In terms of Section 51 of The Promotion of Access to Information
Act, No. 2 of 2000, (“PAIA”), and Section 18 of The Protection of
Personal Information Act, No. 4 of 2013, (“POPI”) compiled for:
with Registration Number 2017/332953/07
("the Private Body")
TABLE OF CONTENTS | |
---|---|
1. | INTRODUCTION |
2. | DEFINITIONS AND INTERPRETATION |
3. | CONTACT DETAILS OF THE PRIVATE BODY – Section 51(1)(a)(i) of PAIA and section 18(1)(b) of the POPI Act |
PART A: PROMOTION OF ACCESS TO INFORMATION | |
---|---|
4. | GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA – Section 51(1)(b)(i) |
5. | RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI – Section 51(1)(b)(iii) of PAIA |
6. | DESCRIPTION OF SUBJECTS AND CATEGORIES OF RECORDS – Section 51(1)(b)(iv) of PAIA |
7. | FORM OF REQUEST FOR RECORDS |
8. | FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA |
PART B: PROTECTION OF PERSONAL INFORMATION | |
---|---|
9. | PROTECTION OF PERSONAL INFORMATION - Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act |
10. | TRANSBORDER FLOWS OF PERSONAL INFORMATION – Section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act |
11. | SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(v) of PAIA |
12. | UPDATES TO THE MANUAL – Section 51(2) |
1. | INTRODUCTION |
---|
1.1 This Information Manual is published in terms of section 51 of the Promotion of Access to
Information Act, No. 2 of 2000 (“PAIA”), as amended by the Protection of Personal Information
Act, No. 4 of 2013, (“POPI Act”) as well as section 18 of the POPI Act.
1.2 PAIA gives effect to the provisions of Section 32 of the Constitution, which provides for the right
of access to information held by the State and to information held by another person that is
required for the exercise and/or protection of any right.
1.3 The POPI Act gives effect to the provisions of, inter alia, Section 14 of the Constitution, which
provides for the right to privacy of all persons.
1.4 The information provided in this manual includes:
1.4.1 contact details of the Head, as defined in PAIA, of the Private Body;
1.4.2 a description of the guide referred to in section 10 of PAIA, (which is a guide which
was produced by the Human Rights Commission and after 1 July 2021 shall be made
available and amended, from time to time, by the Information Regulator defined in
POPI) dealing with access to information;
1.4.3 a description of the records of the Private Body which are available in terms of any
legislation other than the PAIA;
1.4.4 a description of the subjects on which the Private Body holds records and the
categories of records held on each subject;
1.4.5 a description of the subjects on which the Private Body holds personal information
and the categories of personal information held on each subject;
1.4.6 the purpose of processing personal information;
1.4.7 the recipients to whom the personal information may be supplied;
1.4.8 planned transborder flows of information (if applicable);
1.4.9 a general description of the security measures in place to ensure the confidentiality,
integrity, and availability of the information to be processed;
1.4.10 sufficient information so as to facilitate a request for access to a record of the Private
Body;
1.4.11 a privacy and POPIA policy.
1.5 The reference to any information in addition to that specifically required in terms of section 51
of PAIA and section 18 of the POPI Act does not create any right or entitlement (contractual or
otherwise) to receive such information, other than in terms of PAIA and the POPI Act.
1.6 The main aim of this manual is to:
1.6.1 disclose the types of records held by the Private Body and to facilitate the requests
for access to records of the Private Body, as permitted by PAIA (dealt with in Part A
hereof);
1.6.2 make data subjects aware of the type and source of information being collected, the
purpose of collecting and processing such information and related matters (dealt with
in Part B hereof).
This manual may be updated from time to time and shall be made available on the Private Body’s
website and/or at its principal place of business, to any person on request, subject to the
payment of a reasonable fee and to the Information Regulator.
2. | DEFINITIONS AND INTERPRETATION |
---|
2.1 In this document, clause headings are for convenience and shall not be used in its interpretation
unless the context clearly indicates a contrary intention:
2.2 An expression which denotes -
2.2.1 any gender includes the other genders;
2.2.2 a natural person includes an artificial or juristic person and vice versa;
2.2.3 the singular includes the plural and vice versa;
2.3 The following expressions shall bear the meanings assigned to them below and similar
expressions bear corresponding meanings:
2.3.1 "data subject" means the person to whom personal information relates;
2.3.2 "Personal Information" means information relating to an identifiable living, natural person,
and where it is applicable, an identifiable existing juristic person;
2.3.3 "this document" or "this manual" means this information manual, together with all of its
annexures, as amended from time to time;
2.3.4 "the Private Body" means the private body to which this manual applies with their details as
they appear on the front page of this manual;
2.3.5 "requester" means a person or entity requesting access to a record that is under the control
of the Private Body.
2.4 Any reference to any statute, regulation or other legislation shall be a reference to that statute,
regulation or other legislation as at the signature date, and as amended or substituted from time
to time;
2.5 If any provision in a definition is a substantive provision conferring a right or imposing an
obligation on any party then, notwithstanding that it is only in a definition, effect shall be given
to that provision as if it were a substantive provision in the body of this manual;
2.6 Where any term is defined within a particular clause other than this, that term shall bear the
meaning ascribed to it in that clause wherever it is used in this manual;
2.7 Where any number of days is to be calculated from a particular day, such number shall be
calculated as excluding such particular day and commencing on the next day. If the last day of
such number so calculated falls on a day which is not a business day, the last day shall be deemed
to be the next succeeding business day;
2.8 Any reference to days (other than a reference to business days), months or years shall be a
reference to calendar days, months or years, as the case may be or as is otherwise defined in
any legislation;
2.9 The use of the word "including" followed by a specific example/s shall not be construed as
limiting the meaning of the general wording preceding it and the eiusdem generis rule shall not
be applied in the interpretation of such general wording or such specific example/s;
2.10 Insofar as there is a conflict in the interpretation of or application of this manual and PAIA or the
POPI Act, PAIA or the POPI Act shall prevail;
2.11 This manual does not purport to be exhaustive of or comprehensively deal with every procedure
provided for in PAIA or all rights listed under the POPI Act. The reader relying on any provisions
of this Manual is advised to familiarise his/her/itself with the provisions of PAIA and the POPI
Act.
3. | CONTACT DETAILS OF HEAD OF THE PRIVATE BODY AND THE INFORMATION OFFICER – Section 51(1)(a)(i) of PAIA and section 18 (1)(b) of the POPI Act |
---|
3.1 Head and deputy Information Officer, (defined in POPIA), of the Private Body: Willem Haarhoff.
3.1.1 Postal Address of Head of the Private Body: 162 Mitchell Street, Bergsig, George, 6529.
3.1.2 Street Address of Head of the Private Body: 162 Mitchell Street, Bergsig, George, 6529.
3.1.3 Telephone Number of Head of the Private Body: 076 440 0832.
3.1.4 Email of Head of the Private Body: willem@doughgetters.co.za.
3.2 Information Officer, (defined in POPIA), of the Private Body: Michiel Heyns Claassen
3.2.1 Postal Address: 162 Mitchell Street, Bergsig, George, 6529.
3.2.2 Street Address: 162 Mitchell Street, Bergsig, George, 6529.
3.2.3 Telephone Number: 082 472 1527.
3.2.4 Email: michiel@doughgetters.co.za.
3.3 The Act stipulates the following general responsibilities of the Information Officer: (1)
encouraging compliance with POPIA, (2) dealing with requests made to the Private Body in relation
to POPIA (for instance, requests from Data Subjects to update or view their Personal
Information), (3) working with the Regulator in relation to investigations, (4) otherwise ensuring
compliance with POPIA, (5) as may be prescribed (i.e. keep an eye on the Regulator’s website).
3.4 Information Officers need to be registered with the Regulator before taking up their duties.
4. | GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA – Section 51(1)(b)(i) of PAIA |
---|
4.2 The contact details of the HRC are as follows:
4.2.1 Postal address: Private Bag 2700, Houghton, 2041
4.2.2 Telephone: +27 11 484 8300
4.2.3 Telefax: +27 11 484 0582
4.2.4 Website: www.sahrc.org.za
4.2.5 Email: paia@sahrc.org.za
4.3 The guide is also available electronically at
https://www.sahrc.org.za/home/21/files/Section%2010%20guide%202014.pdf
4.4 With effect from 1 July 2021, the Information Regulator (“IR”) must update and make available
the existing guide that had previously been compiled by the HRC, containing information in an
easily comprehensible form and manner as may reasonably be required by a person who wishes
to exercise any right contemplated in PAIA and POPI.
4.5 The contact details of the IR are as follows:
4.5.1 Physical address: Braampark, Forum 3, 33 Hoof Street, Braampark, Johannesburg, 2017
4.5.2 Postal Address: P.O Box, 31533
4.5.3 Telephone: +27 10 023 5200
4.5.4 Telefax: +27 86 500 3351
4.5.5 Website: www.justice.gov.za/inforeg/contact.html
4.5.6 Email: inforeg@justice.gov.za.
5. | RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI – Section 51(1)(b)(iii) of PAIA |
---|
5.1 Some of the records held by the Private Body are available in terms of legislation other than PAIA
or POPI, which legislation is listed below. Records that must be made available in terms of these
Acts shall be made available in terms of the requirements of PAIA and this manual. That
legislation includes:
5.1.1 The Companies Act, No. 71 of 2008
5.1.2 Income Tax Act, No. 58 of 1962
5.1.3 Value Added Tax Act, No. 89 of 1991
5.1.4 Labour Relations Act, No. 66 of 1995
5.1.5 Basic Conditions of Employment Act, No. 75 of 1997
5.1.6 Skills Development Levies Act, No. 9 of 1999
5.1.7 Unemployment Insurance Act, No. 63 of 2001
5.1.8 Any other industry-applicable legislation.
6. | DESCRIPTION OF SUBJECTS AND CATEGORIES OF RECORDS – Section 51(1)(b)(iv) of PAIA |
---|
6.1 The Private Body holds various records. The subjects on which the Private Body holds records
and the categories of records held by the Private Body are reproduced in the tables below.
6.2 The listing of a category or subject matter in this manual does not guarantee access to such
records. All requests for access will be evaluated on a case-by-case basis in accordance with the
provisions of PAIA and other applicable legislation. A request for records shall be made in the
prescribed form set out later in this manual under the heading “FORM OF REQUEST FOR RECORDS”.
RECORD SUBJECTS: INTERNAL ADMINISTRATION, COMPLIANCE AND MANAGEMENT |
---|
Categories of records held: |
Records of the owners of the Private Body |
Records and minutes of the meetings of the owners and/or managers of the Private Body |
Resolutions of the owners and/or managers of the Private Body |
Agreements dealing with the internal arrangements between the owners and/or managers of the Private Body |
Records relating to the creation and/or registration of the Private Body |
Legislative compliance |
Regulatory reports |
RECORD SUBJECTS: HUMAN RESOURCES |
---|
Categories of records held: |
Any personal records provided to the Private Body by their employees |
List of employees |
Conditions of employment and other employee-related contractual and quasi-legal records |
Pension and provident fund records |
Health and Safety records |
Internal evaluation records |
All internal policies applicable and accessible to the employees |
RECORD SUBJECTS: FINANCE |
---|
Categories of records held: |
Financial statements and other accounting records |
Accounting reports |
Taxation records |
Debtors and creditors records |
Insurance records |
Banking statements |
RECORD SUBJECTS: CLIENT RECORDS |
---|
Categories of records held: |
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body |
Contractual information |
Client needs assessments |
Personal records of clients |
Any records a third party has provided to the Private Body about clients |
Confidential, privileged, contractual and quasi-legal records of clients |
Client evaluation records |
Client profiling |
Client account numbers |
Any records a third party has provided to the Private Body either directly or indirectly |
Records generated by or within the Private Body pertaining to clients, including transactional records |
RECORD SUBJECTS: SERVICE PROVIDERS, SUPPLIERS AND THIRD PARTIES |
---|
Categories of records held: |
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body |
Lists of service providers and suppliers |
Service providers’ and suppliers’ terms and conditions |
Records kept in respect of other third parties, including without limitation joint venture partners, which includes records, falling within the subjects contemplated in this part of the manual, which can be said to belong to the Private Body but which are held by such third party |
RECORD SUBJECTS: ASSETS |
---|
Categories of records held: |
Register of assets (movable or immovable) |
Insurance records relating to the assets |
Register of intellectual property owned by the Private Body |
RECORD SUBJECTS: OTHER RECORDS |
---|
Categories of records held: |
Information relating to the Private Body’s own commercial activities |
Research information belonging to the Private Body, whether carried out itself or commissioned from a third party |
Information technology including information systems, network security, software licenses, technology asset |
Support services |
Internal communication |
7. | FORM OF REQUEST FOR RECORDS |
---|
7.1 A request for records shall be accompanied by adequate proof of identity of the applicant, (such
as a certified copy of his/her identity document), and made using the prescribed form, a copy of
which is attached hereto and marked annexure "A" ("the prescribed form"). The prescribed form
is also available from the website of the Human Rights Commission at https://www.sahrc.org.za,
or the website of the Department of Justice and Constitutional Development at
https://www.doj.gov.za and as may be advised by the Information Regulator on or after 1 July
2021.
7.2 The prescribed form shall be submitted to the Private Body Head named in clause 3 hereof.
7.3 The above procedure shall apply if the requester is requesting information for personal use
and/or on behalf of another person, even if such other person is a permanent employee of the
Private Body.
7.4 The Head of the Private Body shall as soon as reasonably possible, and within 30 (thirty) days
after the request has been received, decide whether or not to grant such request.
7.5 The requester will be notified of the decision of the Head of the Private Body or the General
Manager in the manner indicated by the requester.
7.6 After access is granted, actual access to the record requested will be given as soon as reasonably
possible.
7.7 If the request for access is refused, the Head of the Private Body or the General Manager shall
advise the requester in writing of the refusal. The notice of refusal shall state:
7.7.1 adequate reasons for the refusal; and
7.7.2 that the requester may lodge an appeal with a court of competent jurisdiction against
the refusal of the request (including the period) for lodging such an appeal.
7.8 If the Head of the Private Body or the General Manager fails to respond within 30 (thirty) days
after a request has been received, it is deemed, in terms of section 58 read together with section
56(1) of PAIA, that the Head of the Private Body or the General Manager has refused the request.
8. | FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA |
---|
8.1 The following applies to requests (other than personal requests):
8.1.1 A requestor is required to pay the prescribed fees (R50.00) before a request will be
processed;
8.1.2 If the preparation of the record requested requires more than the prescribed 6 (six)
hours, a deposit shall be paid (of not more than one third of the access fee which
would be payable if the request were granted);
8.1.3 A requestor may lodge an application with a court against the tender/payment of the
request fee and/or deposit;
8.2 Records may be withheld until the fees have been paid.
8.3 The fee structure shall be available by way of regulations published from time to time.
8.4 In addition to the request fee, the following reproduction fees are prescribed by the Minister in
respect of private bodies such as the Private Body:
DESCRIPTION: | FEE: |
---|---|
For every photocopy of an A4-size page or part thereof: | R1.10 |
For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form: | R0.75 |
For a copy in a computer-readable form on compact disc: | R70 |
(i) For a transcription of visual images, for an A4-size page or part thereof: | R20 |
(ii) For a copy of visual images: | R60 |
(iii) For transcription of an audio record, for an A4-size page or part thereof: | R20 |
(iv) For a copy of an audio record: | R30 |
To search for the record for disclosure: | R30 for each hour or part of an hour reasonably required for such search. |
8.5 The request fee payable by a requester, other than a personal requester, referred to in
regulation 11(2) is R50,00.
8.6 For purposes of section 54(2) of the Act, the following applies:
8.6.1 Six hours as the hours to be exceeded before a deposit is payable; and
8.6.2 one third of the access fee is payable as a deposit by the requester.
8.7 The actual postage is payable when a copy of a record must be posted to a requester.
9. | PROTECTION OF PERSONAL INFORMATION (POPIA POLICY) – Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act |
---|
INTRODUCTION
9.1 In South Africa, the right to privacy is protected in terms of the common law and section 14 of
the 1996 Constitution. As with all rights in the Bill of Rights, none are absolute, and can be limited
in terms of laws of general application. While the Constitution provides for, among other rights,
the right to privacy, the extent of the right to privacy may be limited by application of laws such
as the Promotion of Access to Information Act, 2 of 2000 and the Regulation of Interception of
Communications and Provision of Communication-related Information Act, 70 of 2002 (RICA).
9.2 POPI requires all South African organisations which handle personal information, to comply with
several important principles regarding privacy, disclosure, and trans-border flows of personal
information to other countries. POPI places responsibilities on the Private Body to process
personal information that it holds, in a fair and proper manner. The processing of such
information includes the collection, organising, storage, disclosure, transmission and use of
personal information.
9.3 The Private Body processes certain personal information, as defined in the POPI Act, (“Personal
Information”) relating to several data subjects, from time to time. A data subject is the person,
(natural or juristic), to whom Personal Information relates and from whom the Private Body
collects and processes information.
9.4 A description of the data subjects, (individuals and juristic persons), the information relating
thereto, the purpose of processing that information and the recipients of that Personal
Information is reproduced in the tables below.
DATA SUBJECTS AND PURPOSE FOR PROCESSING PERSONAL INFORMATION:
DATA SUBJECTS: EMPLOYEES |
---|
Personal Information processed: | Source of the Personal Information | Is the supply of Personal Information mandatory or voluntary?: |
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person | Information provided by employee or candidate | Voluntary |
For a copy in a computer-readable form on compact disc: | Information provided by employee or candidate | Mandatory |
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person | Information provided by employee or candidate | Mandatory |
Will any of the Personal Information be transferred to another country or international organisation? |
No |
Purpose of processing Personal Information: |
To assess candidates for employment, to comply with legislative obligations in respect of employees, to load employee onto payroll and remunerate them |
Recipient or categories of recipients to whom the Personal Information is supplied: |
Human resources, management |
The consequences of failure to provide information: |
Inability to assess candidates for employment, inability to comply with legislative obligations in respect of employees, inability to load employee onto payroll and remunerate them. |
DATA SUBJECTS: CLIENTS/CUSTOMERS |
---|
Personal Information processed: | Source of the Personal Information | Is the supply of Personal Information mandatory or voluntary?: |
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person | Provided by client/customer | Voluntary |
Information relating to the education or the medical, financial, criminal or employment history of the person | Provided by client/customer | Mandatory |
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person | Provided by client/customer | Mandatory |
Will any of the Personal Information be transferred to another country or international organisation? |
No |
Purpose of processing Personal Information: |
To conduct needs assessment, to onboard client, to provide services to client, to invoice client. |
Recipient or categories of recipients to whom the Personal Information is supplied: |
Finance, management |
The consequences of failure to provide information: |
Inability to conduct needs assessment, inability to onboard client, inability to provide agreed services to client, inability to invoice client. |
DATA SUBJECTS: SUPPLIERS |
---|
Personal Information processed: | Source of the Personal Information | Is the supply of Personal Information mandatory or voluntary?: |
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person | Provided by suppliers | Voluntary |
Information relating to the education or the medical, financial, criminal or employment history of the person | Provided by suppliers | Mandatory |
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person | Provided by suppliers | Mandatory |
Will any of the Personal Information be transferred to another country or international organisation? |
No |
Purpose of processing Personal Information: |
To evaluate suppliers and their goods, to place orders for goods and settle supplier accounts. |
Recipient or categories of recipients to whom the Personal Information is supplied: |
Procurement, management |
The consequences of failure to provide information: |
Inability to evaluate suppliers and their goods, inability to place orders for goods and inability to settle supplier accounts. |
DATA SUBJECTS: SERVICE PROVIDERS |
---|
Personal Information processed: | Source of the Personal Information | Is the supply of Personal Information mandatory or voluntary?: |
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person | Provided by service providers | Voluntary |
Information relating to the education or the medical, financial, criminal or employment history of the person | Provided by service providers | Mandatory |
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person | Provided by service providers | Mandatory |
Will any of the Personal Information be transferred to another country or international organisation? |
No |
Purpose of processing Personal Information: |
To evaluate service providers and their services, to place orders for services and settle service provider accounts |
Recipient or categories of recipients to whom the Personal Information is supplied: |
Procurement, management |
The consequences of failure to provide information: |
Inability to evaluate service providers and their services, inability to place orders for services and inability to settle service provider accounts. |
DATA SUBJECTS: PROSPECTIVE CLIENTS |
---|
Personal Information processed: | Source of the Personal Information | Is the supply of Personal Information mandatory or voluntary?: |
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person | Provided by prospective client | Voluntary |
Information relating to the education or the medical, financial, criminal or employment history of the person | Provided by prospective client | Mandatory |
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person | Provided by prospective client | Mandatory |
Will any of the Personal Information be transferred to another country or international organisation? |
No |
Purpose of processing Personal Information: |
Market business, prepare proposals and quotations. |
Recipient or categories of recipients to whom the Personal Information is supplied: |
Marketing, management |
The consequences of failure to provide information: |
Inability to market business, inability to prepare proposals and quotations and limited business growth. |
9.5 The Private Body may collect and process the above data subjects’ Personal Information as
defined in POPI and set out in the tables above and otherwise. The type of information will also
depend on the nature of the relationship with the data subject and the purpose for which the
information is collected and used.
9.6 The purpose of collecting the information set out in the tables above is set out therein. Personal
Information will be processed for those purposes and other lawful purposes only, even though
not set out above.
9.7 Whenever possible, the Private Body will inform the relevant data subject what information they
are required to provide to the Private Body and what information is optional.
9.8 Where Personal Information is collected in terms of specific legislation, the Private Body will
inform the data subject in terms of which legislation that data is collected.
LAWFUL BASIS OF COLLECTING PERSONAL INFORMATION
9.9 The Private Body needs to adhere to POPIA and protect personal information efficiently by
adhering to the principles of POPIA governing the lawful basis of collecting personal information
such as:
9.9.1 Purpose Limitation - Personal data may only be used for the specific purpose for
which it has been initially collected. Subsequent use for other purposes must be
compatible with this primary purpose.
9.9.2 Proportionality - Processing of personal data may not be excessive in relation to the
objective pursued by the Private Body. Data may be collected only to the extent
required.
9.9.3 Direct Collection - Personal data must generally be collected directly from the data
subject.
9.9.4 Transparency - The data subject must be aware what personal data is processed for
which purpose and who is responsible for it.
9.9.5 Data Quality - Personal data must be collected correctly. Appropriate measures must
be taken so that irrelevant or incomplete data is corrected or deleted.
9.9.6 Security - Appropriate technical and organizational measures must be taken to protect
personal data against unauthorized access, accidental loss or destruction and other
forms of unlawful processing. Data may be accessible only by persons who have a
“need to know”.
9.9.7 Deletion - Personal Data that is no longer required must be deleted. The period of
time after which data is to be deleted shall be defined and the actual deletion
must be ensured. In line with the provisions of section 14(1)(d) of POPIA, our Data Subjects
hereby consent to the indefinite storage and retention of all Personal Information,
which shall be deleted on request, unless otherwise provided by Legislation.
PROCESSING OF PERSONAL INFORMATION
9.10 Personal Information may only be processed if certain conditions are met which are listed below:
9.10.1 The data subject consents to the processing – consent is obtained directly from the
data subject;
9.10.2 The Personal Information is subject to a contract concluded between the parties or
such information is in the public domain;
9.10.3 Processing complies with an obligation imposed by law;
9.10.4 Processing protects a legitimate interest of clients and employees so that the Private
Body can respond to their needs on a timeous basis and provide them with a beneficial
service;
9.10.5 Processing protects a legitimate interest of suppliers so that the Private Body can
provide them with business opportunities on a timeous basis and relevant
information;
9.10.6 Processing protects a legitimate interest of Employees to enable the Private Body to
provide them with the necessary services and protection.
9.11 We will not, without data subjects’ express consent, use their Personal Information for any
purpose, other than:
specifically:
9.11.1 as set out in the abovementioned tables;
generally:
9.11.2 in relation to the provision of any goods and services to a data subject;
9.11.3 to inform the data subject of new services or products or special offers (unless they
have opted out from receiving marketing material from us);
9.11.4 to improve our product and/or service selection and their experience; or
9.11.5 to disclose their Personal Information to any third party as set out below:
9.11.5.1 to our employees and/or third party service providers who assist us to
interact with data subjects, their personal and contact information
being essential in order to assist us to communicate with the data
subjects properly and efficiently and facilitate the provision of services;
9.11.5.2 to law enforcement, government officials, fraud detection agencies or
other third parties when we believe in good faith that the disclosure of
Personal Information is necessary to prevent physical harm or financial
loss, to report or support the investigation into suspected illegal
activity;
9.11.5.3 to our service providers (under contract with us) who help with parts of
our business operations (fraud prevention, marketing, technology
services etc.). However, these service providers may only use data
subjects’ information in connection with the services they perform for
us and not for their own benefit;
9.11.5.4 to any third-party seller for purposes of sending data subjects an invoice
for any goods purchased from such third-party seller, which disclosed
information will be limited to data subjects’ email addresses.
9.12 We are entitled to use or disclose data subjects’ Personal Information if such use or disclosure is
required to comply with any applicable law, subpoena, order of court or legal process served on
us, or to protect and defend our rights or property.
9.13 Data subjects’ privacy is important to us and we will therefore not sell, rent or provide their
Personal Information to unauthorised third parties for their independent use, without their
consent.
9.14 We will not process personal information:
9.14.1 concerning the religious or philosophical beliefs, race or ethnic origin, trade union
membership, political persuasion, health or sex life or biometric information of a
data subject; or
9.14.2 concerning the criminal behaviour of a data subject, except to the extent that such
information relates to (i) the alleged commission by a data subject of any offence; or (ii) any
proceedings in respect of any offence allegedly committed by a data subject or the
disposal of such proceedings.
9.15 In line with our obligations in terms of section 22 of the POPI Act, where there are reasonable
grounds to believe that Personal Information has been accessed or acquired by any unauthorised
person, we will notify the Information Regulator and the data subject, where possible, and follow
our procedures set out in our data breach policy.
9.16 When data subjects provide a rating or review of our services and/or goods, they consent to us
using that rating or review as we deem fit, including without limitation, on our website, in
newsletters or other marketing material. The name that will appear next to that rating or review
is their first name, as they would have provided. We will not display their surname, nor any of
their contact details, with a rating or review.
9.17 We will:
9.17.1 treat data subjects’ Personal Information as strictly confidential, save where we are
entitled to share it as set out in this section;
9.17.2 take appropriate technical and organisational measures to ensure that data subjects’
Personal Information is kept secure and is protected against unauthorised or
unlawful processing, accidental loss, destruction or damage, alteration, disclosure or
access;
9.17.3 provide data subjects with access to their Personal Information to view and/or
update personal details;
9.17.4 promptly notify data subjects if we become aware of any unauthorised use,
disclosure or processing of their Personal Information;
9.17.5 provide data subjects with reasonable evidence of our compliance with our
obligations under this section on reasonable notice and request; and
9.17.6 Information in our possession or control, save for that which we are legally obliged
to retain.
9.18 Given the nature of the information we retain, we will retain data subjects’ Personal Information
longer than the period for which it was originally needed, and in this regard our clients hereby
consent to such longer retention.
9.19 Whilst we will do all things reasonably necessary to protect data subjects’ rights of privacy, we
cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of
data subjects’ Personal Information, whilst in our possession, made by third parties who are not
subject to our direct control, unless such disclosure is because of our gross negligence.
9.20 In addition to the above, we may automatically gather non-personal information about Data
Subjects, such as the type of internet browser they use or the website from which they accessed
our website. We may also compile aggregated data based on their interactions with our site,
such as the products or services they express interest in. This information cannot be used to
identify them and is solely intended to help us improve the effectiveness of our website.
Occasionally, we may share this non-personal or aggregated data with third parties for purposes
related to our website.
9.21 Our website may use cookies from time to time, which are small text files stored on the Data
Subject’s computer by their browser. Cookies often contain a unique identifier, allowing us to
recognize their specific browser and improve their experience.
9.22 They help us remember users and simplify navigation. Data Subjects can disable cookies through
their browser settings or delete existing ones, but please note that some website features may
not function properly if cookies are turned off.
ACCESS AND CORRECTION OF PERSONAL INFORMATION
9.23 Data Subjects have the right to access the Personal Information the Private Body holds about
them.
9.24 Data subjects also have the right to request the Private Body to update, correct or delete their
Personal Information on reasonable grounds.
9.25 Once a data subject objects to the processing of their Personal Information, the Private Body
may no longer process that Personal Information.
9.26 Where a data subject objects to the processing of their Personal Information it may affect the
validity of any and all other agreements between the parties where such processing is a material
requirement in such agreements.
9.27 The Private Body will take all reasonable steps to confirm the data subject’s identity before
providing details of their Personal Information or making changes to their Personal Information.
9.28 Data subjects have the right to object to the processing of their Personal Information.
9.29 In the event a data subject requires confirmation regarding the existence of the Personal
Information processed by the Private Body or believes that the Personal Information processed
by the Private Body requires rectification, the data subject is entitled to utilise the processes and
procedures set out in section A of this manual to request access to the records of the Private
Body set out in section 18(1)(h)(iii).
COMPLAINTS
9.30 Whilst we will do all things reasonably necessary to protect data subjects’ rights of privacy, we
cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of
data subjects’ Personal Information, whilst in our possession, made by third parties who are not
subject to our direct control, unless such disclosure is as a result of our gross negligence.
9.31 Should a data subject believe that we have used their Personal Information contrary to this
Manual and the provisions of the POPI Act, the data subject should first attempt to resolve any
concerns with us. If the data subject is not satisfied, they have the right to lodge a complaint
with the Information Regulator (which address can be found herein below), established in terms
of the POPI Act.
The Information Regulator (South Africa)
SALU Building
316 Thabo Sehume Street
Pretoria
0004
10. | TRANSBORDER FLOWS OF PERSONAL INFORMATION – Section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act |
---|
10.1 The Private Body may from time to time need to transfer authorised Personal Information to
another country for storage purposes or for the rendering of services by a foreign third-party
service provider or otherwise. We will ensure that any person that we pass data subjects’
Personal Information to agrees to treat their information with the same level of protection as
we are obliged to in terms of section 72 of the POPI Act.
11. | SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(v) of PAIA |
---|
11.1 The security measures implemented by the Private Body to ensure the confidentiality, integrity
and availability of Personal Information, are listed and described below:
PHYSICAL SECURITY MEASURES: | CYBER SECURITY MEASURES: |
---|---|
Devices and user stations are password protected | Firewalls |
Virus protection | |
Password protection on devices is changed regularly | |
Data encryption | |
Systems and devices are automatically locked after certain periods of inactivity | |
Data is backed up | |
12. | UPDATES TO THE MANUAL – Section 51(2) |
---|
The Private Body may update this manual every six months or from time to time as it may deem
necessary.
All Rights Reserved | DoughGetters | Privacy Policy