PROTECTION OF PERSONAL INFORMATION POLICY
INTRODUCTION
The company is obliged to comply with the Protection of Personal Information Act (No. 4 of 2013) (“POPI”) as well as the Promotion of Access to Information Act (No. 2 of 2000) (“PAIA”), given that it processes the personal information of its employees, suppliers, clients and other data subjects from time to time as well as that there may be requesters of information relating to the company and its operations.
The company guarantees its commitment to protecting data subject privacy as well as ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws. This is in line with the Constitutional provisions.
The provisions of this policy must be read along with the relevant practices and procedures that are used to operationalise the purpose hereof.
COLLECTION OF PERSONAL INFORMATION
The company collects stores and processes personal information pertaining to data subjects including its employees, suppliers, clients and other stakeholders. The type of information collected and processed will depend on the purpose for which it is collected and will be processed for that scope of application only. Whenever appropriate, the company will inform the data subject of the information required, the purpose thereof, the rights of participation and the other relevant provisions contained at law.
The company must indicate to the data subject the consequence of failing to provide such personal information. For example, the company may not be able to employ an individual without certain personal information relating to that individual or the company may not be in a position to render services to a client in the absence of certain information which is required.
Examples of the personal information the company collects includes, but is not limited to information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person :
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
COLLECTION OF CLIENT AND/ OR SUPPLIER INFORMATION
For purposes of this Policy, clients include potential, past and existing clients.
The company collects and processes its clients’ personal information, such as that mentioned hereunder. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Further examples of personal information collected from clients include, but is not limited to:
✓ The client’s identity number, name, surname, address, postal code
✓ The client’s residential and postal address
✓ Contact information
✓ Banking details
✓ Company registration number
✓ Full name of the legal entity
✓ Tax and/or VAT number
✓ Details of the person responsible for the client’s account
The company also collects and processes clients’ personal information for marketing purposes in order to ensure that our products and services remain relevant to our clients and potential clients.
Use of client and supplier information
The client’s personal information will only be used for the purpose for which it was collected and as agreed, if any such agreement is required at law. This may include, but not be limited to:
✓ Providing products and/ or services to clients
✓ In connection with sending accounts and communication in respect of services rendered
✓ Referral to other service providers
✓ Confirming, verifying and updating client details
✓ Conducting market or customer satisfaction research
✓ For audit and record keeping purposes
✓ In connection with legal proceedings
✓ In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.
The company acknowledges that personal information may only be processed if any of the conditions set out hereunder are met:
✓ Client consents to the processing
✓ The processing is necessary to attend to rights and obligations that are justifiable, including fulfilling contractual provisions
✓ The processing complies with an obligation imposed by law on the company
✓ Processing protects a legitimate interest of the party
✓ Processing is necessary for pursuing the legitimate interests of the company or of a third party to whom information is supplied.
DISCLOSURE OF PERSONAL INFORMATION
The Company may also disclose data subject’s information where there is a duty or a right to disclose in terms of applicable legislation, a contractual obligation, the law or where it may be necessary to protect the company’s rights.
SAFEGUARDING PERSONAL INFORMATION AND CONSENT
It is a requirement of POPI to adequately protect the personal information the company holds and to avoid unauthorised access and use of personal information.
The company shall review its technical and operational security controls and processes on a regular basis to ensure that personal information is secure.
The Company shall appoint an Information Officer who is responsible for the encouragement of compliance with the conditions of the lawful processing of personal information and other provisions of POPI and PAIA.
Information Officer details
Name: Carla van Reenen
Telephone number: 044 874 5014
Physical address: 99 Meade Street, George 6530
Email address: popi@blitsdruk.co.za
SECURITY BREACHES
Should the company detect a security breach on any of its systems that contain personal information, the company shall take the required steps to assess the nature and extent of the breach in order to ascertain if any information has been compromised.
The company shall activate its Incident Response Plan which includes the notification of the affected parties and the Information Regulator should it have reason to believe that personal information has been compromised. Such notification shall only be made where the company can identify the data subject to which the information relates. Where it is not possible it may be necessary to consider website publication and whatever else the Information Regulator prescribes.
Notification will be provided in writing by means of either:
✓ email
✓ registered mail
✓ place on our website.
The notification shall provide the following information where possible:
✓ description of possible consequences of the breach
✓ measures taken to address the breach
✓ recommendations to be taken by the data subject to mitigate adverse effects
✓ the identity of the party responsible for the breach.
In addition to the above, the company shall notify the Regulator of any breach and/or compromise to personal information in its possession and work closely with and comply with any recommendations issued by the Regulator.
The following provisions will apply in this regard –
o The Information Officer will be responsible for overseeing the investigation.
o The Information Officer will be responsible for reporting to the Information Regulator within 2 working days of a breach/ compromise to personal information.
o The Information Officer will be responsible for reporting to the Data Subject(s) within 2 working days of a breach/ compromise to personal information.
o The timeframes above are guidelines and depending on the merits of the situation may require earlier or later reporting.
ACCESS AND CORRECTION OF PERSONAL INFORMATION
Data subjects have the right to request access to any personal information that the company holds about them.
Data subjects have the right to request the Company to update, correct or delete their personal information on reasonable grounds. Such requests must be made to the company’s Information Officer (see details above) or to the Company’s head office (see details below) or submitted via the website “Information Officer Portal”.
Where an employee or client objects to the processing of their personal information, the Company may no longer process said personal information. The consequences of the failure to give consent to process the personal information must be set out before the employee or client confirms his/her objection.
The data subject must provide reasons for the objection to the processing of his/her personal information.
RETENTION OF RECORDS
The company shall ensure the safeguarding and protection of all personal information or data. The company is obligated to retain certain information as prescribed by law. This includes but is not limited to the following:
Regarding the Companies Act, No. 71 of 2008 and the Companies Amendment Act No 3 of 2011, hard copies of the documents mentioned below must be retained for 7 years:
✓ Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act
✓ Notice and minutes of all shareholders meetings, including resolutions adopted and documents made available to holders of securities
✓ Copies of reports presented at the annual general meeting of the company
✓ Copies of annual financial statements required by the Act and copies of accounting records as required by the Act.
AMENDMENTS TO THIS POLICY
Amendments to this Policy will take place from time to time subject to the discretion of the Company and pursuant to any changes in the law. Such changes will be brought to the attention of employee’s clients where it affects them.
Processing limitation
Personal information must be processed
(a) lawfully; and
(b) in a reasonable manner that does not infringe the privacy of the data subject.
Purpose specification
PI is collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party.
Further processing limitation
Further processing of personal information must be compatible with the purpose for which it was collected and consider –
(a) the consequences of the intended further processing for the data subject
(b) the manner in which the information has been collected; and
(c) any contractual rights and obligations between the parties.