Description of Chapter
1. INTRODUCTION
2. CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
3. THE PURPOSE OF THE PROCESSING OF PERSONAL INFORMATION
4. CATEGORIES OF DATA SUBJECTS AND THE PERSONAL INFORMATION RELATING THERETO
5. CATEGORIES OF RECIPIENTS OF PERSONAL INFORMATION
6. APPOINTMENT OF INFORMATION OFFICER AND DEPUTY INFORMATION OFFICERS
7. REGISTRATION AND CONTACT DETAILS OF CURRENT INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER
8. CROSS-BORDER FLOWS OF PERSONAL INFORMATION
9. DESCRIPTION OF INFORMATION SECURITY MEASURES
10. CONSENT TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
11. OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
12. REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION
13. APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PURPOSE OF DIRECT MARKETING
14. SECURITY BREACHES
15. COMPLAINTS REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION
16. OFFENCES AND PENALTIES
LIST OF APPENDICES
1. INTRODUCTION
1.1. The Protection of Personal Information Act (POPI) is intended to balance two competing interests. These are:
Our individual constitutional rights to privacy (which require our personal information to be protected); and
The needs of our society to have access to and to process (work with) our personal information for legitimate purposes, including the purpose of doing business.
1.2. This Compliance Manual sets out the framework for ROBB AND CARTER’s compliance with POPI.
1.3. Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
2. CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
2.1. Chapter 3 of POPI provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPI.
2.2. Below is a description of the eight Conditions for Lawful Processing as contained in POPI:
2.2.1. Accountability – the Responsible Party has an obligation to ensure that there is compliance with POPI in respect of the Processing of Personal Information.
2.2.2. Processing limitation – Personal Information must be collected directly from a Data Subject to the extent applicable; must only be processed with the consent of the Data Subject and must only be used for the purposes for which it was obtained.
2.2.3. Purpose specification – Personal Information must only be processed for the specific purpose for which it was obtained and must not be retained for any longer than it is needed to achieve such purpose.
2.2.4. Further processing limitation – further processing of Personal Information must be compatible with the initial purpose for which the information was collected.
2.2.5. Information quality – the Responsible Party must ensure that Personal Information held is accurate and updated regularly and that the integrity of the information is maintained by appropriate security measures.
2.2.6. Openness – there must be transparency between the Data Subject and the Responsible Party.
2.2.7. Security safeguards – a Responsible Party must take reasonable steps to ensure that adequate safeguards are in place to ensure that Personal Information is being processed responsibly and is not unlawfully accessed.
2.2.8. Data Subject participation – the Data Subject must be made aware that their information is being processed and must have provided their informed consent to such processing.
3. THE PURPOSE OF THE PROCESSING OF PERSONAL INFORMATION
3.1. As outlined above, Personal Information may only be Processed for a specific purpose.
3.2. The purposes for which ROBB AND CARTER Processes, or will Process, Personal Information are set out hereunder:
3.2.1. Administration.
3.2.2. Rendering services in accordance with contractual agreements concluded with customers.
3.2.3. Staff administration.
3.2.4. Compliance with Tax-related legislation.
3.2.5. Keeping accounts of records.
4. CATEGORIES OF DATA SUBJECTS AND THE PERSONAL INFORMATION RELATING THERETO
4.1. As per section 1 of POPI, a Data Subject may either be a natural or a juristic person.
4.2. The table hereunder sets out the various categories of Data Subjects that ROBB AND CARTER engages with and the types of Personal Information relating to each data subject:
| Entity Type | Personal Information Processed |
| --- | --- |
| Customers: Natural Persons | Names; contact details; physical and postal addresses; date of birth; ID number; tax related information; nationality; gender; confidential correspondence. |
| Customers: Juristic Persons / Entities | Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information. |
| Contracted Service Providers | Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information. |
| Employees / Directors | Gender; pregnancy; marital status; colour; race; age; language; education information; financial information; employment history; ID number; physical and postal address; contact details; opinions; criminal record; wellbeing. |
5. CATEGORIES OF RECIPIENTS OF PERSONAL INFORMATION
5.1. ROBB AND CARTER may disclose personal information to its service providers, vendors and suppliers who are involved in the delivery of products or services to it or in compliance with other legislative obligations.
5.2. Agreements have been put in place to ensure that all service providers, vendors and suppliers comply with the privacy and protection of personal information requirements as contained in the Act.
5.3. In order to ensure this protection, the Protection of Personal Information Agreement and Consent Declaration attached to this manual as APPENDIX C must be completed by each service provider, vendor or supplier and submitted to the Information Officer.
6. APPOINTMENT OF INFORMATION OFFICER AND DEPUTY INFORMATION OFFICERS
6.1. The responsibilities of the Information Officer are set out in section 55 of the Act and accompanying regulations.
6.2. The Information Officer and any Deputy Information Officer(s) are responsible for:
6.2.1. Encouraging compliance with the conditions of the lawful processing of personal information within the entity;
6.2.2. Dealing with any and all requests that are made to the entity with regards to the Act;
6.2.3. Working with the Information Regulator in relation to any investigations that are conducted in relation to the entity;
6.2.4. Ensuring that the entity complies with the provisions of the Act; and
6.2.5. Any other responsibility as may be prescribed by the Act.
6.3. It is obligatory in terms of the Act to register an Information Officer, and any Deputy Information Officers, with the Information Regulator before they may take up their duties in terms of the Act.
6.4. The regulator has created an electronic platform in the form of an Information Officer Registration Portal on their website which may be accessed at the following link:
https://justice.gov.za/inforeg/portal.html
6.5. In order to register the Information Officer, and any Deputy Information Officers, the form attached to this manual as APPENDIX A must be completed and submitted to the Information Regulator using the Online Portal described above.
6.6. In the event that a new Information Officer, or a new Deputy Information Officer, is appointed, his or her name and contact details must be updated with the Information Regulator using the Online Portal described above.
7. REGISTRATION AND CONTACT DETAILS OF CURRENT INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER
7.1. In accordance with section 55(2) of POPI, the following individuals have been appointed to fulfil the duties of the Information Officer as contained in the Act:
7.1.1. Information Officer:
Name: ELAINE FABER
Position: Company Administrator
Email Address: robbcarter@global.co.za
Telephone: 011 955-1010 / 084 455 0419
7.1.2. Deputy Information Officers:
Name: REINART BERGH
Position: Factory Manager
Email Address: reinartb@mweb.co.za
Telephone: 073 221 0192
Name: ADOLF MARAIS
Position: Sales Engineer
Email Address: robbcarter3@global.co.za
Telephone: 082 400 9352
7.2. The Registration Certificate appointing Elaine Faber, Reinart Bergh and Dolf Marais as the Information Officer and as the Deputy Officers, respectively, is attached to this manual as
8. CROSS-BORDER FLOWS OF PERSONAL INFORMATION
8.1. Section 72 of POPI provides that Personal Information may only be transferred out of the Republic of South Africa by ROBB AND CARTER, if:
8.1.1. The data subject consents to this, or requests it; or
8.1.2. Such third party is subject to a law, binding corporate rules or a binding agreement which protects the personal information in a manner similar to POPI, and such third party is governed by similar rules which prohibit the onward transfer of the personal information to a third party in another country; or
8.1.3. The transfer of the personal information is required for the performance of the contract between ourselves and the client; or
8.1.4. The transfer is necessary for the conclusion or performance of a contract for the benefit of the client entered into between ourselves and the third party; or
8.1.5. The transfer of the personal information is for the benefit of the client and it is not reasonably possible to obtain their consent and that if it were possible the client would be likely to give such consent.
8.2. The company does not do any Cross-Border transfers of any Personal Information relating to employees, clients, companies, or the organisation in general.
9. DESCRIPTION OF INFORMATION SECURITY MEASURES
9.1. ROBB AND CARTER relies on up-to-date technology to ensure the confidentiality, integrity, and availability of the Personal Information under its care.
9.2. In order to secure the integrity and confidentiality of the personal information in our possession, and to protect it against loss, damage or unauthorised access, the following security safeguards will continue to be implemented:
9.2.1. The business premises where records are kept must remain protected by access control, burglar alarms and armed response.
9.2.2. Archived files must be stored behind locked doors and access control to these storage facilities must be implemented.
9.2.3. All the user terminals on the internal computer network and servers must be protected by passwords that are changed on a regular basis.
9.2.4. The email infrastructure must comply with industry standard security safeguards and meet the requirements of the General Data Protection Regulation (GDPR), the standard applicable in the European Union.
9.2.5. Vulnerability assessments must be carried out on the digital infrastructure on an annual basis to identify weaknesses in the systems and to ensure that there is adequate security in place.
9.2.6. An internationally recognised firewall must be used to protect the data on the local servers, and antivirus protection must be run at least every hour to ensure that the systems are kept updated. The security of this system must comply with the GDPR of the European Union.
9.2.7. The staff must be trained to carry out their duties in compliance with POPI, and this training must be ongoing.
9.2.8. Every employment contract must contain a term which creates the obligation to maintain full confidentiality in respect of all of ROBB AND CARTER’s clients’ personal information.
9.2.9. Employment contracts for staff whose duty it is to process a client’s personal information must include an obligation on the staff member (1) to maintain ROBB AND CARTER’s security measures, and (2) to notify their manager/supervisor immediately if there are reasonable grounds to believe that the personal information of a client has been accessed or acquired by any unauthorised person.
9.2.10. The processing of the personal information of ROBB AND CARTER’s employees must take place in accordance with the rules contained in the relevant Labour legislation.
9.2.11. The digital work profiles and privileges of staff who have left ROBB AND CARTER’s employ must be properly terminated.
9.2.12. The personal information of clients and employees must be destroyed timeously in a manner that de-identifies the person.
9.2.13. These security safeguards must be verified on a regular basis to ensure effective implementation, and these safeguards must be continually updated in response to new risks or deficiencies.
10. CONSENT TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
10.1. POPI defines consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
10.2. In compliance with the conditions for the lawful processing of personal information set out in Chapter 3 of POPI, each data subject will be asked to complete a Protection of Personal Information Agreement and Consent Declaration.
10.3. This consent form provides data subjects with information regarding how ROBB AND CARTER obtains, uses and discloses personal Information in accordance with the requirements of POPI and obtains the Data Subject’s consent to do so.
10.4. In order to ensure that the necessary consent is obtained in this way, the Protection of Personal Information Agreement and Consent Declaration attached to this manual as APPENDIX C must be completed by the Data Subject and submitted to the Information Officer.
11. OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
11.1. Section 11(3) of POPI and regulation 2 of the POPI Regulations provide that a Data Subject may, at any time, object to the Processing of his, her or its Personal Information in the prescribed form.
11.2. This is subject to the following exception contained in the Act:
11.2.1. A data subject may object, at any time, to the processing of personal information on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing.
11.3. Should a Data Subject seek to object to the processing of his/her/its Personal Information, the form attached to this manual as APPENDIX D must be completed by the Data Subject and submitted to the Information Officer.
12. REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION
12.1. Section 24 of POPI and regulation 3 of the POPI Regulations provide that a Data Subject may request, in the prescribed form, that their Personal Information be corrected or deleted.
12.2. Should a Data Subject seek to correct or delete his, her or its Personal Information, the form attached to this manual as APPENDIX E must be completed by the Data Subject and submitted to the Information Officer.
12.3. ROBB AND CARTER must notify the data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.
13. APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PURPOSE OF DIRECT MARKETING
13.1. Direct Marketing includes any communication by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail.
13.2. Section 69(2) provides that the processing of personal information of a data subject for the purpose of direct marketing is prohibited unless the data subject has given his, her or its consent to the processing.
13.3. Should ROBB AND CARTER wish to obtain a Data Subject’s consent to process his, her or its Personal Information for the purpose of Direct Marketing, the form attached to this manual as APPENDIX F must be completed by the Responsible Party and delivered to the Data Subject.
14. SECURITY BREACHES
14.1. Should it appear that the personal information of a client has been accessed or acquired by an unauthorised person, the Information Regulator and the relevant client/s must be notified, unless we are no longer able to identify the client/s. This notification must take place as soon as reasonably possible.
14.2. Such notification must be given to the Information Regulator first, as it is possible that they, or another public body, might require that the notification to the client/s be delayed.
14.3. The notification to the client must be communicated in writing in one of the following ways, with a view to ensuring that the notification reaches the client:
14.3.1. By mail to the client’s last known physical or postal address;
14.3.2. By email to the client’s last known email address; or
14.3.3. As directed by the Information Regulator.
14.4. This notification to the client must give sufficient information to enable the client to protect themselves against the potential consequences of the security breach, and must include:
14.4.1. A description of the possible consequences of the breach;
14.4.2. Details of the measures that ROBB AND CARTER intends to take or has taken to address the breach;
14.4.3. A recommendation of what the client could do to mitigate the adverse effects of the breach; and
14.4.4. If known, the identity of the person who may have accessed, or acquired the personal information.
15. COMPLAINTS REGARDING INTERFERENCE WITH THE PROTECTION OF PERSONAL INFORMATION
15.1. In terms of Section 74 of the Act, any person may submit a complaint to the Information Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject.
15.2. Should any person wish to lodge a complaint with the Information Regulator regarding an alleged interference with the personal information of a data subject by ROBB AND CARTER, the form attached to this manual as APPENDIX G must be completed and submitted to the Information Regulator.
16. OFFENCES AND PENALTIES
16.1. POPI provides for serious penalties for the contravention of its terms. For minor offences a guilty party can receive a fine or be imprisoned for up to 12 months. For serious offences the period of imprisonment rises to a maximum of 10 years. Administrative fines for ROBB AND CARTER can reach a maximum of R10 million.
16.2. Breaches of this Compliance Manual will also be viewed as a serious disciplinary offence.
16.3. It is therefore imperative that ROBB AND CARTER complies strictly with the terms of this Compliance Manual.
APPENDICES
Description of Appendix
A) APPOINTMENT OF INFORMATION OFFICER
B) CERTIFICATE APPOINTING INFORMATION OFFICER/DEPUTY INFORMATION OFFICER
C) CONSENT TO PROCESS PERSONAL INFO
D) OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION
E) REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION
F) APPLICATION FOR CONSENT FROM DATA SUBJECT TO PROCESS PERSONAL INFORMATION FOR THE PURPOSE OF DIRECT MARKETING
G) COMPLAINT REGARDING INTERFERENCE WITH PERSONAL INFORMATION