MRS SOUTH AFRICA PTY LTD PROTECTION OF PERSONAL INFORMATION ACT (POPI ACT)
The purpose of the act is to prevent the misuse of personal information pertaining to individuals and entities. A critical element of the Act that specifically would apply to Mrs South Africa Pty Ltd is the lawful use and processing of data.
“Data Processing” is the term that refers to all operations or activities pertaining to the use of personal information, including three different areas of data processing: the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of the personal information; the dissemination of personal information by means of transmission, distribution or any other form utilised in making the data available; and the merging, linking, restriction, degradation, erasure or destruction of the personal information.
Processing involves everything to do with the use of the data, which is obtained with consent, from when the organisation obtains the information to when the information is destroyed because it is no longer needed. This means that processing data covers the entire lifecycle of the information within the organisation from start to finish. When the information must be destroyed is determined by when it is no longer needed for its relevant purposes, as well as by when the law requires its destruction.
Mrs South Africa Pty Ltd ensures compliance by having created a framework that includes processes and policies. A thorough gap analysis has been conducted, and processes and policies have been put in place, such as a personal information sharing policy, a security compromise policy and a subject access request policy, amongst others. Mrs South Africa Pty Ltd has automated systems in place that not only allow it to define its data management privacy policies, but also enable it to measure compliance with those policies.
Lastly, Mrs South Africa Pty Ltd has implemented adequate communication and training within its company structure with regard to all policies and procedures that are required to ensure POPI Act compliance. Mrs South Africa Pty Ltd has made POPI "Business-As-Usual" by incorporating compliance into its services and processes and adopting a "Privacy By Design" offering that is suitable for diverse stakeholder groups.
The POPI Act outlines 8 (eight) conditions for data processing compliance which Mrs South Africa Pty Ltd adheres to in all aspects of the business:
1.1. Accountability
Mrs South Africa Pty Ltd holds this responsibility and is able to prove full compliance with the requirements outlined by the Act.
1.2. Processing Limitation
Mrs South Africa Pty Ltd ensures that all data is obtained directly from the data subject with the required consent. Event Options further provides the data subject with a detailed explanation of what the data will be used for, as well as whether it will be used by third parties in the execution of the services required. Only the most essential information is obtained by Mrs South Africa Pty Ltd.
1.3. Data must be Purpose-Specific
Mrs South Africa Pty Ltd does not obtain additional or irrelevant data. The company guarantees that the purpose and reason for obtaining the information will be made explicit, and the processing of the data for its specific purpose will be well documented.
1.4. The Further Processing Limitation
This condition inhibits Mrs South Africa Pty Ltd from processing information for a secondary purpose. This is only allowable if it can be proven that the secondary purpose is compatible with the original intent for the data. Again, Mrs South Africa Pty Ltd offers full transparency regarding the purpose for usage of all data obtained from their clients.
1.5. Information Quality
This pertains to Mrs South Africa Pty Ltd ensuring that the information obtained from clients is correct, complete and in no way misleading. Mrs South Africa Pty Ltd guarantees this condition has been met throughout various completed projects.
1.6. Openness
In addition to the data subject providing consent and being informed of the purpose for the data, Mrs South Africa Pty Ltd provides the name and number of the responsible individual within the organisation to the subject/client. The data subject must be informed that they have the right to complain to the Information Regulator if they suspect any misuse of the information. Mrs South Africa Pty Ltd adheres to and is fully compliant with this condition.
1.7. Security Safeguards
This entails the processes and strategies that must be put in place to ensure that data is kept private and secure. Email security is a key consideration for these security safeguards, because email is more than a communication mechanism or an archive of semi-structured data: it is the most targeted vector for most organisations, with 9 out of 10 cyber-attacks starting with email.
In order to ensure that Mrs South Africa Pty Ltd is sufficiently enabled to comply with the provisions of POPIA, the company has regulatory, cyber security, and data management and analytics representation to ensure alignment with the key aspects of POPIA. Mrs South Africa Pty Ltd has done its due diligence and conducted full risk assessments that evaluated its processes, and has made sure to find the best and most suitable technological solutions and services to assist in the storage, security and management of all its client data.
1.8. Data Subject Participation
The data subject has the right to withdraw or change information at any time. They also have the right to request that the organisation, Mrs South Africa Pty Ltd, show them what personal information about them is being held. Mrs South Africa Pty Ltd is compliant with this condition, aware of and in agreement that it does not have the right to refuse such a request.
2. PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013
- Mrs South Africa Pty Ltd ("The Company") is obliged to comply with the Protection of Personal Information Act 4 of 2013 ("POPI").
- POPI requires the Company to inform its clients of the manner in which their personal information is used, disclosed and destroyed.
- This Policy sets out the manner in which the Company deals with its clients' personal information and stipulates the purposes for which the said information is used. The Policy is available on request from the Company.
- The objective of this Policy is to protect the Company's information assets from threats. This Policy establishes a general standard for the appropriate protection of personal information within the Company and provides principles regarding the right of individuals to privacy and to reasonable safeguards for their personal information.
- For the purposes of this Policy, a client shall include any user of the platform.
2.2. PERSONAL INFORMATION COLLECTED
- Section 9 of POPI states that “Personal Information must be processed lawfully and in a reasonable manner that does not infringe the privacy of a data subject.”
- The Company collects and processes personal information of users of its platform. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Examples of personal information the Company will collect include:
2.2.1. Email addresses;
2.2.2. Identity numbers;
2.2.3. Telephone numbers; and
2.2.4. Client biographical data.
- The Company may collect and process the client's personal information but will only do so with the express consent of the data subject or when permitted or required to do so in terms of law.
- The Company shall endeavour to have agreements in place with all suppliers who may receive the personal data of the data subject to ensure that the service provider complies with the requirements of POPI.
2.3. THE USAGE OF PERSONAL INFORMATION
- The client’s personal information will only be used for the purpose for which it was collected and as agreed upon with the client. This may include:
- Providing products or services to clients and carrying out the transactions requested;
- Confirming, verifying and updating client details;
- Conducting market or customer satisfaction research;
- For record keeping purposes;
- In connection with legal proceedings;
- Providing communication in respect of the Company that may affect clients; and
- To comply with legal and regulatory requirements or when it is otherwise allowed by law.
- According to Section 10 of POPI, personal information may only be processed under the following circumstances:
2.3.1 The client consents to the processing;
2.3.2 The processing is necessary;
2.3.3 Processing complies with an obligation imposed by law on the Company;
2.3.4 Processing protects a legitimate interest of the client;
2.3.5 Processing is necessary for pursuing the legitimate interests of the Company or of a third party to whom information is supplied.
- In order to provide the Company's clients with products and/or services, the Company and any of its product suppliers require certain personal information from the clients.
2.4. DISCLOSURE OF PERSONAL INFORMATION
2.4.1 The Company may disclose a client's personal information to any of its companies or subsidiaries, joint venture companies and/or approved third-party service providers whose services or products clients elect to use. The Company has agreements in place to ensure compliance with confidentiality and privacy conditions.
2.4.2 The Company may share client personal information with and obtain information about clients from third parties for the reasons already discussed above.
2.4.3 The Company may also disclose a client’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary in order to protect the Company’s rights.
2.5. SAFEGUARDING CLIENT INFORMATION
2.5.1 It is a requirement of POPI to adequately protect personal information. The Company will continuously review its security controls and processes to ensure that personal information is secure.
- The following procedures are in place in order to protect personal information:
2.5.2. The Company Information Officer is responsible for compliance with the conditions for the lawful processing of personal information and the other provisions of POPI;
2.5.3. The Company Information Officer is to ensure the development and upkeep of this policy;
2.5.4. The Company Information Officer is to ensure that the policy is supported by appropriate documentation and that such documentation is kept up to date;
2.5.5. The Company Information Officer will ensure that this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable;
2.5.6. The Company Information Officer will ensure that this policy has been implemented within the Company;
2.5.7. Each new employee will be required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPI;
2.5.8. Every employee currently employed within the Company will be required to sign an addendum to their employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPI;
2.5.9. The Company's archived client information is stored off-site. The Company has ensured that all third-party suppliers have satisfied the minimum requirements as set out in POPI and all further requirements that this policy contains; and
2.5.10. The Company's suppliers, insurers and other third-party service providers will be required to sign an agreement guaranteeing their commitment to the protection of personal information.
2.6. CONSENT
- The Company shall obtain consent from the client, or from a person who has been authorised by the client, to process the client's information.
- Consent will be deemed to have been given by any freely given, specific, informed and unambiguous indication of the client's wishes by which the client, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal information.
2.7. ACCESS AND CORRECTION OF PERSONAL INFORMATION
- Clients have the right to access their personal information held by the Company.
- Clients also have the right to ask the Company to update, correct or delete their personal information on reasonable grounds.
- Once a client objects to the processing of their personal information, the Company may no longer process said personal information.
- The Company will take all reasonable steps to confirm its clients’ identity before providing details of their personal information or making changes to their personal information.
2.8. COMPANY INFORMATION OFFICER
- The details of the Company’s Information officer are as follows: Joani Johnson, email@example.com
- The Company’s Information officer, employees and key individuals undertake to adhere to the following principles:
- To obtain clients’ consent to process their personal information;
- To provide transparency with regards to the procedures governing the collection and processing of personal information;
- To comply with all regulatory requirements regarding the collection and processing of personal information;
- To collect and process personal information only by lawful means, in a manner compatible with the purpose for which it was collected;
- To inform clients when personal information is collected about them;
- To treat sensitive personal information with the utmost care;
- To endeavour to keep personal information accurate and complete;
- To provide individuals with the opportunity to access the personal information relating to them and, where applicable, to comply with requests to correct, amend or delete personal information;
- To share personal information with third parties only when strictly necessary and with a reasonable assurance that the recipient has its own privacy and security protection controls in place for protection of personal information;
- To develop reasonable safeguards against risks such as unauthorized access, use or disclosure of personal information;
- To comply with any requirements in the event that information is exchanged through international borders.
3. AMENDMENTS TO THIS POLICY
3.1. Amendments to, or a review of this Policy, will take place on an ad hoc basis or at least once a year. Clients are advised to refer to the Company’s website periodically to keep abreast of any changes.
4.1. The management and Information Officer of the Company are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes.
The Company's key individuals, representatives and staff are to be trained, according to their functions, in the regulatory requirements, policies and guidelines that govern the protection of personal information. The Company will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy regulations, policy and guidelines.
5. OPERATING CONTROLS
5.1. The Company shall establish appropriate privacy standard operating controls that are consistent with this policy and regulatory requirements. These will include:
5.2.1 Allocation of information security responsibilities;
5.2.2 Incident reporting and management;
5.2.3 User ID addition or removal;
5.2.4 Information security training and education;
5.2.5 Data backup.
6. AVAILABILITY OF THE MANUAL
This manual is made available on the Company's website, or on request from the Company's Information Officer.