1. POLICY STATEMENT
1.1. Everyone has rights with regard to how their personal information is handled. During the course of its activities Kriel & Co will collect, store and process personal information about Kriel & Co staff, customers, suppliers and other third parties. Kriel & Co recognises the need to treat it in an appropriate and lawful manner.
2. RELEVANT DEFINITIONS
2.1. The following terms bear the meaning given to them here in this policy and its annexures:
2.1.1. “Child” is a human being under the age of 18 who has not been declared legally competent by a court.
2.1.2. "Data subjects" for the purpose of this policy include all living individuals and juristic persons about whom Kriel & Co holds personal information. All data subjects have legal rights in relation to their personal information.
2.1.3. “IO” means the information officer appointed as such by Kriel & Co in terms of section 56 of POPIA and who will have the ultimate responsibility to ensure that Kriel & Co complies with the provisions of POPIA.
2.1.4. "Operators" include any person who processes personal information on behalf of a responsible party. Employees of responsible parties are excluded from this definition, but it could include suppliers which handle personal information on Kriel & Co’s behalf.
2.1.5. "Personal information" means information relating to an identifiable, living, natural person, and (where applicable) an identifiable, existing juristic person, including the name, race, gender, marital status, address and identifying number of a person, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
2.1.6. “POPIA” means the Protection of Personal Information Act 4 of 2013.
2.1.7. "Processing" is any activity that involves use of personal information. It includes any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including -
2.1.7.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2.1.7.2. dissemination by means of transmission, distribution or making available in any other form; or
2.1.7.3. merging, linking, as well as restriction, degradation, erasure, or destruction of information.
2.1.8. “Processing conditions” are the 8 (eight) conditions for the lawful processing of personal information set out in Chapter 3 of POPIA.
2.1.9. “Regulator” means the Information Regulator established in terms of section 39 of POPIA.
2.1.10. “Responsible parties" are the people who or organisations which determine the purposes for which, and the manner in which, any personal information is processed. They have a responsibility to establish practices and policies in line with POPIA. Kriel & Co is the responsible party of all personal information used in its business.
2.1.11. "Special personal information" includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject (including images, lie detector and psychometric tests and fingerprints); or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
2.1.12. "Users" include employees whose work involves using personal information. Users have a duty to protect the information they handle by following Kriel & Co data privacy and data protection policies at all times.
3. ABOUT THIS POLICY
3.1. This policy applies to all users and will come into effect when POPIA becomes fully effective.
3.2. The types of information that Kriel & Co may be required to handle include details of current, past, and prospective employees, clients, suppliers, and others that Kriel & Co deals with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in POPIA and other regulations. POPIA imposes restrictions on how Kriel & Co may use that information.
3.3. POPIA applies to the automated or non-automated processing of personal information entered into a record in any form (provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof) by or for Kriel & Co.
3.4. This policy sets out Kriel & Co’s rules on personal information protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation, and destruction of personal information.
3.5. This policy may be amended at any time.
3.6. The IO is responsible for ensuring compliance with POPIA and with this policy. That post is held by Francois Kriel, (+27) 012 881 6533, firstname.lastname@example.org. Any questions or concerns about the operation of this policy should be referred in the first instance to the IO.
3.7. If you consider that the policy has not been followed in respect of personal information about yourself or others you should raise the matter with your line manager or the IO.
4. PURPOSE OF THE POLICY
4.1. The purpose of the policy is to establish management direction and high-level objectives for regulating the manner in which personal information is processed and to provide for remedies in cases where personal information is not handled accordingly. Further purposes of the policy include:
4.1.1. supplementing Kriel & Co policies and aligning them with South African laws;
4.1.2. compliance with the requirements of POPIA;
4.1.3. the identification and codification of documents and ensuring adequate protection and maintenance of accuracy of documents where required;
4.1.4. providing a set framework and unified policy regarding the methods and procedures for the retention and destruction of documents;
4.1.5. ensuring records that are no longer required or documents that are of no value are destroyed properly and in accordance with the data retention schedule; and
4.1.6. providing assistance to employees in understanding the requirements relating to the protection of personal information and the retention and destruction of documents.
5. PROCESSING CONDITIONS
5.1. Anyone processing personal information must comply with the following eight processing conditions:
5.1.1. Condition 1: Accountability;
5.1.2. Condition 2: Processing Limitation;
5.1.3. Condition 3: Purpose Specification;
5.1.4. Condition 4: Further Processing Limitation;
5.1.5. Condition 5: Information Quality;
5.1.6. Condition 6: Openness;
5.1.7. Condition 7: Security Safeguards; and
5.1.8. Condition 8: Data Subject Participation.
5.2. Condition 1: Accountability
5.2.1. Kriel & Co must ensure that the processing conditions are complied with.
5.2.2. Kriel & Co has appointed an IO to encourage and support Kriel & Co’s overall compliance with POPIA.
5.2.3. The IO is responsible for implementing personal information security measures, which will, among other things, address document retention, access to information and classification of data.
5.2.4. Kriel & Co will furthermore designate specific individuals to monitor compliance with information security standards within each business area.
5.2.5. Training or awareness sessions for employees on information security will be conducted on a regular basis.
5.3. Condition 2: Processing limitation
5.3.1. Personal information may only be processed lawfully and in a manner that does not infringe on the privacy of a data subject.
5.3.2. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.
5.3.3. There are a number of grounds that Kriel & Co may use in order to process personal information, including consent from the data subject or if it is necessary to protect the legitimate interests of Kriel & Co, the data subject or a third party to do so.
5.3.4. It is advisable to obtain voluntary, informed, and specific consent from data subjects, where possible, before collecting their personal information. This can be done by means of the data subject accepting and consenting to be bound by a privacy statement which sets out details as to how and why Kriel & Co processes a data subject’s personal information.
5.3.5. A data subject may withdraw consent at any time and such withdrawal of consent should be noted. A data subject may also object at any time on reasonable grounds, to the processing of its personal information, save if other legislation provides for such processing. Kriel & Co may then no longer process the personal information unless it has another lawful justification for doing so.
5.3.6. Generally, personal information must be collected from the data subject directly except in certain circumstances which may include if the data subject has made personal information public or if collection from another source is necessary.
5.4. Condition 3: Purpose specification
5.4.1. Personal information may only be collected for specific, explicitly defined and lawful reasons relating to the functions or activities of Kriel & Co, of which the data subject is (generally) made aware. Data subjects can be made aware of the reasons by means of a privacy statement published on Kriel & Co’s website and incorporated by reference in data-subject-facing documents, such as terms and conditions or onboarding forms.
5.4.2. Personal information will only be collected to the extent that it is required for the specific purpose and as a general rule notified to the data subject. Any personal information which is not necessary for that purpose will not be collected in the first place.
5.4.3. Records of personal information may only be kept for as long as necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
5.4.3.1. retention of the record is required or authorised by law;
5.4.3.2. the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
5.4.3.3. retention of the record is required by a contract between the parties thereto; or
5.4.3.4. the data subject or a competent person where the data subject is a child has consented to the retention of the record.
5.4.4. Personal information will therefore not be kept longer than is necessary for the purpose for which it was collected. This means that personal information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form or be de-identified as soon as reasonably practicable after Kriel & Co is no longer authorised to retain the record. For guidance on how long certain personal information is likely to be kept before being destroyed, contact the IO.
5.5. Condition 4: Further processing limitation
5.5.1. Further processing of personal information must be compatible with the purpose of collection.
5.5.2. Once collected, personal information will therefore, as a general rule, only be processed for the specific purposes notified to the data subject when the personal information was first collected or for any other purposes specifically permitted by POPIA. This means that personal information will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the personal information is processed, the data subject will be informed of the new purpose and consent will be obtained before any processing occurs. Where this is not possible, the IO should be consulted.
5.5.3. Where personal information is transferred to a third party for further processing, the further processing must be compatible with the purpose for which it was initially collected, unless the data subject has consented to such further processing or it is permitted in terms of POPIA.
5.6. Condition 5: Information quality
5.6.1. Kriel & Co must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary in light of the purpose for which such information is collected.
5.6.2. Information which is incorrect or misleading is not accurate, and steps will therefore be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date information will be destroyed.
5.6.3. The IO will develop processes for:
5.6.3.1. checking the accuracy and completeness of records containing personal information;
5.6.3.2. dealing with complaints relating to the timeliness and accuracy of personal information;
5.6.3.3. data subjects to periodically verify and update their personal information;
5.6.3.4. making individuals aware of these processes; and
5.6.3.5. monitoring and tracking updates to personal information.
5.6.4. The IO will furthermore put procedures in place to verify that records containing personal information remain relevant, accurate and up-to-date.
5.7. Condition 6: Openness
5.7.1. Kriel & Co must take reasonably practicable steps to ensure that the data subject is aware of:
5.7.1.1. the information being collected and, where the information is not collected from the data subject, the source from which it is collected;
5.7.1.2. the names and addresses of Kriel & Co;
5.7.1.3. the purpose for which the information is being collected;
5.7.1.4. whether or not the supply of the information by that data subject is voluntary or mandatory;
5.7.1.5. the consequences of failure to provide the information;
5.7.1.6. any particular law authorising or requiring the collection of the information;
5.7.1.7. where applicable, the fact that the responsible party intends to transfer the information to a country or international organisation and the level of protection afforded to the information by that country or international organisation;
5.7.1.8. any further information such as the recipient or category of recipients of the information, the nature or category of the information and the existence of the right of access to and the right to rectify the information collected;
5.7.1.9. the existence of the right to object to the processing of personal information; and
5.7.1.10. the right to lodge a complaint to the Regulator and the contact details of the Regulator.
5.7.2. The above can be set out in a privacy statement which is made available on Kriel & Co’s website.
5.7.3. By law all organisations in South Africa are required to have a PAIA manual which outlines to the public:
5.7.3.1. the categories of personal information collected by Kriel & Co;
5.7.3.2. the purpose for which Kriel & Co processes personal information;
5.7.3.3. a description of the categories of data subjects and of the information or categories of information relating thereto;
5.7.3.4. the recipients or categories of recipients to whom the personal information may be supplied;
5.7.3.5. planned transborder flows of personal information; and
5.7.3.6. a general description of information security measures to be implemented by Kriel & Co.
5.8. Condition 7: Security safeguards
5.8.1. Kriel & Co will keep all personal information secure against the risk of loss, unauthorised access, interference, modification, destruction, or disclosure and conduct regular risk assessments to identify and manage all reasonably foreseeable internal and external risks to personal information under its control.
5.8.2. Kriel & Co will secure the integrity of the personal information under Kriel & Co’s control.
5.8.3. In order to protect personal information Kriel & Co has implemented the Worldwide Policies on Information Asset Protection.
Duty in Respect of Operators
5.8.4. Operators (i.e., third parties which may process personal information on behalf of Kriel & Co) include call centres, outsourced payroll administrators, marketing database companies, recruitment agencies, psychometric assessment centres, document management warehouses, external consultants and software providers.
5.8.5. Kriel & Co will implement the following key obligations in respect of operators:
5.8.5.1. The operator may not process personal information on behalf of Kriel & Co without the knowledge and authorisation of Kriel & Co;
5.8.5.2. Kriel & Co will ensure that the operator implements the security measures required in terms of Condition 7: Security Safeguards;
5.8.5.3. There will be a written contract in place between Kriel & Co and the operator which requires the operator to maintain the confidentiality and integrity of personal information processed on behalf of Kriel & Co; and
5.8.5.4. If the third party is located outside of South Africa, Kriel & Co will comply with the requirements in POPIA in respect of transborder transfers of personal information.
Duties in Respect of Security Compromises
5.8.6. In the event that personal information has been compromised, or if there is a reasonable belief that a compromise has occurred, Kriel & Co (or an operator processing personal information on its behalf) will notify the Information Regulator and the relevant data subjects (if their contact details are available).
5.8.7. Kriel & Co’s Security Compromises Policy deals with the steps to be followed if a security compromise occurs.
5.9. Condition 8: Data subject participation
Request for Information
5.9.1. Kriel & Co recognises that a data subject has the right to request Kriel & Co to confirm, free of charge, whether or not it holds personal information about the data subject and request Kriel & Co to provide a record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information at a prescribed fee.
5.9.2. All users will comply with Kriel & Co’s Subject Access Request Policy and PAIA manual in respect of any access to personal information requests by data subjects.
Request to Correct or Delete
5.9.3. The data subject may request the IO to:
5.9.3.1. correct or delete personal information relating to the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading, or obtained unlawfully; or
5.9.3.2. destroy or delete a record of personal information about the data subject that Kriel & Co is no longer authorised to retain.
5.9.4. There are prescribed forms to be completed by the data subject to exercise these rights and they are included in Kriel & Co’s PAIA manual.
5.9.5. Kriel & Co will provide credible proof to the data subject of the action that has been taken in response to the request.
5.9.6. If any changes to the personal information will have an impact on any decisions to be made about the data subject, Kriel & Co will inform all third parties to whom the information has been disclosed, including any credit bureaus, of such changes.
6. SPECIAL PERSONAL INFORMATION AND INFORMATION OF CHILDREN
6.1. Kriel & Co must be extra careful if it processes special personal information or information of children. As a general rule consent is required (and consent in respect of a child must be obtained from the parent or guardian) if there is no law in place that obliges Kriel & Co to process such information, such as the Employment Equity Act, 1998.
6.2. Examples of when special personal information of users is likely to be processed are set out below:
6.2.1. information about an employee's physical or mental health or condition in order to monitor sick leave and take decisions as to the employee's fitness for work;
6.2.2. the employee's racial or ethnic origin or religious or similar information in order to monitor compliance with employment equity legislation;
6.2.3. the use of CCTV camera footage;
6.2.4. internal forensic investigations; and
6.2.5. in order to comply with legal requirements and obligations to third parties.
7.1. Kriel & Co must obtain prior authorisation from the Regulator on a once-off basis prior to any processing if it plans to -
7.1.1. process any unique identifiers (defined as “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”) of data subjects –
7.1.1.1. for a purpose other than the 1 (one) for which the identifier was specifically intended at collection; and
7.1.1.2. with the aim of linking the information together with information processed by other responsible parties;
7.1.2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
7.1.3. process information for the purposes of credit reporting (such as a credit bureau); or
7.1.4. transfer special personal information or the personal information of children under 18 (eighteen) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
7.2. The procedures to apply for such prior authorisation are set out at https://www.justice.gov.za/inforeg/docs/InfoRegSA-Invite-PriorAuthorisation-20210311.pdf.
8. FAIR AND LAWFUL PROCESSING
8.1. POPIA is intended not to prevent the processing of personal information, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
8.2. For personal information to be processed lawfully, certain requirements have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the responsible party or the party to whom the personal information is disclosed. In most cases when special personal information is being processed, the data subject's explicit consent to the processing of such information will be required.
8.3. Personal information about users may be processed for legal, personnel, administrative and management purposes and to enable the responsible party (i.e. Kriel & Co) to meet its legal obligations as an employer, for example to pay users, monitor their performance and to confer benefits in connection with their employment.
8.4. Personal information about customers, suppliers and other third parties may be processed for the purposes set out in Kriel & Co’s PAIA manual [and privacy statement].
9. TRANSBORDER TRANSFERS OF PERSONAL INFORMATION
9.1. Kriel & Co may not transfer personal information about a data subject to a third party who is in a foreign country unless:
9.1.1. the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that:
9.1.1.1. effectively upholds principles for reasonable processing of the information that are substantially similar to the Processing Conditions; and
9.1.1.2. includes provisions, that are substantially similar to those of POPIA, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
9.1.2. the data subject consents to the transfer;
9.1.3. the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request (in which case information is, in some instances, transferred securely to the United States of America and New Zealand, where the headquarters of the cloud service providers Kriel & Co utilises for its internal systems and processes are based);
9.1.4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
9.1.5. the transfer is for the benefit of the data subject, and -
9.1.5.1. it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
9.1.5.2. if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
10. DIRECT MARKETING
10.1. At the outset it should be noted that POPIA draws a distinction between direct marketing by means of unsolicited electronic communications and direct marketing in person or by mail or telephone. Several provisions in POPIA draw a distinction between these two types of marketing.
10.2. "Direct marketing", as defined in POPIA, means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
10.2.1. promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
10.2.2. requesting the data subject to make a donation of any kind for any reason.
10.3. "Electronic communication", in turn, is defined as "[a]ny text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient's terminal equipment until it is collected by the recipient" (our emphasis).
10.4. When Kriel & Co does direct marketing, it must provide data subjects with an opt-out. In addition, electronic direct marketing is stringently regulated under POPIA. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines (i.e., machines that are able to make automated calls without human intervention), facsimile machines, SMSs or e-mail, is prohibited unless the data subject:
10.4.1. has given his, her or its consent to the processing in the prescribed manner and form set out in regulation 6 of the POPIA Regulations; or
10.4.2. is a customer of Kriel & Co, as defined in section 69 of POPIA.
11. MONITORING AND REVIEW OF THE POLICY
This policy is reviewed regularly by the IO to ensure it is achieving its stated objectives.