1. Background to POPIA
POPIA is South Africa's primary data protection law.
The purpose of POPIA is to promote the protection of Information that is Processed by any Person, by prescribing certain minimum requirements for the Processing of Information.
These minimum requirements must be met in order for a Person to Process Information and include those requirements set forth in clause 4 of this Policy.
It is the policy of the Company that it will comply with the minimum requirements set forth in clause 4 of this Policy at all times.
2. Minimum Requirements for Processing Information
In order for the Company to Process Information in a manner which is consistent with POPIA, the Company must:
Process the Information lawfully and in a reasonable manner that does not infringe the right to privacy of the Person whose Information is being Processed;
Process the Information for a specific, explicitly defined and lawful purpose related to a function or activity of the Company;
Process the Information only if, given the purpose for which it is Processed, it is adequate, relevant and not excessive and if:
the Person whose Information will be Processed has consented to its Information being Processed;
it is necessary to Process the Information to carry out actions for the conclusion or performance of a contract to which the Person whose Information will be Processed is a party; or
it is necessary to Process the Information to comply with an obligation imposed by law on the Company or to protect a legitimate interest of the Company and/or the Person whose Information will be Processed;
take reasonable steps to ensure that the Person whose Information will be Processed is aware of the Information that will be Processed, the source from which that Information will be collected and the purpose for which that Information will be Processed;
take reasonable steps to ensure that the Information that is Processed is complete, accurate, not misleading and updated where necessary;
take reasonable technical and organisational measures to secure the integrity and confidentiality of Information that is Processed so as to prevent the loss, damage or unauthorised destruction of Information and the unlawful access to or Processing of Information; and
take reasonable steps to ensure that the Person whose Information will be Processed is aware of its rights in and to its Information.
3. The Purpose for Processing
The Company will Process Information for the purpose for which it is received by the Company, save that the Company will by means of the awareness and consent measures contemplated in this Policy, where appropriate and permissible, seek and obtain from its Stakeholders consent to a particular qualitatively and quantitatively circumscribed purpose which will facilitate the Processing by the Company of the Information.
The Company will seek and obtain from its Stakeholders consent for the Company collecting Information from its Stakeholders and where necessary from any other source for the purpose of the Company conducting and furthering its business interests in general, and including, without limitation, for the purpose of executing any rights and obligations that it may have in relation to a Stakeholder or any matter in respect of which a Stakeholder and/or the Information applies, and the maintenance of reasonable, accurate and complete historical record keeping.
4. Source of Information
The Company will only Process Information that it receives directly from a Stakeholder, save where:
the Information is public record or has deliberately been made public by the Stakeholder;
the Stakeholder has consented to the collection by the Company of the Information from another source;
the collection of Information from a source other than the Stakeholder would not prejudice a legitimate interest of the Stakeholder, is necessary to maintain or comply with an obligation imposed on the Company by law or to maintain the legitimate interests of the Company or the Information will be used for legal proceedings;
it is not reasonably practicable in the circumstances of the particular case to collect the Information directly from a Stakeholder, or to do so would prejudice a lawful purpose of the collection; or
it has received the consent of a Stakeholder to Process Information about that Stakeholder that it receives from another source, in which event it may Process Information about a Stakeholder that it receives from another source.