PROTECTION OF PERSONAL INFORMATION ACT
1. INTRODUCTION
1.1. The Protection of Personal Information Act (POPI) is intended to balance 2 competing interests. These are:
• Our individual constitutional right to privacy (which requires our personal information to be protected); and
• The needs of our society to have access to and to process (work with) our personal information for legitimate purposes, including the purpose of doing business.
1.2. Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
A copy of the full information Manual is available at:
BPW Axles (PTY) Ltd
Corner Kitty and Donald Street
Chrisville, Johannesburg
South Africa
2. CONDITIONS FOR THE LAWFUL PROCESSING OF PERSONAL INFORMATION
2.1. Chapter 3 of POPI provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPI.
2.2. BPW may only process Special Personal Information under the following circumstances:
• The Data Subject has consented to such processing;
• The Special Personal Information was deliberately made public by the Data Subject;
• Processing is necessary for the establishment of a right or defence in law;
• Processing is for historical, statistical, or research reasons;
• Processing of race or ethnic origin is in order to comply with affirmative action laws.
All Data Subjects have the right to refuse or withdraw their consent to the processing of their Personal Information, and a Data Subject may object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data Subject withdraws consent or objects to processing, then BPW shall forthwith refrain from processing the Personal Information.
Collection directly from the Data Subject:
Personal Information must be collected directly from the Data Subject, unless:
• Personal information is contained in a public record;
• Personal information has been deliberately made public by the Data Subject;
• Personal information is collected from another source with the Data Subject’s consent;
• Collection of Personal Information from another source would not prejudice the Data Subject;
• Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;
• Collection from the Data Subject would prejudice the lawful purpose of collection;
• Collection from the Data Subject is not reasonably practicable.
3. THE PURPOSE OF THE PROCESSING OF PERSONAL INFORMATION
3.1. As outlined above, Personal Information may only be processed for a specific purpose.
3.2. The purposes for which BPW Processes, or will Process, Personal Information are set out hereunder:
3.2.1. Staff Administration.
3.2.2. Conducting credit reference checks and assessments.
3.2.3. Rendering services in accordance with contractual agreements concluded with customers.
3.2.4. Providing products and services to customers.
3.2.5. Compliance with Tax-related legislation.
3.2.6. Keeping accounts and records.
3.2.7. Administration of agreements.
3.2.8. Detection and prevention of fraud, crime, money laundering and other malpractice.
3.2.9. Conducting market and customer satisfaction research.
3.2.10. Marketing and Sales.
3.2.11. Legal proceedings.
3.2.12. Complying with legal and regulatory requirements.
4. RECIPIENTS OF PERSONAL INFORMATION
4.1. BPW may disclose personal information to its service providers, vendors and suppliers who are involved in the delivery of products or services to it or in compliance with other legislative obligations.
4.2. Agreements have been put in place to ensure that all service providers, vendors and suppliers comply with the privacy and protection of personal information requirements as contained in the Act.
4.3. In order to ensure this protection, the Protection of Personal Information Agreement and Consent Declaration must be completed by each service provider, vendor or supplier and submitted to the Information Officer.
4.4. BPW may supply the Personal Information to any party to whom BPW may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:
• Capturing and organising of data;
• Storing of data;
• Sending of emails and other correspondence to customers;
• Conducting due diligence checks;
• Administration of the Medical Aid and Pension Schemes.
5. DESCRIPTION OF INFORMATION SECURITY MEASURES
5.1. BPW relies on up-to-date technology to ensure the confidentiality, integrity, and availability of the Personal Information under its care.
5.2. In order to secure the integrity and confidentiality of the personal information in our possession, and to protect it against loss or damage or unauthorized access, the following security safeguards will continue to be implemented:
5.3. The business premises where records are kept will remain protected by access control, burglar alarms and armed response.
5.4. Archived files will be stored behind locked doors and access control to these storage facilities will be implemented.
5.5. All the user terminals on the internal computer network and servers will be protected by passwords that are changed on a regular basis.
5.6. The email infrastructure will comply with industry standard security safeguards.
5.7. Vulnerability assessments will be carried out on the digital infrastructure on an annual basis to identify weaknesses in the systems and to ensure that there is adequate security in place.
5.8. An internationally recognized Firewall will be used to protect the data on the local servers, and antivirus protection will be run at least every hour to ensure the systems are kept updated.
5.9. The staff will be trained to carry out their duties in compliance with POPI, and this training must be ongoing.
5.10. Every employment contract must contain a term which creates the obligation to maintain full confidentiality in respect of all of BPW’s clients’ personal information.
5.11. The personal information of clients and employees will be destroyed timeously in a manner that de-identifies the person.
5.12. These security safeguards will be verified on a regular basis to ensure effective implementation, and these safeguards must be continually updated in response to new risks or deficiencies.
6. CONSENT TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
6.1. POPI defines consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
6.2. In compliance with the conditions for the lawful processing of personal information set out in Chapter 3 of POPI, each data subject will be asked to complete a Protection of Personal Information Agreement and Consent Declaration.
6.3. This consent form provides data subjects with information regarding how BPW obtains, uses and discloses Personal Information in accordance with the requirements of POPI and obtains the Data Subject’s consent to do so.
6.4. In order to ensure that the necessary consent is obtained in this way, the Protection of Personal Information Agreement and Consent Declaration must be completed by the Data Subject and submitted to the Information Officer.
7. OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION BY A DATA SUBJECT
7.1. Section 11 (3) of POPI and regulation 2 of the POPI Regulations provide that a Data Subject may, at any time, object to the Processing of his, her or its Personal Information in the prescribed form.
7.2. This is subject to the following exception contained in the Act:
7.2.1. A data subject may object, at any time, to the processing of personal information on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing.
7.2.2. Should a Data Subject seek to object to the processing of his/her/its Personal Information, the form must be completed by the Data Subject and submitted to the Information Officer.
8. REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION
8.1. Section 24 of POPI and regulation 3 of the POPI Regulations provide that a Data Subject may request, in the prescribed form, that their Personal Information be corrected or deleted.
8.2. Should a Data Subject seek to correct or delete his, her or its Personal Information, the form must be completed by the Data Subject and submitted to the Information Officer.
8.3. BPW must notify the data subject, who has made a request in terms of subsection (1), of the action taken as a result of the request.
9. APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PURPOSE OF DIRECT MARKETING
9.1. Direct Marketing includes any communication by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail.
9.2. Section 69 (2) provides that the processing of personal information of a data subject for the purpose of direct marketing is prohibited unless the data subject has given his, her or its consent to the processing.
9.3. Should BPW wish to obtain a Data Subject’s consent to process his, her or its Personal Information for the purpose of Direct Marketing, the form must be completed by the Responsible Party and delivered to the Data Subject.