Information Manual

In terms of Section 51 of The Promotion of Access to Information

Act, No. 2 of 2000, (“PAIA”), and Section 18 of The Protection of

Personal Information Act, No. 4 of 2013, (“POPI”) compiled for:

DOUGH GETTERS (PTY) LTD

with Registration Number 2017/332953/07
("the Private Body")

TABLE OF CONTENTS
1. INTRODUCTION
2. DEFINITIONS AND INTERPRETATION
3. CONTACT DETAILS OF THE PRIVATE BODY – Section 51(1)(a)(i) of PAIA and section 18(1)(b) of the POPI Act
PART A: PROMOTION OF ACCESS TO INFORMATION
4. GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA – Section51(1)(b)(i)
5. RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI– Section 51(1)(b)(iii) of PAIA
6. DESCRIPTION OF SUBJECTS AND CATEGORIES OF RECORDS – Section 51(1)(b)(iv) of PAIA
7. FORM OF REQUEST FOR RECORDS
8. FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA
PART B: PROTECTION OF PERSONAL INFORMATION
9. PROTECTION OF PERSONAL INFORMATION - Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act
10. TRANSBORDER FLOWS OF PERSONAL INFORMATION – Section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act
11. SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(v) of PAIA
12. UPDATES TO THE MANUAL – Section 51(2)
1. PART B: PROTECTION OF PERSONAL INFORMATION

1.1 This Information Manual is published in terms of section 51 of the Promotion of Access to


Information Act, No. 2 of 2000 (“PAIA”), as amended by the Protection of Personal Information

Act, No. 4 of 2013, (“POPI Act”) as well as section 18 of the POPI Act.


1.2 PAIA gives effect to the provisions of Section 32 of the Constitution, which provides for the right

of access to information held by the State and to information held by another person that is

required for the exercise and/or protection of any right.


1.3 The POPI Act gives effect to the provisions of, inter alia, Section 14 of the Constitution, which

provides for the right to privacy of all persons.


1.4 The information provided in this manual includes:


1.4.1 contact details of the Head, as defined in PAIA, of the Private Body;


1.4.2 a description of the guide referred to in section 10 of PAIA, (which is a guide which

was produced by the Human Rights Commission and after 1 July 2021 shall be made

available and amended, from time to time, by the Information Regulator defined in

POPI) dealing with access to information;


1.4.3 a description of the records of the Private Body which are available in terms of any

legislation other than the PAIA;


1.4.4 a description of the subjects on which the Private Body holds records and the

categories of records held on each subject;


1.4.5 a description of the subjects on which the Private Body holds personal information

and the categories of personal information held on each subject;


1.4.6 the purpose of processing personal information;


1.4.7 the recipients to whom the personal information may be supplied;


1.4.8 planned transborder flows of information (if applicable);


1.4.9 a general description of the security measures in place to ensure the confidentiality,

integrity, and availability of the information to be processed;




Information Manual in terms of Section 51 of The Promotion of Access to Information Act, No 2 of 2000 and Section 18 of

The Protection of Personal Information Act, No. 4 Of 2013


1.4.10 sufficient information so as to facilitate a request for access to a record of the Private

Body;


1.4.11 a privacy and POPIA policy.


1.5 The reference to any information in addition to that specifically required in terms of section 51

of PAIA and section 18 of the POPI Act does not create any right or entitlement (contractual or

otherwise) to receive such information, other than in terms of PAIA and the POPI Act.


1.6 The main aim of this manual is to:


1.6.1 disclose the types of records held by the Private Body and to facilitate the requests

for access to records of the Private Body, as permitted by PAIA (dealt with in Part A

hereof);


1.6.2 make data subjects aware of the type and source of information being collected, the

purpose of collecting and processing such information and related matters(dealt with

in Part B hereof).



This manual may be updated from time to time and shall be made available on the Private Body’s

website and/or at its principal place of business, to any person on request, subject to the

payment of a reasonable fee and to the Information Regulator.

2. DEFINITIONS AND INTERPRETATION

2.1 In this document, clause headings are for convenience and shall not be used in its interpretation

unless the context clearly indicates a contrary intention:


2.2 An expression which denotes -


2.2.1 any gender includes the other genders;


2.2.2 a natural person includes an artificial or juristic person and vice versa;


2.2.3 the singular includes the plural and vice versa;


2.3 The following expressions shall bear the meanings assigned to them below and similar

expressions bear corresponding meanings:


2.3.1 "data subject" means the person to whom personal information relates;


2.3.2 "Personal Information" means information relating to an identifiable living, natural person,

and where it is applicable, an identifiable existing juristic person;


2.3.3 "this document" or "this manual" means this information manual, together with all of its

annexures, as amended from time to time;


2.3.4 "the Private Body" means the private body to which this manual applies with their details as

they appear on the front page of this manual;


2.3.5 "requester" means a person or entity requesting access to a record that is under the control

of the Private Body.


2.4 Any reference to any statute, regulation or other legislation shall be a reference to that statute,

regulation or other legislation as at the signature date, and as amended or substituted from time

to time;


2.5 If any provision in a definition is a substantive provision conferring a right or imposing an

obligation on any party then, notwithstanding that it is only in a definition, effect shall be given

to that provision as if it were a substantive provision in the body of this manual;


2.6 Where any term is defined within a particular clause other than this, that term shall bear the

meaning ascribed to it in that clause wherever it is used in this manual;


2.7 Where any number of days is to be calculated from a particular day, such number shall be

calculated as excluding such particular day and commencing on the next day. If the last day of

such number so calculated falls on a day which is not a business day, the last day shall be deemed

to be the next succeeding business day;


2.8 Any reference to days (other than a reference to business days), months or years shall be a

reference to calendar days, months or years, as the case may be or as is otherwise defined in

any legislation;


2.9 The use of the word "including" followed by a specific example/s shall not be construed as

limiting the meaning of the general wording preceding it and the eiusdem generis rule shall not

be applied in the interpretation of such general wording or such specific example/s;


2.10 Insofar as there is a conflict in the interpretation of or application of this manual and PAIA or the

POPI Act, PAIA or the POPI Act shall prevail;


2.11 This manual does not purpot to be exhaustive of or comprehensively deal with every procedure

provided for in PAIA or all rights listed under the POPI Act. The reader relying on any provisions

of this Manual is advised to familiarise his/her/itself with the provisions of PAIA and the POPI

Act.




3. CONTACT DETAILS OF HEAD OF THE PRIVATE BODY AND THE INFORMATION OFFICER – Section 51(1)(a)(i) of PAIA and section 18 (1)(b) of the POPI Act

3.1 Head and deputy Information Officer, (defined in POPIA), of the Private Body: Willem Haarhoff.


3.1.1 Postal Address of Head of the Private Body: 162 Mitchell Street, Bergsig, George, 6529.


3.1.2 Street Address of Head of the Private Body: 162 Mitchell Street, Bergsig, George, 6529.


3.1.3 Telephone Number of Head of the Private Body: 076 440 0832.


3.1.4 Email of Head of the Private Body: willem@doughgetters.co.za.



3.2 Information Officer, (defined in POPIA), of the Private Body: Michiel Heyns Claassen


3.2.1 Postal Address: 162 Mitchell Street, Bergsig, George, 6529.


3.2.2 Street Address: 162 Mitchell Street, Bergsig, George, 6529.


3.2.3 Telephone Number: 082 472 1527.


3.2.4 Email: michiel@doughgetters.co.za.



3.3 The Act stipulates the following general responsibilities of the Information Officer: (1) to

encourage compliance with POPIA, (2) dealing with requests made to the Private Body in relation

to POPIA, (for instance, requests from Data Subjects to update or view their Personal

Information), (3) working with the Regulator in relation to investigations, (4) otherwise ensuring

compliance with POPIA, (5) as may be prescribed (i.e. keep an eye on the Regulator’s website).




3.4 Information Officers need to be registered with the Regulator before taking up their duties.


PART A: PROMOTION OF ACCESS TO

INFORMATION

4. GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA– Section 51(1)(b)(i) of PAIA

4.2 The contact details of the HRC are as follows:


4.2.1 Postal address: Private Bag 2700, Houghton, 2041


4.2.2 Telephone: +27 11 484 8300


4.2.3 Telefax: +27 11 484 0582


4.2.4 Website: www.sahrc.org.za


4.2.5 Email: paia@sahrc.org.za


4.3 The guide is also available electronically at

https://www.sahrc.org.za/home/21/files/Section%2010%20guide%202014.pdf


4.4 With effect from 1 July 2021, the Information Regulator, (“IR”) must update and make available

the existing guide that had previously been compiled by the HRC containing information in an

easily comprehensible form and manner as may reasonable be required by a person who wishes

to exercise any right contemplated in PAIA and POPI.


4.5 The contact details of the IR are as follows:


4.5.1 Physical address: Braampark, Forum 3, 33 Hoof Street, Braampark, Johannesburg, 2017


4.5.2 Postal Address: P.O Box, 31533


4.5.3 Telephone: +27 10 023 5200


4.5.4 Telefax: +27 86 500 3351


4.5.5 Website: www.justice.gov.za/inforeg/contact.html


4.5.6 Email: inforeg@justice.gov.za.


5. RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI – Section 51(1)(b)(iii) of PAIA

5.1 Some of the records held by the Private Body are available in terms of legislation other than PAIA

or POPI, which legislation is listed below. Records that must be made available in terms of these

Acts shall be made available in terms of the requirements of PAIA and this manual. That

legislation includes:


5.1.1 The Companies Act, No. 71 Of 2008


5.1.2 Income Tax Act, No. 58 Of 1962


5.1.3 Value Added Tax Act, No. 89 Of 1991


5.1.4 Labour Relations Act, No. 66 Of 1995


5.1.5 Basic Conditions of Employment Act, No. 75 Of 1997


5.1.6 Skills Development Levies Act, No. 9 Of 1999


5.1.7 Unemployment Insurance Act, No. 63 Of 2001


5.1.8 Any Other Industry Applicable Legislation.

5. RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI – Section 51(1)(b)(iii) of PAIA

6.1 The Private Body holds various records. The subjects on which the Private Body holds records

and the categories of records held by the Private Body are reproduced in the tables below.


6.2 The listing of a category or subject matter in this manual does not guarantee access to such

records. All requests for access will be evaluated on a case-by-case basis in accordance with the

provisions of PAIA and other applicable legislation. A request for records shall be made in the

prescribed form set out later in this manual under the heading “FORM OF REQUEST FOR RECORDS”.


RECORD SUBJECTS: INTERNAL ADMINISTRATION, COMPLIANCE AND MANAGEMENT
Categories of records held:
Records of the owners of the Private Body
Records and minutes of the meetings of the owners and/or managers of the Private Body
Resolutions of the owners and/or managers of the Private Body
Agreements dealing with the internal arrangements between the owners and/or managers of the Private Body
Records relating to the creation and/or registration of the Private Body
Legislative compliance
Regulatory reports
RECORD SUBJECTS: HUMAN RESOURCES
Categories of records held:
Any personal records provided to the Private Body by their employees
List of employees
Conditions of employment and other employee-related contractual and quasi-legal records
Pension and provident fund records
Health and Safety records
Internal evaluation records
All internal policies applicable and accessible to the employees
RECORD SUBJECTS: FINANCE
Categories of records held:
Financial statements and other accounting records
Accounting reports
Taxation records
Debtors and creditors records
Insurance records
Banking statements
RECORD SUBJECTS: CLIENT RECORDS
Categories of records held:
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body
Contractual information
Client needs assessments
Personal records of clients
Any records a third party has provided to the Private Body about clients
Confidential, privileged, contractual and quasi-legal records of clients
Client evaluation records
Client profiling
Client account numbers
Any records a third party has provided to the Private Body either directly or indirectly
Records generated by or within the Private Body pertaining to clients, including transactional records
RECORD SUBJECTS: SERVICE PROVIDERS, SUPPLIERS AND THIRD PARTIES
Categories of records held:
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body
Lists of service providers and suppliers
Service providers’ and suppliers’ terms and conditions
Records kept in respect of other third parties, including without limitation joint venture partners, which includes records, falling within the subjects contemplated in this part of the manual, which can be said to belong to the Private Body but which are held by such third party
RECORD SUBJECTS: ASSETS
Categories of records held:
Register of assets (movable or immovable)
Insurance records relating to the assets
Register of intellectual property owned by the Private Body
RECORD SUBJECTS: OTHER RECORDS
Categories of records held:
Information relating to the Private Body’ s own commercial activities
Research information belonging to the Private Body, whether carried out itself or commissioned from a third party
Information technology including information systems, network security, software licenses, technology asset
Support services
Internal communication
7. FORM OF REQUEST FOR RECORDS

7.1 A request for records shall be accompanied by adequate proof of identity of the applicant, (such

as a certified copy of his/her identity document), and made using the prescribed form, a copy of

which is attached hereto and marked annexure "A" ("the prescribed form"). The prescribed form

is also available from the website of the Human Rights Commission at https://www.sahrc.org.za,

or the website of the Department of Justice and Constitutional Development at

https://www.doj.gov.za and as may be advised by the Information Regulator on or after 1 July

2021.


7.2 The prescribed form shall be submitted to the Private Body Head named in clause 3 hereof.


7.3 The above procedure shall apply if the requester is requesting information for personal use

and/or on behalf of another person, even if such other person is a permanent employee of the

Private Body.


7.4 The Head of the Private Body shall as soon as reasonably possible, and within 30 (thirty) days

after the request has been received, decide whether or not to grant such request.


7.5 The requester will be notified of the decision of the Head of the Private Body or the General

Manager in the manner indicated by the requester.


7.6 After access is granted, actual access to the record requested will be given as soon as reasonably

possible.


7.7 If the request for access is refused, the Head of the Private Body or the General Manager shall

advise the requester in writing of the refusal. The notice of refusal shall state:


7.7.1 adequate reasons for the refusal; and


7.7.2 that the requester may lodge an appeal with a court of competent jurisdiction against

the refusal of the request (including the period) for lodging such an appeal.


7.8 If the Head of the Private Body or the General Manager fails to respond within 30 (thirty) days

after a request has been received, it is deemed, in terms of section 58 read together with section

56(1) of PAIA, that the Head of the Private Body or the General Manager has refused the request


8. FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA

8.1 The following applies to requests (other than personal requests):



8.1.1 A requestor is required to pay the prescribed fees (R50.00) before a request will be

processed;


8.1.2 If the preparation of the record requested requires more than the prescribed 6 (six)

hours, a deposit shall be paid (of not more than one third of the access fee which

would be payable if the request were granted);


8.1.3 A requestor may lodge an application with a court against the tender/payment of the

request fee and/or deposit;


8.2 Records may be withheld until the fees have been paid.


8.3 The fee structure shall be available by way of regulations published from time to time.


8.4 In addition to the request fee, the following reproduction fees are prescribed by the Minister in

respect of private bodies such as the Private Body:

DESCRIPTION: FEE:
For every photocopy of an A4-size page or part thereof: R1.10
For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form: R0.75
For a copy in a computer-readable form on compact disc: R70
(i) For a transcription of visual images, for an A4-size page or part thereof: (ii) For a copy of visual images: (i) R20 (ii) R60
(iii) For transcription of an audio record, for an A4-size page or part thereof: (iv) For a copy of an audio record: (iii) R20 (iv) R30
To search for the record for disclosure: R30 for each hour or part of an hour reasonably required for such search.

8.5 The request fee payable by a requester, other than a personal requester, referred to in

regulation 11(2) is R50,00.


8.6 For purposes of section 54(2) of the Act, the following applies:


8.6.1 Six hours as the hours to be exceeded before a deposit is payable; and


8.6.2 one third of the access fee is payable as a deposit by the requester.



8.7 The actual postage is payable when a copy of a record must be posted to a requester.

PART A: PROMOTION OF ACCESS TO

INFORMATION

9 PROTECTION OF PERSONAL INFORMATION (POPIA POLICY) - Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act

INTRODUCTION


9.1 In South Africa, the right to privacy is protected in terms of the common law and section 14 of

the 1996 Constitution. As with all rights in the Bill of Rights, none are absolute, and can be limited

in terms of laws of general application. While the Constitution provides for, among other rights,

the right to privacy, the extent of the right to privacy may be limited by application of laws such

as the Promotion of Access to Information Act, 2 of 2000 and the Regulation of Interception of

Communications and Provision of Communication-related Information Act, 70 of 2002 (RICA).


9.2 POPI requires all South African organisations which handle personal information, to comply with

several important principles regarding privacy, disclosure, and trans-border flows of personal

information to other countries. POPI places responsibilities on the Private Body to process

personal information that it holds, in a fair and proper manner. The processing of such

information includes the collection, organising, storage, disclosure, transmission and use of

personal information.


9.3 The Private Body processes certain personal information, as defined in the POPI Act, (“Personal

Information”) relating to several data subjects, from time to time. A data subject is the person,

(natural or juristic), to whom Personal Information relates and from whom the Private Body

collects and processes information.



9.4 A description of the data subjects, (individuals and juristic persons), the information relating

thereto, the purpose of processing that information and the recipients of that Personal

Information is reproduced in the tables below.

DATA SUBJECTS AND PURPOSE FOR PROCESSING PERSONAL INFORMATION:

DATA SUBJECTS: EMPLOYEES
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person Information provide by employee or candidate Voluntary
For a copy in a computer-readable form on compact disc: Information provide by employee or candidate Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Information provide by employee or candidate Mandatory
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
To assess candidates for employment, to comply with legislative obligations in respect of employees, to load employee onto payroll and remunerate them
Recipient or categories of recipients to whom the Personal Information is supplied:
Human resources, management
The consequences of failure to provide information:
Inability to assess candidates for employment, inability to comply with legislative obligations in respect of employees, inability to load employee onto payroll and remunerate them.
DATA SUBJECTS: CLIENTS/CUSTOMERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person Provided by client/customer Voluntary
Information relating to the education or the medical, financial, criminal or employment history of the person Provided by client/customer Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Provided by client/customer Mandatory
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
To conduct needs assessment, to onboard client, to provide services to client, to invoice client.
Recipient or categories of recipients to whom the Personal Information is supplied:
Finance, management
The consequences of failure to provide information:
Inability to conduct needs assessment, inability to onboard client, inability to provide agreed services to client, inability to invoice client.
DATA SUBJECTS: SUPPLIERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person Provided by suppliers Voluntary
Information relating to the education or the medical, financial, criminal or employment history of the person Provided by suppliers Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Provided by suppliers Mandatory
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
To evaluate suppliers and their goods, to place orders for goods and settle supplier accounts.
Recipient or categories of recipients to whom the Personal Information is supplied:
Procurement, management
The consequences of failure to provide information:
Inability to evaluate suppliers and their goods, inability to place orders for goods and inability to settle supplier accounts.
DATA SUBJECTS: SERVICE PROVIDERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person Provided by service providers Voluntary
Information relating to the education or the medical, financial, criminal or employment history of the person Provided by service providers Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Provided by service providers Mandatory
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
To evaluate service providers and their services, to place orders for services and settle service provider accounts
Recipient or categories of recipients to whom the Personal Information is supplied:
Procurement, management
The consequences of failure to provide information:
Inability to evaluate service providers and their services, inability to place orders for services and inability to settle service provider accounts.
DATA SUBJECTS: PROSPECTIVE CLIENTS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person Provided by prospective client Voluntary
Information relating to the education or the medical, financial, criminal or employment history of the person Provided by prospective client Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Provided by prospective client Mandatory
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
Market business, prepare proposals and quotations.
Recipient or categories of recipients to whom the Personal Information is supplied:
Marketing, management
The consequences of failure to provide information:
Inability to market business, inability to prepare proposals and quotations and limited business growth.

9.5 The Private Body may collect and process the above data subjects’ Personal Information as

defined in POPI and set out in the tables above and otherwise. The type of information will also

depend on the nature of the relationship with the data subject and the purpose for which the

information is collected and used.


9.6 The purpose of collecting the information set out in the tables above is set out therein. Personal

Information will be processed for those purposes and other lawful purposes only, even though

not set out above.


9.7 Whenever possible, the Private Body will inform the relevant data subject what information they

are required to provide to the Private Body and what information is optional.



9.8 Where Personal Information is collected in terms of specific legislation, the Private Body will

inform the data subject in terms of which legislation that data is collected.

LAWFUL BASIS OF COLLECTING PERSONAL INFORMATION

9.9 The Private Body needs to adhere to POPIA and protect personal information efficiently by

adhering to the principles of POPIA governing the lawful basis of collecting personal information

such as:


9.9.1 Purpose Limitation - Personal data may only be used for the specific purpose for

which it has been initially collected. Subsequent use for other purposes must be

compatible with this primary purpose.


9.9.2 Proportionality - Processing of personal data may not be excessive in relation to the

objective pursued by the Private Body. Data may be collected only to the extent

required.


9.9.3 Direct Collection - Personal data must generally be collected directly from the data

subject.


9.9.4 Transparency - The data subject must be aware what personal data is processed for

which purpose and who is responsible for it.


9.9.5 Data Quality - Personal data must be collected correctly. Appropriate measures must

be taken so that irrelevant or incomplete data is corrected or deleted.


9.9.6 Security - Appropriate technical and organizational measures must be taken to protect

personal data against unauthorized access, accidental loss or destruction and other

forms of unlawful processing. Data may be accessible only by persons who have a

“need to know”.


9.9.7 Deletion - Personal Data that is no longer required must be deleted. The period of

time data after which data is to be deleted shall be defined and the actual deletion

must be ensured. In line with the provisions of 14(1)(d) of POPIA our Data Subjects

hereby consent to the indefinite storage and retention of all Personal Information

which shall be deleted on request, unless otherwise provided by Legislation.

PROCESSING OF PERSONAL INFORMATION

9.10 Personal Information may only be processed if certain conditions are met which are listed below:


9.10.1 The data subject consents to the processing – consent is obtained directly from the

data subject;


9.10.2 The Personal Information is subject to a contract concluded between the parties or

such information is in the public domain;


9.10.3 Processing complies with an obligation imposed by law;


9.10.4 Processing protects a legitimate interest of clients and, employees so that the Private

Body can respond to their needs on a timeous basis and provide them with a beneficial

service;


9.10.5 Processing protects a legitimate interest of suppliers so that the Private Body can

provide them with business opportunities on a timeous basis and relevant

information;


9.10.6 Processing protects a legitimate interest of Employees to enable the Private Body to

provide them with the necessary services and protection.


9.11 We will not, without data subjects’ express consent use their Personal Information for any

purpose, other than:


specifically:


9.11.1 as set out in the abovementioned tables;

generally:


9.11.2 in relation to the provision of any goods and services to a data subject;


9.11.3 to inform the data subject of new services or products or special offers (unless they

have opted out from receiving marketing material from us);


9.11.4 to improve our product and/or service selection and their experience; or


9.11.5 to disclose their Personal Information to any third party as set out below:


9.11.5.1 to our employees and/or third party service providers who assist us to

interact with data subjects, their personal and contact information

being essential in order to assist us to communicate with the data

subjects properly and efficiently and facilitate the provision of services


9.11.5.2 to law enforcement, government officials, fraud detection agencies or

other third parties when we believe in good faith that the disclosure of

Personal Information is necessary to prevent physical harm or financial

loss, to report or support the investigation into suspected illegal

activity;


9.11.5.3 to our service providers (under contract with us) who help with parts of

our business operations (fraud prevention, marketing, technology

services etc). However, these service providers may only use data

subjects information in connection with the services they perform for

us and not for their own benefit;


9.11.5.4 to any third-party seller for purposes of sending data subjects an invoice

for any goods purchased from such third-party seller, which disclosed

information will be limited to data subjects’ email addresses;


9.12 We are entitled to use or disclose data subjects’ Personal Information if such use or disclosure is

required to comply with any applicable law, subpoena, order of court or legal process served on

us, or to protect and defend our rights or property.


9.13 Data subjects’ privacy is important to us and we will therefore not sell, rent or provide their

Personal Information to unauthorised third parties for their independent use, without their

consent.


9.14 We will not process personal information:


9.14.1 concerning the religious or philosophical beliefs, race or ethnic origin, trade union

membership, political persuasion, health or sex life or biometric information of a

data subject; or


9.14.2 the criminal behaviour of a data subject except to the extent that such information

relates to i) the alleged commission by a data subject of any offence; or ii) any

proceedings in respect of any offence allegedly committed by a data subject or the

disposal of such proceedings.


9.15 In line with our obligations in terms of section 22 of the POPI Act, where there are reasonable

grounds to believe that Personal Information has been accessed or acquired by any unauthorised

person, we will notify the Information Regulator and the data subject, where possible and follow

our procedures set out in our data breach policy.


9.16 When data subjects provide a rating or review of our services and/or goods, they consent to us

using that rating or review as we deem fit, including without limitation, on our website, in

newsletters or other marketing material. The name that will appear next to that rating or review

is their first name, as they would have provided. We will not display their surname, nor any of

their contact details, with a rating or review.


9.17 We will:


9.17.1 treat data subjects’ Personal Information as strictly confidential, save where we are

entitled to share it as set out in this section;


9.17.2 take appropriate technical and organisational measures to ensure that data subjects’

Personal Information is kept secure and is protected against unauthorised or

unlawful processing, accidental loss, destruction or damage, alteration, disclosure or

access;


9.17.3 provide data subjects with access to their Personal Information to view and/or

update personal details;


9.17.4 promptly notify data subjects if we become aware of any unauthorised use,

disclosure or processing of their Personal Information;


9.17.5 provide data subjects with reasonable evidence of our compliance with our

obligations under this section on reasonable notice and request; and


9.17.6 Information in our possession or control, save for that which we are legally obliged

to retain.


9.18 Given the nature of the information we retain, we will retain data subjects’ Personal Information

longer than the period for which it was originally needed, and in this regard our client’s hereby

consent to such longer retention.



9.19 Whilst we will do all things reasonably necessary to protect data subjects’ rights of privacy, we

cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of

data subjects’ Personal Information, whilst in our possession, made by third parties who are not

subject to our direct control, unless such disclosure is because of our gross negligence.


9.20 In addition to the above, we may automatically gather non-personal information about Data

Subjects, such as the type of internet browser they use or the website from which they accessed

our website. We may also compile aggregated data based on their interactions with our site,

such as the products or services they express interest in. This information cannot be used to

identify them and is solely intended to help us improve the effectiveness of our website.

Occasionally, we may share this non-personal or aggregated data with third parties for purposes

related to our website.


9.21 Our website may use cookies from time to time, which are small text files stored on the Data

Subject’s computer by their browser. Cookies often contain a unique identifier, allowing us to

recognize their specific browser and improve their experience.


9.22 They help us remember users and simplify navigation. Data Subjects can disable cookies through

their browser settings or delete existing ones, but please note that some website features may

not function properly if cookies are turned off.


ACCESS AND CORRECTION OF PERSONAL INFORMATION


9.23 Data Subjects have the right to access the Personal Information the Private Body holds about

them.


9.24 Data subjects also have the right to request the Private Body to update, correct or delete their

Personal Information on reasonable grounds.


9.25 Once a data subject objects to the processing of their Personal Information, the Private Body

may no longer process that Personal Information.


9.26 Where a data subject objects to the processing of their Personal Information it may affect the

validity of any and all other agreements between the parties where such processing is a material

requirement in such agreements.


9.27 The Private Body will take all reasonable steps to confirm the data subject’s identity before

providing details of their Personal Information or making changes to their Personal Information.


9.28 Data subjects have the right to object to the processing of their Personal Information.


9.29 In the event a data subject requires confirmation regarding the existence of the Personal

Information processed by the Private Body or believes that the Personal Information processed

by the Private Body requires rectification, the data subject is entitled to utilise the processes and

procedures set out in section A of this manual to request access to the records of the Private

Body set out in section 18(1)(h)(iii).


COMPLAINTS


9.30 Whilst we will do all things reasonably necessary to protect data subjects’ rights of privacy, we

cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of

data subjects’ Personal Information, whilst in our possession, made by third parties who are not

subject to our direct control, unless such disclosure is as a result of our gross negligence.


9.31 Should a data subject believe that we have used their Personal Information contrary to this

Manual and the provisions of the POPI Act, the data subject should first attempt to resolve any

concerns with us. If the data subject is not satisfied, they have the right to lodge a complaint

with the Information Regulator (which address can be found herein below), established in terms

of the POPI Act.



The Information Regulator (South Africa)

SALU Building

316 Thabo Sehume Street

Pretoria

0004


TRANSBORDER FLOWS OF PERSONAL INFORMATION – (section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act.

10.1 The Private Body may from time to time need to transfer authorised Personal Information to

another country for storage purposes or for the rendering of services by a foreign third-party

service provider or otherwise. We will ensure that any person that we pass data subjects’

Personal Information to agrees to treat their information with the same level of protection as

we are obliged to in terms of section 72 of the POPI Act.

SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(v)

11.1 The security measures implemented by the Private Body to ensure the confidentiality, integrity

and availability of Personal Information, are listed and described below:

Devices and user stations are password protected Firewalls
Virus protection
Password protection on devices are changed regularly
Data encryption
Systems and devices are automatically locked after certain periods of inactivity
PHYSICAL SECURITY MEASURES: CYBER SECURITY MEASURES:
Data is backed up
12 UPDATES TO THE MANUAL – Section 51(2)

The Private Body may update this manual every six months or from time to time as it may deem

necessary.

Share by: