INFORMATION MANUAL
IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO
INFORMATION ACT, NO. 2 OF 2000, (“PAIA”), AND SECTION 18 OF THE PROTECTION OF PERSONAL INFORMATION ACT, NO. 4 OF 2013, (“POPI”) COMPILED FOR:
Venture Workspace (Pty) Ltd
with Registration Number 2019/293393/07
(“the Private Body”)
TABLE OF CONTENTS
1. INTRODUCTION
2. DEFINITIONS AND INTERPRETATION
3. CONTACT DETAILS OF THE PRIVATE BODY – Section 51(1)(a)(i) of PAIA and section 18(1)(b) of the POPI Act
PART A: PROMOTION OF ACCESS TO INFORMATION
4. GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA – Section51(1)(b)(i)
5. RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI– Section 51(1)(b)(iii) of PAIA
6. DESCRIPTION OF SUBJECTS AND CATEGORIES OF RECORDS – Section 51(1)(b)(iv) of PAIA
7. FORM OF REQUEST FOR RECORDS
8. FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA
PART B: PROTECTION OF PERSONAL INFORMATION
9. PROTECTION OF PERSONAL INFORMATION – Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act
10. TRANSBORDER FLOWS OF PERSONAL INFORMATION – Section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act
11. SECURITY MEASURES TO PROTECT PERSONAL INFORMATION – Section 51(1)(v) of PAIA
12. UPDATES TO THE MANUAL – Section 51(2)
1 INTRODUCTION
1.1 This Information Manual is published in terms of section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”), as amended by the Protection of Personal Information Act, No. 4 of 2013, (“POPI Act”) as well as section 18 of the POPI Act.
1.2 PAIA gives effect to the provisions of Section 32 of the Constitution, which provides for the right of access to information held by the State and to information held by another person that is required for the exercise and/or protection of any right.
1.3 The POPI Act gives effect to the provisions of, inter alia, Section 14 of the Constitution, which provides for the right to privacy of all persons.
1.4 The information provided in this manual includes:
1.4.1 contact details of the Head, as defined in PAIA, of the Private Body;
1.4.2 a description of the guide referred to in section 10 of PAIA, (which is a guide which was produced by the Human Rights Commission and after 1 July 2021 shall be made available and amended, from time to time, by the Information Regulator defined in POPI) dealing with access to information;
1.4.3 a description of the records of the Private Body which are available in terms of any legislation other than the PAIA;
1.4.4 a description of the subjects on which the Private Body holds records and the categories of records held on each subject;
1.4.5 a description of the subjects on which the Private Body holds personal information and the categories of personal information held on each subject;
1.4.6 the purpose of processing personal information;
1.4.7 the recipients to whom the personal information may be supplied;
1.4.8 planned trans-border flows of information (if applicable);
1.4.9 a general description of the security measures in place to ensure the confidentiality, integrity, and availability of the information to be processed;
1.4.10 sufficient information so as to facilitate a request for access to a record of the Private Body;
1.5 The reference to any information in addition to that specifically required in terms of section 51 of PAIA and section 18 of the POPI Act does not create any right or entitlement (contractual or otherwise) to receive such information, other than in terms of PAIA and the POPI Act.
1.6 The main aim of this manual is to:
1.6.1 disclose the types of records held by the Private Body and to facilitate the requests for access to records of the Private Body, as permitted by PAIA (dealt with in Part A hereof);
1.6.2 make data subjects aware of the type and source of information being collected, the purpose of collecting and processing such information and related matters(dealt with in Part B hereof).
This manual may be updated from time to time and shall be made available on the Private Body’s website and/or at its principal place of business, to any person on request, subject to the payment of a reasonable fee and to the Information Regulator.
2 DEFINITIONS AND INTERPRETATION
2.1 In this document, clause headings are for convenience and shall not be used in its interpretation unless the context clearly indicates a contrary intention:
2.2 An expression which denotes –
2.2.1 any gender includes the other genders;
2.2.2 a natural person includes an artificial or juristic person and vice versa;
2.2.3 the singular includes the plural and vice versa;
2.3 The following expressions shall bear the meanings assigned to them below and similar expressions bear corresponding meanings:
2.3.1 “data subject” means the person to whom personal information relates;
2.3.2 “Personal Information” means information relating to an identifiable living, natural person, and where it is applicable, an identifiable existing juristic person;
2.3.3 “this document” or “this manual” means this information manual, together with all of its annexures, as amended from time to time;
2.3.4 “the Private Body” means the private body to which this manual applies with their details as they appear on the front page of this manual;
2.3.5 “requester” means a person or entity requesting access to a record that is under the control of the Private Body.
2.4 Any reference to any statute, regulation or other legislation shall be a reference to that statute, regulation or other legislation as at the signature date, and as amended or substituted from time to time;
2.5 If any provision in a definition is a substantive provision conferring a right or imposing an obligation on any party then, notwithstanding that it is only in a definition, effect shall be given to that provision as if it were a substantive provision in the body of this manual;
2.6 Where any term is defined within a particular clause other than this, that term shall bear the meaning ascribed to it in that clause wherever it is used in this manual;
2.7 Where any number of days is to be calculated from a particular day, such number shall be calculated as excluding such particular day and commencing on the next day. If the last day of such number so calculated falls on a day which is not a business day, the last day shall be deemed to be the next succeeding business day;
2.8 Any reference to days (other than a reference to business days), months or years shall be a reference to calendar days, months or years, as the case may be or as is otherwise defined in any legislation;
2.9 The use of the word “including” followed by a specific example/s shall not be construed as limiting the meaning of the general wording preceding it and the eiusdem generis rule shall not be applied in the interpretation of such general wording or such specific example/s;
2.10 Insofar as there is a conflict in the interpretation of or application of this manual and PAIA or the POPI Act, PAIA or the POPI Act shall prevail;
2.11 This manual does not purport to be exhaustive of or comprehensively deal with every procedure provided for in PAIA or all rights listed under the POPI Act. The reader relying on any provisions of this Manual is advised to familiarise his/her/itself with the provisions of PAIA and the POPI Act.
3 CONTACT DETAILS OF THE PRIVATE BODY – Section 51(1)(a)(i) of PAIA and section 18 (1)(b) of the POPI Act
3.1 Head of the Private Body: Louis Fourie.
3.2 Postal Address of Head of the Private Body: PO Box 2137, Clareinch, 7740.
3.3 Street Address of Head of the Private Body: Ground Floor Brookside Building, 11 Imam Haron Road, Claremont, 7804.
3.4 Telephone Number of Head of the Private Body: 0210351400.
3.5 Email of Head of the Private Body: louis@ventureworkspace.co.za.
PART A: PROMOTION OF ACCESS TO INFORMATION
4 GUIDE ON HOW TO EXERCISE RIGHTS IN TERMS OF PAIA– Section 51(1)(b)(i) of PAIA
4.1 The Human Rights Commission (“the HRC”) has compiled a guide, as contemplated in section 10 of PAIA, containing information to assist any person who wishes to exercise any right as contemplated in PAIA.
4.2 The contact details of the HRC are as follows:
4.2.1 Postal address: Private Bag 2700, Houghton, 2041
4.2.2 Telephone: +27 11 484 8300
4.2.3 Telefax: +27 11 484 0582
4.2.4 Website: www.sahrc.org.za
4.2.5 Email: paia@sahrc.org.za
4.3 The guide is also available electronically at https://www.sahrc.org.za/home/21/files/Section%2010%20guide%202014.pdf
4.4 With effect from 1 July 2021, the Information Regulator, (“IR”) must update and make available the existing guide that had previously been compiled by the HRC containing information in an easily comprehensible form and manner as may reasonable be required by a person who wishes to exercise any right contemplated in PAIA and POPI.
4.5 The contact details of the IR are as follows:
4.5.1 Physical address: Braampark, Forum 3, 33 Hoof Street, Braampark, Johannesburg, 2017
4.5.2 Postal Address: P.O Box, 31533
4.5.3 Telephone: +27 10 023 5200
4.5.4 Telefax: +27 86 500 3351
4.5.5 Website: www.justice.gov.za/inforeg/contact.html
4.5.6 Email: inforeg@justice.gov.za.
5 RECORDS AVAILABLE IN TERMS OF LEGISLATION OTHER THAN PAIA AND POPI – Section 51(1)(b)(iii) of PAIA
5.1 Some of the records held by the Private Body are available in terms of legislation other than PAIA or POPI, which legislation is listed below. Records that must be made available in terms of these Acts shall be made available in terms of the requirements of PAIA and this manual. That legislation includes:
5.1.1 THE COMPANIES ACT, NO. 71 OF 2008
5.1.2 INCOME TAX ACT, NO. 58 OF 1962
5.1.3 VALUE ADDED TAX ACT, NO. 89 OF 1991
5.1.4 LABOUR RELATIONS ACT, NO. 66 OF 1995
5.1.5 BASIC CONDITIONS OF EMPLOYMENT ACT, NO. 75 OF 1997
5.1.6 EMPLOYMENT EQUITY ACT, NO. 55 OF 1998
5.1.7 SKILLS DEVELOPMENT LEVIES ACT, NO. 9 OF 1999
5.1.8 UNEMPLOYMENT INSURANCE ACT, NO. 63 OF 2001
5.1.9 ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT, NO. 25 OF 2002
5.1.10 TELECOMMUNICATIONS ACT, NO. 103 OF 1996
5.1.11 ELECTRONIC COMMUNICATIONS ACT, NO. 36 OF 2005
5.1.12 CONSUMER PROTECTION ACT, NO. 68 OF 2008
5.1.13 PREVENTION OF ORGANISED CRIME ACT 121 OF 1998
5.1.14 FINANCIAL INTELLIGENCE CENTRE ACT 38 OF 2001
5.1.15 BROAD-BASED BLACK ECONOMIC EMPOWERMENT ACT, NO. 53 OF 2003
5.1.16 NATIONAL CREDIT ACT, NO. 34 OF 2005
5.1.17 any other industry applicable legislation.
6 DESCRIPTION OF SUBJECTS AND CATEGORIES OF RECORDS – Section 51(1)(b)(iv) of PAIA
6.1 The Private Body holds various records. The subjects on which the Private Body holds records and the categories of records held by the Private Body are reproduced in the tables below.
6.2 The listing of a category or subject matter in this manual does not guarantee access to such records. All requests for access will be evaluated on a case by case basis in accordance with the provisions of PAIA and other applicable legislation. A request for records shall be made in the prescribed form set out later in this manual under the heading “FORM OF REQUEST FOR RECORDS”.
RECORD SUBJECTS:
INTERNAL ADMINISTRATION, COMPLIANCE AND MANAGEMENT
Categories of records held:
Records of the owners of the Private Body
Records and minutes of the meetings of the owners and/or managers of the Private Body
Resolutions of the owners and/or managers of the Private Body
Agreements dealing with the internal arrangements between the owners and/or managers of the Private Body
Records relating to the creation and/or registration of the Private Body
Internal auditing and risk
Legislative compliance
Regulatory reports
RECORD SUBJECTS: HUMAN RESOURCES
Categories of records held:
Any personal records provided to the Private Body by their employees
List of employees
Conditions of employment and other employee-related contractual and quasi-legal records
Employee tax and insurance fund information including unemployment insurance fund contributions, group life, disability and income protection
Health and Safety records
Codes of conduct as well as the relevant disciplinary codes and procedures
All internal policies applicable and accessible to the employees
Any records a third party has provided to the Private Body about any of their employees
RECORD SUBJECTS: FINANCE
Categories of records held:
Financial statements and other accounting records
Accounting reports
Taxation records
Debtors and creditors records
RECORD SUBJECTS: CLIENT RECORDS
Categories of records held:
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body
Contractual information
Client needs assessments
Personal records of clients
Any records a third party has provided to the Private Body about clients
Confidential, privileged, contractual and quasi-legal records of clients
Client account numbers
Records generated by or within the Private Body pertaining to clients, including transactional records
RECORD SUBJECTS:
SERVICE PROVIDERS, SUPPLIERS AND THIRD PARTIES
Categories of records held:
Any records a client has provided to the Private Body or a third party acting for or on behalf of the Private Body
Lists of service providers and suppliers
Service providers’ and suppliers’ terms and conditions
Records kept in respect of other third parties, including without limitation joint venture partners, which includes records, falling within the subjects contemplated in this part of the manual, which can be said to belong to the Private Body but which are held by such third party
RECORD SUBJECTS: ASSETS
Categories of records held:
Insurance records relating to the assets
Register of intellectual property owned by the Private Body
RECORD SUBJECTS: OTHER RECORDS
Categories of records held:
Information relating to the Private Body’ s own commercial activities
Environment and market information
Information technology including information systems, network security, software licenses, technology asset
Support services
Internal communication
7 FORM OF REQUEST FOR RECORDS
7.1 A request for records shall be accompanied by adequate proof of identity of the applicant, (such as a certified copy of his/her identity document), and made using the prescribed form, a copy of which is attached hereto and marked annexure “A” (“the prescribed form”). The prescribed form is also available from the website of the Human Rights Commission at https://www.sahrc.org.za, or the website of the Department of Justice and Constitutional Development at https://www.doj.gov.za and as may be advised by the Information Regulator on or after 1 July 2021.
7.2 The prescribed form shall be submitted to the Private Body Head named in clause 3 hereof.
7.3 The above procedure shall apply in the event that the requester is requesting information for personal use and/or on behalf of another person, even if such other person is a permanent employee of the Private Body.
7.4 The Head of the Private Body shall as soon as reasonably possible, and within 30 (thirty) days after the request has been received, decide whether or not to grant such request.
7.5 The requester will be notified of the decision of the Head of the Private Body or the General Manager in the manner indicated by the requester.
7.6 After access is granted, actual access to the record requested will be given as soon as reasonably possible.
7.7 If the request for access is refused, the Head of the Private Body or the General Manager shall advise the requester in writing of the refusal. The notice of refusal shall state:
7.7.1 adequate reasons for the refusal; and
7.7.2 that the requester may lodge an appeal with a court of competent jurisdiction against the refusal of the request (including the period) for lodging such an appeal.
7.8 If the Head of the Private Body or the General Manager fails to respond within 30 (thirty) days after a request has been received, it is deemed, in terms of section 58 read together with section 56(1) of PAIA, that the Head of the Private Body or the General Manager has refused the request.
8 FEES PRESCRIBED IN TERMS OF THE REGULATIONS – Section 51(1)(f) of PAIA
8.1 The following applies to requests (other than personal requests):
8.1.1 A requestor is required to pay the prescribed fees (R50.00) before a request will be processed;
8.1.2 If the preparation of the record requested requires more than the prescribed 6 (six) hours, a deposit shall be paid (of not more than one third of the access fee which would be payable if the request were granted);
8.1.3 A requestor may lodge an application with a court against the tender/payment of the request fee and/or deposit;
8.2 Records may be withheld until the fees have been paid.
8.3 The fee structure shall be available by way of regulations published from time to time.
8.4 In addition to the request fee, the following reproduction fees are prescribed by the Minister in respect of private bodies such as the Private Body:
DESCRIPTION: FEE:
For every photocopy of an A4-size page or part thereof: R1.10
For every printed copy of an A4-size page or part thereof held on a computer or in electronic or machine-readable form: R0.75
For a copy in a computer-readable form on compact disc: R70
DESCRIPTION: FEE:
(i) For a transcription of visual images, for an A4-size page or part thereof:
(ii) For a copy of visual images: (i) R20(ii) R60
(iii) For transcription of an audio record, for an A4-size page or part thereof:
(iv) For a copy of an audio record: (iii) R20(iv) R30
To search for the record for disclosure: R30 for each hour or part of an hour reasonably required for such search.
8.5 The request fee payable by a requester, other than a personal requester, referred to in regulation 11(2) is R50,00.
8.6 For purposes of section 54(2) of the Act, the following applies:
8.6.1 Six hours as the hours to be exceeded before a deposit is payable; and
8.6.2 one third of the access fee is payable as a deposit by the requester.
8.7 The actual postage is payable when a copy of a record must be posted to a requester.
PART B: PROTECTION OF PERSONAL INFORMATION
9 PROTECTION OF PERSONAL INFORMATION – Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act
9.1 The Private Body processes certain personal information, as defined in the POPI Act, (“Personal Information”) relating to several data subjects, from time to time. A data subject is the person, (natural or juristic), to whom Personal Information relates and from whom the Private Body collects and processes information.
9.2 A description of the data subjects, (individuals and juristic persons), the information relating thereto, the purpose of processing that information and the recipients of that Personal Information is reproduced in the tables below.
DATA SUBJECTS: EMPLOYEES
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Information relating to the education or the medical, financial, criminal or employment history of the person Employee Mandatory
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Employee Mandatory
The biometric information of the person Employee Mandatory
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence Employee Voluntary
DATA SUBJECTS: EMPLOYEES
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
Job Application, Employee Contract, Payroll, compliance with legislative obligations
Recipient or categories of recipients to whom the Personal Information is supplied:
Management
The consequences of failure to provide information:
Unable to process contract and payroll and comply with legislative requirements
DATA SUBJECTS: CLIENTS/CUSTOMERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Clients Mandatory
The biometric information of the person Clients Mandatory
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence Clients Voluntary
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person Clients Voluntary
DATA SUBJECTS: CLIENTS/CUSTOMERS
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
Lease agreement, billing and for the provision of the services
Recipient or categories of recipients to whom the Personal Information is supplied:
Management
The consequences of failure to provide information:
Unable to process leases, provide services or invoice
DATA SUBJECTS: SUPPLIERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Supplier Mandatory
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence Supplier Voluntary
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person Supplier Voluntary
DATA SUBJECTS: SUPPLIERS
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
For billing, ordering goods and accounting
Recipient or categories of recipients to whom the Personal Information is supplied:
Management
The consequences of failure to provide information:
Unable to process payments or order goods
DATA SUBJECTS: SERVICE PROVIDERS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Service Providers Mandatory
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence Service Providers Voluntary
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person Service Providers Voluntary
DATA SUBJECTS: SERVICE PROVIDERS
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
Billing Purposes and ordering services
Recipient or categories of recipients to whom the Personal Information is supplied:
Management
The consequences of failure to provide information:
Inability to order services or attend to billing
DATA SUBJECTS: PROSPECTIVE CLIENTS
Personal Information processed: Source of the Personal Information Is the supply of Personal Information mandatory or voluntary?:
Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person Prospective Client or publicly available information Mandatory
Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence Prospective Client Voluntary
The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person Electronic Voluntary
DATA SUBJECTS: PROSPECTIVE CLIENTS
Will any of the Personal Information be transferred to another country or international organisation?
No
Purpose of processing Personal Information:
Preparing quotations and conducting needs assessments
Recipient or categories of recipients to whom the Personal Information is supplied:
Management
The consequences of failure to provide information:
Unable to prepare quotations and conduct needs assessments
9.3 Where Personal Information is collected in terms of specific legislation, the Private Body will inform the data subject in terms of which legislation that data is collected.
9.4 Data subjects have the right to object to the processing of their Personal Information.
9.5 In the event a data subject requires confirmation regarding the existence of the Personal Information processed by the Private Body or believes that the Personal Information processed by the Private Body requires rectification, the data subject is entitled to utilise the processes and procedures set out in section A of this manual to request access to the records of the Private Body set out in section 18(1)(h)(iii).
9.6 We will not, without data subjects’ express consent use their Personal Information for any purpose, other than:
specifically:
9.6.1 as set out in the abovementioned tables; generally:
9.6.2 in relation to the provision of any goods and services to a data subject;
9.6.3 to inform the data subject of new features, special offers and promotional competitions offered by us or any of our divisions, affiliates and/or partners (unless they have opted out from receiving marketing material from us);
9.6.4 to improve our product and/or service selection and their experience on our website; or
9.6.5 to disclose their Personal Information to any third party as set out below:
9.6.5.1 to our employees and/or third party service providers who assist us to interact with data subjects via our website, for the ordering of goods or services or when delivering goods or services to data subjects, their personal and contact information being essential in order to assist us to communicate with the data subjects properly and efficiently;
9.6.5.2 to our divisions, affiliates and/or partners (including their employees and/or third party service providers) in order for them to interact directly with data subjects via email or any other method for purposes of sending data subjects marketing material regarding any current or new goods or services, new features, special offers or promotional items offered by them (unless the data subjects have opted out from receiving marketing material from us);
9.6.5.3 to law enforcement, government officials, fraud detection agencies or other third parties when we believe in good faith that the disclosure of Personal Information is necessary to prevent physical harm or financial loss, to report or support the investigation into suspected illegal activity;
9.6.5.4 to our service providers (under contract with us) who help with parts of our business operations (fraud prevention, marketing, technology services etc). However, these service providers may only use data subjects information in connection with the services they perform for us and not for their own benefit;
9.6.5.5 to our suppliers in order for them to liaise directly with data subject regarding any defective goods or services which requires their involvement;
9.6.5.6 to any third-party seller for purposes of sending data subjects an invoice for any goods purchased from such third-party seller, which disclosed information will be limited to data subjects’ email addresses;
9.7 We are entitled to use or disclose data subjects’ Personal Information if such use or disclosure is required in order to comply with any applicable law, subpoena, order of court or legal process served on us, or to protect and defend our rights or property. In the event of a fraudulent online payment, we are entitled to disclose relevant Personal Information for criminal investigation purposes or in line with any other legal obligation for disclosure of the Personal Information which may be required of it.
9.8 Data subjects’ privacy is important to us and we will therefore not sell, rent or provide their Personal Information to unauthorised third parties for their independent use, without their consent.
9.9 We will not process personal information concerning:
9.9.1 the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
9.9.2 the criminal behaviour of a data subject to the extent that such information relates to
i) the alleged commission by a data subject of any offence; or ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
unless
9.9.2.1 the data subject has given us specific consent to process such data; or
9.9.2.2 processing is necessary for the establishment, exercise or defence of a right or obligation in law;
9.9.2.3 processing is necessary to comply with an obligation of international public law; or
9.9.2.4 processing is for historical, statistical or research purposes to the extent that:
(i) the purpose serves a public interest or (ii) requesting consent would constitute an unreasonable requirement in the circumstances.
9.10 In line with our obligations in terms of section 22 of the POPI Act, where there are reasonable grounds to believe that Personal Information has been accessed or acquired by any unauthorised person, we will notify the Information Regulator and the data subject, where possible.
9.11 When data subjects provide a rating or review of our services and/or goods, they consent to us using that rating or review as we deem fit, including without limitation, on our website, in newsletters or other marketing material. The name that will appear next to that rating or review is their first name, as they would have provided. We will not display their surname, nor any of their contact details, with a rating or review.
9.12 We will:
9.12.1 treat data subjects’ Personal Information as strictly confidential, save where we are entitled to share it as set out in this section;
9.12.2 take appropriate technical and organisational measures to ensure that data subjects’ Personal Information is kept secure and is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access;
9.12.3 provide data subjects with access to their Personal Information to view and/or update personal details;
9.12.4 promptly notify data subjects if we become aware of any unauthorised use, disclosure or processing of their Personal Information;
9.12.5 provide data subjects with reasonable evidence of our compliance with our obligations under this section on reasonable notice and request; and
9.12.6 upon data subjects request, promptly return or destroy any and all of their Personal Information in our possession or control, save for that which we are legally obliged to retain.
9.13 We will not retain data subjects’ Personal Information longer than the period for which it was originally needed, unless we are required by law to do so, or they consent to us retaining such information for a longer period.
9.14 We undertake never to sell or make data subjects’ Personal Information available to any third- party other than as provided for in this section.
9.15 Whilst we will do all things reasonably necessary to protect data subjects’ rights of privacy, we cannot guarantee or accept any liability whatsoever for unauthorised or unlawful disclosures of data subjects’ Personal Information, whilst in our possession, made by third parties who are not subject to our direct control, unless such disclosure is as a result of our gross negligence.
9.16 Should a data subject believe that we have used their Personal Information contrary to this Manual and the provisions of the POPI Act, the data subject should first attempt to resolve any concerns with us. If the data subject is not satisfied, they have the right to lodge a complaint with the Information Regulator (which address can be found herein below), established in terms of the POPI Act.
The Information Regulator (South Africa) SALU Building
316 Thabo Sehume Street Pretoria
0004
10 TRANSBORDER FLOWS OF PERSONAL INFORMATION – (section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act.
10.1 The Private Body may from time to time need to transfer authorised Personal Information to another country for storage purposes or for the rendering of services by a foreign third-party service provider or otherwise. We will ensure that any person that we pass data subjects’ Personal Information to agrees to treat their information with the same level of protection as we are obliged to in terms of section 72 of the POPI Act.
11 SECURITY MEASURES TO PROTECT PERSONAL INFORMATION –
Section 51(1)(v)
11.1 The security measures implemented by the Private Body to ensure the confidentiality, integrity and availability of Personal Information, are listed and described below:
PHYSICAL SECURITY MEASURES: CYBER SECURITY MEASURES:
Access control to the premises and certain key areas, which access is restricted to authorised personnel Firewalls
Devices and user stations are password protected Virus protection
Devices (laptops or otherwise) and user stations are safely secured by case lock or otherwise when not in use Password protection on devices are changed regularly
Servers are stored in access-controlled rooms Data is backed up
Security gate Protection of information stored on printers
Cameras
Access control (employee key card)
On site security guards
Safe storage of physical documentation
Discarded documentation is shredded
12 UPDATES TO THE MANUAL – Section 51(2)
The Private Body may update this manual every six months or from time to time as it may deem necessary.
SIGNED at on 20
THE HEAD OF THE PRIVATE BODY
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |