Protection of Personal Information policy

1. INTRODUCTION

CG McCreesh and Associates (Pty) Ltd (“the Company”) is a private company, duly incorporated in terms of South African law and registered with the Companies and Intellectual Property Commission (company registration number 2013/192776/07).

The Protection of Personal Information Act 4 of 2013 (“POPIA”) regulates the lawful collection, storage, usage, handling, processing, transfer, retention, archiving and disposal of a Data Subject’s Personal Information (see definitions below).

As part of its business functions, the Company collects and processes Personal Information, as defined in POPIA.

The Company is responsible to collect, store, use, handle, process, transfer, retain, archive, and otherwise manage Personal Information in a lawful, legitimate, and responsible manner in accordance with the provisions set out in POPIA.

The purpose of the POPI Policy is to set out the procedures and processes to manage the collection, processing, and deletion of Personal Information, to manage all the risks associated therewith and to ensure compliance with POPIA.

The POPI Policy demonstrates the Company’s commitment to protecting the privacy rights of Data Subjects in the following manner:

  • Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.

  • By cultivating an organisational culture that recognises privacy as a valuable human right.

  • By developing and implementing internal controls for the purpose of managing the compliance risks associated with the protection of Personal Information.

  • By creating business practices that will provide reasonable assurance that the rights of Data Subjects are protected and balanced with the legitimate business needs of the organisation.

  • By assigning specific duties and responsibilities to management and employees, including the appointment of an Information Officer and Deputy Information Officer in order to protect the interests of the Company, its clients and 3rd party service providers.

  • By raising awareness through training and providing guidance to all employees who process Personal Information so that they can act correctly, confidently, and consistently.

Failing to comply with POPIA could potentially damage the Company’s reputation or expose the Company to civil claims for damages. The protection of Personal Information is therefore every employee’s responsibility.

The Company will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the necessary awareness and training of its employees and encouragement of desired behaviour.

The Company will take appropriate steps, when necessary, which may include disciplinary action, against those employees who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.

2. DEFINITIONS

The following definitions are those set out or referenced in POPIA itself and are applied throughout this policy, unless the context indicates a contrary meaning:

“Child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;

“Consent” means any voluntary, specific, and informed expression of will in terms of which permission is given for the collection and processing of Personal Information;

“Data Subject” means the person to whom Personal Information relates;

“De-identify”, in relation to Personal Information of a Data Subject, means to delete any information that:

  • identifies the Data Subject;

  • can be used or manipulated by a reasonably foreseeable method to identify the Data Subject; or

  • can be linked by a reasonably foreseeable method to other information that identifies the Data Subject;

“Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:

  • promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject; or

  • requesting the Data Subject to make a donation of any kind for any reason;

“Electronic Communication” means any text, voice, sound, or image message sent over an electronic communications network which is stored in the network or in The Recipient’s terminal equipment until it is collected by The Recipient;

“Information Officer” of, or in relation to, a private body means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act;

“Information Regulator” means the independent regulatory body having jurisdiction throughout South Africa, and having been established in terms of section 39 of POPIA to perform certain functions under both POPIA and Promotion of Access to Information Act (PAIA);

“Person” means a natural person or a juristic person;

“Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

  • information relating to the education or the medical, financial, criminal or employment history of the person;

  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;

  • the biometric information of the person;

  • the personal opinions, views, or preferences of the person;

  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

  • the views or opinions of another individual about the person; and

  • the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;

“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval;

  • alteration, consultation, or use;

  • dissemination by means of transmission, distribution or making available in any other form; or

  • merging, linking, as well as restriction, degradation, erasure, or destruction of information;

“Promotion of Access to Information Act” and “PAIA” mean the Promotion of Access to Information Act 2 of 2000, together with Regulation 187 of 15 February 2002 as amended to 1 June 2007;

“Protection of Personal Information Act” and “POPIA” means the Protection of Personal Information Act 4 of 2013, together with any and all Regulations that may in the future be promulgated thereunder;

“Public Record” means a record that is accessible in the public domain, and which is in the possession of or under the control of a public body, whether or not it was created by that public body;

“Record” means any recorded information:

  • regardless of form or medium, including any of the following:

    • writing on any material;

    • information produced, recorded, or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded, or stored;

    • label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

    • book, map, plan, graph, or drawing;

    • photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;

  • in the possession or under the control of a responsible party;

  • whether or not it was created by a responsible party; and

  • regardless of when it came into existence;

“Regulator” means the Information Regulator established in terms of section 39;

“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information, in this document, being the company CG McCreesh and Associates (Pty) Ltd, and all its associated and holding companies and associated business units and divisions;

“Restriction” means to withhold from circulation, use or publication of any Personal Information that forms part of a filing system, but not to delete or destroy such information;

“Special Personal Information” means Personal Information as referred to in section 26 of POPIA concerning:

  • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or

  • the criminal behaviour of a Data Subject to the extent that such information relates to:

    • the alleged commission by a Data Subject of any offence; or

    • any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings;

“Unique Identifier” means any identifier that is assigned to a Data Subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that Data Subject in relation to that responsible party.

3. PRINCIPLES OF POPI

POPIA creates nine actionable rights for South African citizens (Data Subjects), listed as follows:

  • Right to be notified about collection and processing of Personal Information.

  • Right to access Personal Information.

  • Right to request correction of Personal Information.

  • Right to request deletion of Personal Information.

  • Right to object to the processing of Personal Information.

  • Right not to have Personal Information processed for the purpose of direct marketing by means of unsolicited electronic communications.

  • Right to not be subject to a decision which results in legal circumstances based solely on automated processing.

  • Right to complain to the Information Regulator.

  • Right to effect judicial remedy.

POPIA creates eight conditions for lawful data processing, in which the consent of the Data Subject is central, i.e.,

  • Accountability (processing is lawful and done in a non-privacy infringing way).

  • Processing limitation (processing only for the given purpose).

  • Purpose specification (specific purpose must be explicitly defined).

  • Further processing limitation (additional processing must still be in accordance with original purpose that the end-user gave their consent to).

  • Information quality (make sure that the data is complete, accurate and updated).

  • Openness (Data Subject aware of all Personal Information collected, documentation of all processing operations).

  • Security safeguards (must ensure protection and confidentiality of Personal Information).

  • Data Subject participation (Data Subject can exercise their rights to access, correct and delete their data).

POPIA prescribes specific authorisation and conditions precedent required for the processing of Personal Information relating to minors.

At all times, the Company will endeavour to ensure that the Data Subject’s rights and conditions for lawful data processing, as detailed in POPIA, are adhered to.

4. COLLECTION OF PERSONAL INFORMATION

The Company will approach all identified Data Subjects, in writing, to obtain their consent for the collection and processing of their Personal Information and explain the purpose therefor.

The purpose for the collection of Personal Information is to enable the Company:

  • To comply with lawful obligations, including amongst others, all applicable labour, tax, and financial legislation such as:

    • The South African Companies Act 71 of 2008;

    • The Tax Administration Act 28 of 2011;

    • The National Credit Act 34 of 2005;

    • The Broad Based Black Economic Empowerment laws (B-BBEE);

    • Basic Conditions of Employment Act 75 of 1997;

    • Employment Equity Act 55 of 1998; and

    • Income Tax Act 58 of 1962.

  • To give effect to a contractual relationship between the Company and the Data Subject;

  • To conduct its business operations; and

  • To protect the legitimate interests of the Company, the Data Subject and/or any third parties.

The process of collecting Personal Information will include, amongst others, the following:

  • From written requests, including e-mail.

  • From application forms, either online or hard copy, regarding any of the Company’s services or opportunities.

  • From the submission of identity documents, driver’s licenses, passports, utility bills, bank statements, etc., by Data Subjects for FICA and other regulatory requirements.

  • From public platforms, such as social media, internet portals, etc.

The purpose of holding Personal Information is to enable the Company to provide services to Data Subjects, which will include amongst others the following:

  • Fulfilling contractual obligations.

  • Sending communications.

  • Updating records, including contact details.

  • Answering enquiries and providing information or advice on existing or new services.

  • Processing and responding to complaints.

  • Meeting legal obligations under relevant legislation, as envisaged above.

  • Complying with any other law, rule, regulation, lawful and binding determination, decision, or direction of a regulator, or where a government authority makes recommendations which the Company must or elects to follow.

Special Personal Information will not be collected and processed by the Company unless it is required in terms of the provisions of POPIA, Section 27.

In all such instances the authorisation of the Information Officer must be obtained before any collection or processing takes place.

Personal Information regarding a child will not be collected and processed by the Company unless it is required in terms of the provisions of POPIA, Section 35.

In all such instances the authorisation of the Information Officer must be obtained before any collection or processing takes place.

5. CONFIDENTIALITY UNDERTAKING

All Personal Information provided to the Company will only be used for the purposes set out above.

The Company will not share, sell, or disclose any Personal Information other than as described in this policy.

The Company may, depending on particular business needs, disclose Personal Information to any of the following:

  • The Company’s employees.

  • Financial services product providers, for the purposes of the particular business need.

  • Third parties, in order to fulfil clients’ requests.

  • IT systems administrators.

  • Professional advisors such as tax and accounting service providers.

  • Regulators with statutory responsibilities to regulate areas of the Company’s business.

  • Law enforcement agencies.

  • Any other legitimate request for an authorised purpose, with the Data Subject’s consent.

In some instances, the Company may be required to disclose Personal Information without the Data Subject’s consent. Specific instances where this may occur include, amongst others, the following:

  • When required or authorised by law.

  • When required to produce records or documents by a warrant or court order.

6. WITHHOLDING CONSENT TO COLLECT AND PROCESS PERSONAL INFORMATION

All Data Subjects are within their rights to withhold consent to the Company collecting and processing their Personal Information.

In the event that consent to providing the Company with Personal Information is withheld, the Company may not be able to engage with the Data Subject or enter into an agreement or business relationship.

Any instances where consent is withheld must be referred to the Information Officer.

7. STORAGE OF PERSONAL INFORMATION

Personal Information supplied to and stored by the Company can be in any of the following formats:

  • Hard copy – paper based documents.

  • Soft copy – electronic information, stored on computers, memory sticks, electronic devices (e.g., mobile phones), or on servers.

Any Personal Information provided to the Company will be held and stored securely for the purpose for which it was collected.

The secure storage facilities for all the Personal Information will be checked regularly by the Company to ensure compliance with required security and privacy standards.

The Personal Information contained in soft copies will be stored electronically on a Google Workspace secure server.

When Personal Information is stored on the server it is protected by using transport layer security (TLS) encryption.

Only secure access is permitted to the server.

All laptop and desktop computers will be password protected, and passwords will be tested to ensure they are of sufficient strength.

All laptop and desktop computers must have the auto lock facility enabled.

No Personal Information will be stored unencrypted on any laptop or desktop computer.

No Personal Information may be downloaded onto mobile phones, tablets, external hard drives, or memory sticks.

The Personal Information contained in hard copies will be stored and retained safely under lock and key.

Access to the Company’s premises is restricted and controlled via a biometric access system and camera surveillance.

All e-mail and internet connections must be through an Exchange encrypted client or via OWA/HTTPS.

8. RETENTION, ARCHIVING AND DESTRUCTION OF PERSONAL INFORMATION

Personal Information will not be retained for longer than is necessary for achieving the purpose for which it was collected and subsequently processed and will be destroyed and/or deleted when appropriate.

The exceptions to the above principle specifically provided in POPIA are where:

  • the retention of the record is required or authorised by law;

  • the Company reasonably requires the record for lawful purposes related to its functions or activities;

  • the retention of the record is required in terms of an agreement between the Company and a service provider; or

  • the record is retained for historical purposes, with the Company having established appropriate safeguards against the record being used for any other purpose.

When the Company is no longer authorised to retain Personal Information, it shall destroy or delete such Personal Information or records of Personal Information or de-identify them in a manner that prevents their reconstruction in an intelligible form.

9. DISCLOSURE AND TRANSFER OF PERSONAL INFORMATION TO OTHERS

As a general principle no Personal Information will be disclosed to any 3rd parties without the written consent of the concerned Data Subjects.

Should business needs so dictate, the Company may from time-to-time transfer and/or disclose Personal Information to other parties, including its group companies or subsidiaries, joint venture companies, and/or approved third party product and service providers.

Such disclosure shall always be subject to a written agreement concluded between the Company and such other person (“The Recipient”) obligating The Recipient to comply with strict confidentiality, with all the information security conditions and provisions as contained in the Company POPI Policy.

Any requests from 3rd parties for Personal Information stored by the Company must be referred to the Information Officer.

10. TRANSFER OF PERSONAL INFORMATION OUTSIDE OF SOUTH AFRICA

The Company may be required to transfer Personal Information outside of the borders of South Africa, depending on the business needs.

If the Company transfers Personal Information outside of the South African borders it undertakes to transfer only to a recipient in a country that has in place similar privacy laws to POPIA or has binding corporate rules or binding agreements that provide the necessary privacy protection.

The requirements of POPIA Chapter 9, Section 72 will be adhered to at all times.

11. RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL INFORMATION

All Data Subjects have the right to have their Personal Information processed in accordance with the eight conditions of lawful processing of Personal Information as set out in POPIA.

In terms of Section 11(3) of POPIA and in the prescribed manner, they also have the right, unless legislation provides for such processing, to object at any time to the Company processing their Personal Information, on reasonable grounds and relating to a particular situation.

On receipt of any notice of objection together with the reasons therefor, the Company is responsible to place any further processing of that Data Subject’s Personal Information on hold until the reason for the objection has been addressed and either:

  • the objection is resolved and withdrawn, or

  • the objection is upheld and accepted by the Company.

In the event that the objection is upheld, no further processing of that Data Subject’s Personal Information shall be done by the Company.

Data Subjects also have the right to submit a complaint directly to the Information Regulator in terms of Section 74 of POPIA, alleging interference with the protection of their Personal Information.

12. RIGHT TO WITHDRAW CONSENT FOR THE PROCESSING OF PERSONAL INFORMATION

In terms of Section 11(2) of POPIA, Data Subjects have the right to withdraw their consent to the Company processing their Personal Information.

This withdrawal is on the proviso that the lawfulness of the processing of their Personal Information before such withdrawal, if the processing is necessary to carry out actions for the conclusion or performance of a contract to which they are a party, will not be affected.

13. RIGHT TO ACCESS PERSONAL INFORMATION

Data Subjects have the right at any time to request the Company to provide them with:

  • The details of any of their Personal Information that the Company holds, including any record relating to their Personal Information; and

  • The details of the manner in which the Company has used and processed their Personal Information.

Such request shall be made in writing to the Information Officer of the Company.

The Data Subject shall make the request in terms of Section 53 of PAIA and specifically, as set out in Form C of the PAIA Regulations of 2002 as amended, which standard PAIA Form is available on request from the Information Officer of the Company.

14. RIGHT TO REQUEST CORRECTION, DESTRUCTION OR DELETION

Data Subjects have the right to request the Company, where necessary, to correct and/or delete their Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

Data Subjects also have the right to request the Company to destroy or to delete a record of their Personal Information that the Company is no longer authorised to retain.

Upon receiving either of the requests as set out above, the Company is responsible to follow the process as set out in Section 24 of POPIA, which deals specifically with the correction of Personal Information.

15. ACCURACY OF INFORMATION

POPIA requires that all Personal Information and related details as supplied by Data Subjects are complete, accurate and up to date. Whilst the Company will always use its best endeavours to ensure that their Personal Information is reliable, it is the Data Subject’s responsibility to advise the Company of any changes to their Personal Information, as and when these changes may occur.

16. DIRECT MARKETING, ADVERTISING AND PROMOTIONAL ACTIVITIES

The Company undertakes not to further process any Personal Information for the purpose of marketing to Data Subjects any third-party products or other optional products.

Notwithstanding the above, the Company, including its associated and holding companies, may further process Personal Information for the purpose of providing Data Subjects with market news and/or the Company’s own products and services.

Should Data Subjects not wish to receive such communications from the Company, they will be provided with an opportunity to opt out of receiving any such communication.

The Company will maintain a register of all Data Subjects who have opted out of receiving any communication and/or marketing material.

17. INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER

The Company Information Officer’s details are as follows:

Name: Cormac McCreesh

1st floor N/E Block

5 Wessels Road

Rivonia

Johannesburg

Gauteng

2128

Tel: 081 529 1864

The Information Officer’s duties and responsibilities will include all aspects as outlined and described in the following documents:

  • POPIA Part B, Section 55

  • “Guidance Note on Information Officers and Deputy Information Officers”, as published by the Information Regulator on April 1st, 2021