenario": "news-takealot-deletion"}
{"clause": "POPIA data subject rights", "premise": "BusinessTech writes that FNB's 'My Data' self-service page lets customers see what personal data the bank holds, download it, and request corrections — all online.", "hypothesis": "FNB has enabled the §23 access and §24 correction rights.", "label": "entailment", "scenario": "news-fnb-self-service"}
{"clause": "POPIA data subject rights", "premise": "I emailed the Old Mutual information officer on 3 March and on 30 March received a written confirmation that they hold my policy, a full record description, and a list of third parties that had accessed it.", "hypothesis": "Old Mutual has honoured the data subject's §23 access right within a reasonable time.", "label": "entailment", "scenario": "first-person-old-mutual-access"}
{"clause": "POPIA data subject rights", "premise": "I asked Capitec to correct my date of birth on their system after I noticed it was wrong by one year; they did it the same week and sent me a confirmation letter.", "hypothesis": "Capitec has honoured the data subject's §24 correction right.", "label": "entailment", "scenario": "first-person-capitec-correction"}
{"clause": "POPIA data subject rights", "premise": "Jira ticket DSR-7781: a data subject asked us to correct their marital status on their Discovery Life profile; the agent made the change and confirmed with the customer in writing.", "hypothesis": "The change represents fulfilment of the §24 correction right.", "label": "entailment", "scenario": "memo-correction-ticket"}
{"clause": "POPIA data subject rights", "premise": "Internal memo 2026-03-30: the DSR workflow now auto-notifies third parties that received the data whenever a correction is made.", "hypothesis": "The workflow implements the §24 obligation to inform third parties of changes where decisions may be affected.", "label": "entailment", "scenario": "memo-third-party-notify"}
{"clause": "POPIA data subject rights", "premise": "Sunday Times reports that a major SA retailer received 1 400 data-subject requests last year.", "hypothesis": "The retailer responded to each of the 1 400 requests within the prescribed time.", "label": "neutral", "scenario": "news-retailer-1400-requests"}
{"clause": "POPIA data subject rights", "premise": "News24 writes that Discovery is rolling out a new self-service privacy portal in May 2026.", "hypothesis": "Discovery is currently satisfying the §23 access right for every data subject.", "label": "neutral", "scenario": "news-discovery-portal-may"}
{"clause": "POPIA data subject rights", "premise": "IOL reports that Santam's 2025 annual report mentions a 'compliance improvement programme' covering data-subject requests.", "hypothesis": "Santam currently honours the §24 correction right in every case.", "label": "neutral", "scenario": "news-santam-improvement-programme"}
{"clause": "POPIA data subject rights", "premise": "I submitted a correction request to my short-term insurer last Thursday and haven't heard back yet.", "hypothesis": "The insurer has failed to respond within the time required by §24.", "label": "neutral", "scenario": "first-person-correction-pending"}
{"clause": "POPIA data subject rights", "premise": "I asked a small online retailer whether they still have my details; they replied that the compliance team is looking into it.", "hypothesis": "The retailer is going to deliver a §23-compliant response.", "label": "neutral", "scenario": "first-person-retailer-looking-into-it"}
{"clause": "POPIA data subject rights", "premise": "Incident report INC-2213: a customer's deletion request was processed in production but the nightly backup tape from that week has not yet been purged; legal is assessing whether that still meets §24.", "hypothesis": "The organisation has fully complied with the §24 destruction right for this request.", "label": "neutral", "scenario": "memo-backup-not-purged"}
{"clause": "POPIA data subject rights", "premise": "Sprint note: we discussed how to prove identity for §23 access requests coming in by email; no decision has been locked in yet.", "hypothesis": "The organisation currently has a §23-compliant identity-verification mechanism in production.", "label": "neutral", "scenario": "memo-id-verification-pending"}
{"clause": "POPIA data subject rights", "premise": "Sunday Times reports that a Johannesburg clinic refused a patient's written request to correct her out-of-date home address on her file, saying 'that's an admin problem, not our problem'.", "hypothesis": "The clinic has honoured the §24 right to request correction.", "label": "contradiction", "scenario": "news-clinic-refuse-correction"}
{"clause": "POPIA data subject rights", "premise": "IOL reports that Santam insisted on charging a R2 500 'research fee' before it would confirm whether it held any information on a claimant who had submitted a §23 access request.", "hypothesis": "Santam is providing the §23 confirmation at no more than the prescribed fee.", "label": "contradiction", "scenario": "news-santam-fee"}
{"clause": "POPIA data subject rights", "premise": "I wrote to an online learning platform in February asking them to delete my old account records that I no longer need them to hold; four months later I'm still on their mailing list and they haven't responded.", "hypothesis": "The platform has honoured the data subject's request under §24.", "label": "contradiction", "scenario": "first-person-edtech-no-deletion"}
{"clause": "POPIA data subject rights", "premise": "A Takealot support agent told me over chat that they 'don't do' correction requests and I'd need to close my account and open a new one to fix my surname.", "hypothesis": "Takealot is facilitating the §24 correction right.", "label": "contradiction", "scenario": "first-person-takealot-refuses"}
{"clause": "POPIA data subject rights", "premise": "RCA INC-8812: the data-subject access portal was silently dropping requests with non-ASCII characters in the subject's name; 140 requests were never actioned over a 6-month period.", "hypothesis": "The organisation is honouring its §23 access-right obligations.", "label": "contradiction", "scenario": "memo-dsar-dropped"}
{"clause": "POPIA data subject rights", "premise": "Engineering ticket CS-6611: the deletion script we shipped last quarter was only soft-deleting records with a flag; the underlying PII rows remained in the database indefinitely, against the data subject's destruction request.", "hypothesis": "The deletion implementation is destroying records as requested.", "label": "contradiction", "scenario": "memo-soft-delete-only"}
{"clause": "POPIA data subject rights", "premise": "Jira DSR-9010: we responded to a §23 access request with a PDF dump of raw database rows with column names like 'cust_lvl_8_seg_cd', unreadable without our internal glossary.", "hypothesis": "The response is in an 'understandable form' as required by §23.", "label": "contradiction", "scenario": "memo-unreadable-dump"}