Protection of Data and Personal Information Policy
INTRODUCTION AND POLICY STATEMENT:
- The Protection of Personal Information Act No. 4 of 2013 (“POPI”) regulates the processing and storage of personal information data in South Africa. POPI was signed into law on 19 November 2013 and thereafter the President proclaimed 1 July 2020 to be the commencement date. The deadline for businesses to comply with POPI is 1 July 2021, on which date POPI will become legally enforceable.
- The Company does process and store personal information, relating to natural and juristic persons, in order to operate its business efficiently. In this regard the Company shall ensure that such personal information is processed, stored and disposed of in accordance with POPI.
- The Company regards the lawful and appropriate processing of all Personal Information as crucial to successful service delivery and essential to maintaining confidence between the Company and those individuals and entities who deal with it. The Company therefore fully endorses and adheres to the principles of POPI.
- This Protection of Data and Personal Information Policy declares the Company’s commitment to comply with POPI and further sets out how the Company uses and protects the personal information of its Data Subjects. It describes the manner in which the Company will meet its legal obligations and requirements concerning confidentiality and information security standards. The requirements within the Policy are primarily based upon POPI, as that is the key piece of legislation covering security and confidentiality of personal information.
DEFINITIONS AND INTERPRETATION:
In this Protection of Data and Personal Information Policy –
- Headings are for convenience and reference only and shall not be used in the interpretation thereof;
- Any gender includes the other genders and a natural person includes a juristic person and vice versa;
- Unless the context otherwise requires –
- “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
- “Company” means Grapevine Creative Media (Pty) Ltd (registration number: 2019/537174/07), a company registered and incorporated in accordance with the laws of the Republic of South Africa;
- “Data Subject” means the natural or juristic person to whom the personal information relates;
- “Data Protection Laws” means any statutes, laws, secondary legislation or regulations or binding policy of any government authority that relates to the security and protection of personally identifiable information, data privacy, trans-border data flow or data protection in force from time to time in the Republic of South Africa, including but not limited to POPI and/or any equivalent or analogous legislation of the jurisdiction(s) where the Services are being provided or where information is being Processed;
- “Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
- promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or
- requesting the Data Subject to make a donation of any kind for any reason;
- “De-identify”, in relation to personal information of a Data Subject, means to delete any information that –
- identifies the Data Subject;
- can be used or manipulated by a reasonably foreseeable method to identify the Data Subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the Data Subject;
and “de-identified” has a corresponding meaning;
- “Information Officer” means the person appointed by the Company, from time to time, who is responsible for monitoring the Company’s compliance with the conditions for the lawful processing of Personal Information; dealing with requests made to the Company in terms of POPI; working with the Regulator in relation to investigations conducted in relation to prior authorisation by the Data Subject; and ensuring compliance by the Company with the provisions of POPI;
- “Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
- “Person” means a natural person or a juristic person;
- “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
- “POPI” means the Protection of Personal Information Act No. 4 of 2013;
- “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
- “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
RELEVANT SECTIONS OF POPI REGULATING THE PROCESSING OF PERSONAL INFORMATION:
- Section 9 of POPI provides that Personal Information must be processed lawfully and in a reasonable manner that does not infringe the privacy of a Data Subject.
- Section 10 of POPI provides that Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
- Section 11 of POPI sets out the instances in which Personal Information may be processed, namely:
“(a) the Data Subject or a competent person where the Data Subject is a child consents to the processing;
(b) processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party;
(c) processing complies with an obligation imposed by law on the responsible party;
(d) processing protects a legitimate interest of the Data Subject;
(e) processing is necessary for the proper performance of a public law duty by a public body; or
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”
- Section 12(1) of POPI provides that Personal Information must be collected directly from the Data Subject, subject to the exceptions set out in section 12(2), which stipulates:
“It is not necessary to comply with subsection (1) if –
(a) the information is contained in or derived from a public record or has deliberately been made public by the Data Subject;
(b) the Data Subject or a competent person where the Data Subject is a child has consented to the collection of the information from another source;
(c) collection of the information from another source would not prejudice a legitimate interest of the Data Subject;
(d) collection of the information from another source is necessary –
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);
(iii) for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
(iv) in the interests of national security; or
(v) to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;
(e) compliance would prejudice a lawful purpose of the collection; or
(f) compliance is not reasonably practicable in the circumstances of the particular case.”
- Section 14(1) of POPI, subject to sections 14(2) and 14(3), provides that records of Personal Information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless –
“(a) retention of the record is required by or authorised by law;
(b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
(c) retention of the record is required by a contract between the parties thereto; or
(d) the Data Subject or a competent person where the Data Subject is a child has consented to the retention of the record.”
- Section 14(2) of POPI does allow the Company to retain records of Personal Information for periods in excess of those contemplated in section 14(1) for historical, statistical or research purposes if the Company has established the appropriate safeguards against the records being used for any other purposes.
- Section 14(3) of POPI provides that if the Company has used a record of Personal Information for a Data Subject to make a decision about the Data Subject, the Company must:
“(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or
(b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the Data Subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.”
- Section 14(4) of POPI requires the Company to destroy or delete a record of Personal Information for Data Subjects as soon as reasonably possible after the Company is no longer authorised to retain the record in terms of sections 14(1) and 14(2) of POPI.
- Section 16 of POPI requires the Company to take reasonable practical steps to ensure that any Personal Information collected on Data Subjects, including background checks or employment references, is complete, accurate and not misleading.
- Section 26 of POPI prohibits the Company, subject to section 27, from processing Personal Information on Data Subjects concerning:
“(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
(b) the criminal behaviour of a Data Subject to the extent that such information relates to:
(i) the alleged commission by a Data Subject of any offence; or
(ii) any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings.”
- Section 27(1) of POPI provides that the prohibition on processing Personal Information of Data Subjects, as referred to in section 26, does not apply if the:
“(a) processing is carried out with the consent of a Data Subject referred to in section 26;
(b) processing is necessary for the establishment, exercise or defence of a right or obligation in law;
(c) processing is necessary to comply with an obligation of international public law;
(d) processing is for historical, statistical or research purposes to the extent that:
(i) the purpose serves a public interest and the processing is necessary for the purpose concerned; or
(ii) it appears to be impossible or would involve a disproportionate effort to ask for consent,
and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent;
(e) information has deliberately been made public by the Data Subject; or
(f) the provisions of sections 28 to 33 are, as the case may be, complied with.”
PROCESSING OF PERSONAL INFORMATION:
- Personal Information of Data Subjects processed and stored by the Company:
- in the ordinary course of business includes, but is not limited to:
- customer’s name, identity number, registration number, VAT number, tax number, physical address, postal address, contact person, telephone number, fax number, mobile number, email address, and contact person and email for accounts;
- hosting customer servers and backups on Company infrastructure, and customer email archiving and storage;
- where applicable, screening visitors through CCTV footage and completing the attendance register for Covid and security purposes, to ensure that only authorised persons enter the premises of the Company;
- monitoring and analysing trends, usage and activities in connection with the Company’s products and services, to understand which parts of the Company’s digital platforms and services are of the most interest and to improve the design and content of those platforms;
- ensuring that the Company has up-to-date contact information for the Data Subject, where applicable;
- complying with applicable laws, ordinances and regulations; and
- complying with demands or requests made by Regulators, Governments, courts and law enforcement authorities;
- in respect of customers paying for services by way of debit order includes, but is not limited to:
- bank name, branch name, branch code, account number, account type, account name and preferred day of the month to debit;
- in respect of employees and applicants includes, but is not limited to:
- name, surname, identity number, gender, marital status, colour, race, age, education information, financial information, employment history, physical address, postal address, contact details, mobile number, risk assessments, credit checks, qualification checks and verifications, and employment checks and verifications;
- in respect of contracted service providers includes, but is not limited to:
- contractor’s name, identity number, registration number, VAT number, physical address, postal address, contact person, telephone number, fax number, mobile number, email address, and contact person and email for accounts;
- electronic communications sent to the Company.
HOW DATA SUBJECTS’ PERSONAL INFORMATION WILL BE USED:
- Personal Information of Data Subjects will only be used for the purposes for which it was collected and for no other purpose, save with the consent of the Data Subject.
- The Company uses the Personal Information under its care in the following ways:
- Conducting credit reference checks and assessments;
- Administration of agreements;
- Providing products and services to customers;
- Discounting and asset funding purposes;
- Detecting and preventing fraud, crime, money laundering and other malpractice;
- Conducting market or customer satisfaction research;
- Marketing and sales;
- In connection with legal proceedings;
- Staff administration;
- Keeping of accounts and records;
- Complying with legal and regulatory requirements;
- Profiling Data Subjects for the purposes of direct marketing.
SAFEGUARDING AND STORING OF PERSONAL INFORMATION:
- The Company will keep its Data Subjects’ Personal Information that it processes secure and confidential and it will maintain the integrity and confidentiality of the Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures in line with international best practice to prevent the loss of, damage to, unauthorised destruction of or unlawful access to the Personal Information.
- The Company employs up-to-date technology to ensure the confidentiality, integrity and availability of the Personal Information under its care. Measures put in place include, but are not limited to:
- Virus protection software and update protocols;
- Physical access control;
- Secure setup of hardware and software making up the IT infrastructure;
- Data encrypted, compressed, indexed and stored.
- The Company may share the Personal Information with its agents, affiliates, and associated companies who may use this information to send the Data Subject information on products and services. The Company may supply the Personal Information to any party to whom the Company may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:
- Capturing and organising of data;
- Storing of data;
- Sending of emails and other correspondence to customers;
- Conducting due diligence checks;
- Professional advisors, auditors and business partners;
- Administration of the Medical Aid and Pension Schemes.
- The Company will notify its Data Subjects in writing in the event of a security breach (or a reasonable belief of a security breach) in respect of their Personal Information. The Company will provide such notification as soon as reasonably possible after it has become aware of any security breach of the Data Subjects’ Personal Information and, immediately upon notifying them, will take all necessary and reasonable steps to prevent the continuation of the compromise, to prevent the repetition of a similar compromise, and to mitigate the extent of the loss occasioned by the compromise of the Personal Information.
- Personal Information of its Data Subjects will be stored on site and/or uploaded to a secure server and/or uploaded to the Cloud.
RETENTION OF DATA SUBJECTS’ PERSONAL INFORMATION:
- The Company will process its Data Subjects’ Personal Information for as long as necessary to fulfil the purposes for which that Personal Information was collected and/or as permitted or as required by applicable law.
- The Company may retain its Data Subjects’ Personal Information for longer periods for statistical, historical or research purposes, and should this occur, the Company will ensure that the appropriate safeguards have been put in place to ensure that all recorded Personal Information will continue to be processed in accordance with POPI.
- Once the purpose for which the Data Subjects’ Personal Information was initially collected and processed no longer applies or becomes obsolete, the Company will ensure that it is deleted, destroyed or de-identified so that a third party cannot re-identify such Personal Information.
PROVIDING PERSONAL INFORMATION TO THIRD PARTIES:
- The Company may disclose its Data Subjects’ Personal Information to third-party service providers provided that the relevant consent has been acquired from its Data Subjects and provided that the Company enters into agreements with such third-party service providers to ensure that they process all Personal Information in accordance with the provisions of POPI and only to fulfil the purposes for which that Personal Information was collected.
- In addition, the Company will not send Personal Information to any jurisdiction outside of the Republic of South Africa without the prior written consent of its Data Subjects.
DATA SUBJECTS’ ACCESS TO PERSONAL INFORMATION:
- Data Subjects may, at any time, request access to their Personal Information held by the Company and request the correction or deletion of such Personal Information. Such request must be directed, on the prescribed form, to the Information Officer.
- Data Subjects may challenge the accuracy or completeness of their Personal Information in Company records. If the Data Subject successfully demonstrates that their Personal Information in Company records is inaccurate or incomplete, the Company will ensure that such Personal Information is amended or deleted as required by the Data Subject.
- The Company may refuse to grant access to a requested record that falls within a certain category. Grounds on which the Company may refuse access include, but are not limited to:
- Protecting Personal Information that the Company holds on a third party, who is a natural person (including a deceased person), from unreasonable disclosure;
- Protecting commercial information of the Company and/or information the Company holds on a third party, such as trade secrets, financial, commercial, scientific or technical information, that may harm the commercial or financial interests of the Company or third party;
- If disclosure of the record would result in a breach of duty of confidentiality owed to a third party in terms of an agreement;
- If disclosure of the record would endanger the life or physical safety of an individual;
- If disclosure of the record would prejudice or impair the security of property or means of transport;
- If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;
- If disclosure of the record would prejudice or impair the protection of the safety of the general public;
- The record is privileged from production in legal proceedings, unless the legal privilege has been waived;
- If disclosure of the record would put the Company at a disadvantage in contractual or other negotiations or prejudice the Company in commercial competition;
- The record is a computer programme; and
- The record contains information about research being carried out or about to be carried out on behalf of the Company or a third party.
REMEDIES AVAILABLE IF REQUEST FOR ACCESS TO PERSONAL INFORMATION IS REFUSED
- INTERNAL REMEDIES
- The Company does not have internal appeal procedures. As such, the decision made by the Information Officer pertaining to a request is final, and a requestor whose request is refused and who is not satisfied with the response provided by the Information Officer will have to exercise the external remedies at their disposal.
- EXTERNAL REMEDIES
- A requestor who is dissatisfied with the Information Officer’s refusal to disclose information may, within 30 days of notification of the decision, apply to a court for relief. Likewise, a third party dissatisfied with the Information Officer’s decision to grant a request for information may, within 30 days of notification of the decision, apply to a court for relief. For purposes of the Act, the courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status.
PLANS TO COMPLY WITH POPI IN TERMS OF PERSONAL INFORMATION PROCESSED AND BACKGROUND CHECKS PERFORMED ON DATA SUBJECTS:
- Every current Company customer will be required to sign an addendum to their service agreements, containing the relevant consent clauses required for the collection, use and storage of their Personal Information, or any other action so required, in terms of POPI;
- Each new Company customer will be required to sign a service agreement containing the relevant consent clauses required for the collection, use and storage of their Personal Information, or any other action so required, in terms of POPI;
- Every current Company employee will be required to sign an addendum to their employment contracts, containing the relevant consent clauses required for the collection, use and storage of their Personal Information, or any other action so required, in terms of POPI;
- Each new employee will be required to sign an employment contract containing the relevant consent clauses required for the collection, use and storage of their Personal Information, or any other action so required, in terms of POPI;
- Each new applicant for employment will be required to sign a consent form containing the relevant consent clauses required for the collection, use and storage of their Personal Information, or any other action so required, in terms of POPI;
- The Company will put in place agreements with its third-party service providers and/or suppliers to ensure there is a mutual understanding in regard to the protection of Personal Information. Third-party service providers and/or suppliers will be subjected to the same POPI regulations as the Company.
Accepted and adopted this 29th day of June 2021