Privacy Policy

Definitions

  1. “The body” refers to CHIPSHAKE IT CLOSE CORPORATION with registration nr 2004/028654/23, duly registered as such in accordance with the laws of the Republic of South Africa and having its principal place of business address situated at Kingfisher Street 1, Woodlands Estate, Bendor, Polokwane.
  2. “Consent” means the voluntary, specific and informed expression of will
  3. “Data Subject” means the natural or juristic person to whom the Personal Information relates and includes owners, tenants, visitors, employees and any other natural person and/or juristic person
  4. “Direct Marketing” means approaching a Data Subject personally for the purposes of selling a product or service, or requesting a donation
  5. “Personal Information” means information relating to an identifiable, living person, and shwere it is applicable, an identifiable, existing juristic person, including, but not limited to:
    1. information relating to the race, gender, sex , pregnancy, marital status, nationality, ethnicity or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the personal
    2. information relating to the education or the medical, financial, criminal or employment history of the person
    3. any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person
    4. the biometric information
    5. the personal opinions, views or preferences
    6. correspondence sent by the person that is implicitly or explicitly private or confidential in nature or further correspondence that would reveal contents of the original correspondence
    7. the views or opinions of another individual about the person; and
    8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
  6. Processing” means any operation or activity or any set of operations, whether or not by automatic means, including
    1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
    2. dissemination by means of transmission, distribution or making available in any other form; or
    3. merging, linking, as well as restriction, degradation, erasure or destruction of information
  7. “Information Officer” means the head of a private body as contemplated in section 1 of the POPI Act.
  8. “Electronic Communication” means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
  9. “Broad Based Black Economic Empowerment” means the viable economic empowerment of all black people, in particular women, workers, youth, people with disabilities and people living in rural areas, through diverse but integrated socio-economic strategies that include, but are not limited to-
    1. increasing the number of black people that manage, own and control enterprises and productive assets
    2. facilitation ownership and management of enterprises and productive assets by communities, workers, co-operatives and other collective enterprises
    3. human resource and skills development
    4. achieving equitable representation in all occupational categories and levels in the workforce
    5. preferential procurement from enterprises that are owned or managed by black people; and
    6. investment in enterprises that are owned or managed by black people.
  10. “Operator” means any third party who assist The Body in its daily functions of its business and service delivery.
  11. “POPI Act” means the Protection of Personal Information Act, No. 4 of 2013.
  12. “Policy” refers to this Privacy Policy drafted in terms of the POPI Act.

    Capitalised terms used in this Policy have the meanings ascribed thereto in Section 1 of POPIA and PAIA as the context specifically requires, unless otherwise defined herein.

INTRODUCTION

  1. This Privacy Policy (hereinafter referred to as “the Policy” and/or “this Policy”) sets out how The Body will meet its obligations and requirements imposed on it by the POPI Act and further how the Body uses, protects and processes any information that is collected form a Data Subject.
  2. The requirements and the premise on which this Policy is founded is established in terms of the POPI Act and PAIA.
  3. This Policy applies to the Body’s employees and/or any other person, including and without detracting from the generality thereof, any juristic or natural person, prospective employees, employment candidates, service providers, operators, clients/customers/consumers, governmental, provincial and municipal agencies or entities, regulators, Requesters of information or records as defined in the part A of this manual which was drafted in terms of PAIA, persons making enquiries and/or third parties, including all associated, relatives and/or family members of such Data Subjects or any person who may be acting on behalf of or in a representative capacity in respect of the Data Subject, and from whom The Body receives Personal Information.
  4. Chapter 3 of POPIA provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA.
  5. The Body needs Personal Information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is Processed and the purpose for which it is Processed is determined by The Body. The Body is accordingly a Responsible Party for the purposes of POPIA and will ensure that the Personal Information of a Data Subject:
    1. is processed lawfully, fairly and transparently. This includes the provision of appropriate information to Data Subjects when their data is collected by the Body, in the form of privacy or data collection notices. The Body must also have a legal basis (for example, consent) to process Personal Information;
    2. is processed only for the purposes for which it was collected;
    3. will not be processed for a secondary purpose unless that processing is compatible with the original purpose.
    4. is adequate, relevant and not excessive for the purposes for which it was collected;
    5. is accurate and kept up to date;
    6. will not be kept for longer than necessary;
    7. is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that Personal Information, in both physical and electronic form, are subject to an appropriate level of security when stored, used and communicated by The Body, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage;
    8. is processed in accordance with the rights of Data Subjects, where applicable

APPLICATION

  1. This Policy applies to all Data Subjects, including, its managements, its employees, its directors, third party operators and/or service providers, sub-contractors, agents, customers and/or clients, and/or any other person, whether natural or juristic, that has any dealings with The Body.
  2. The Body collects and uses Personal Information of the individuals and/or corporate entities that with which it works and/or has any dealings with in order to carry out and conduct operations of its business and statutory obligations effectively and maintain satisfactory customer services.
  3. The lawful collection of Personal Information is deemed as crucial in ensuring successful service delivery to The Body’s clients, suppliers and distributors as well as in maintaining the confidentiality between The Body and all other stakeholders. 
  4. This Policy will be applicable upon the receipt of Personal Information by the Data Subject.  The Data Subject may sign the relevant consent forms for the use and/or storage of information.  However, the voluntary provision of Personal Information by the Data Subject to The Body will be deemed as agreeing to this policy and that the Data Subject consents to the processing of its personal information.
  5. Current clients will be made aware of the Policy and will be advised to familiarise themselves with same.  They will also be made aware of the fact that they may reasonably object to the processing of their Personal Information and be afforded an opportunity to do so.  Should a client/customer/consumer not object as mentioned, The Body will deem same to be an acceptance of this Policy and consent to the Processing of its personal information.
  6. Current employees will be made aware of the Policy and will be advised to familiarise themselves with same.  They will also be made aware of the fact that they may reasonably object to the processing of their Personal Information and be afforded an opportunity to do so.  Should an employee not object as mentioned, The Body will deem same to be an acceptance of this Policy and consent to the Processing of its personal information.
    1. All new employees will be informed of the Policy and will be requested to consent to same.  The consent may be included in its employment contract.

COLLECTION OF INFORMATION

  1. Personal Information is collected from the Data Subject directly.  Same may be done as follow, without limitation:
    1. By The Body requesting the information from the Data Subject in writing and/or verbally with the possibility of same being reduced to in writing and the Data Subject providing the Personal Information as requested.
    2. Personal Information may also be collected when a Data Subject provides the Information voluntarily when it applies for employment, solicits services from The Body or to The Body, when it submits enquiries with The Body.
    3. By The Body lawfully obtaining same from a third party during the course of rendering services to the third party as contractor and/or operator assisting it in conducting its business and rendering services.  Subsequently, the Personal Information is received from the third party who is duly authorised to share the Personal Information and who has obtained the consent from the Data Subject to do so.  In such an event, this Policy will also apply to the information received from the third party and The Body will protect the Personal Information as set out herein and as if same was obtained from the Data Subject directly.
    4. By way of “cookies” or similar technologies.  Cookies are small software programs that install themselves on computers and mobile devices and they store data specific to a particular user and remembers the user’s preferences about The Body’s website.  The cookies may be stored on the user’s computer or devices for various lengths of time and every time the user returns to the website, the cookies record this data which is then transmitted to The Body or to third parties with whom The Body works as specified herein.
      • The Body may collect information about the user’s computer, including where available, its operating system, browser type, third-party software installed on the user’s device, installation and uninstallation rates, the language of the user’s device, the computer manufacturer, screen size and model of the device and other technical information for system administration and to report aggregate information to The Body’s advertisers.  The statistical data about the user’s browsing actions and patterns is derived from Personal Information but is not considered Personal Information in law as it does not identify any individual.
      • When a user visits the Body’s website, it may place cookies onto the user’s device, or read cookies already on the device, subject always to obtaining the user’s consent, where requires, in accordance with applicable law.  The Body uses cookies o record information about the user’s device, browser, preferences and browsing habits. 
      • Subsequently, The Body may process Personal Information through cookies and similar technologies.
    5. Biometric information by way of facial and/or fingerprint recognition.
  2. In the event of The Body requesting information from the Data Subject as described in clause 4.1.1. The Body will apply its best endeavours to inform the Data Subject what information is required, and which information is optional.

CATEGORIES OF DATA SUBJECTS

The Body will protect the following information of its directors, employees, customers, clients, consumers, service providers, employees, and other Data Subjects set out below:

Categories of Data Subjects and categories of Personal Information relating theretoPersonal Information Processed
Natural Persons:    Full names. Contact details. Physical and Postal Address. Identification numbers. Date of birth. Tax number (and other related tax information). Confidential correspondence. Biometric details
Juristic PersonsFull names of legal entity. Names and details of contact persons. general contact details. Registration number and other registration details. Physical and postal addresses. Financial information and details. Founding documents. Tax related information. VAT number and VAT related documents. Names and details of authorized signatories. Beneficiaries (where applicable. )Shareholder Information (where applicable). Broad Based Black Economic Empowerment Information (where necessary and applicable)  
Payment beneficiaries:   Bank Account Currency Code, Bank Account Id, Bank Account Name, Bank Account Number, Bank Account Type; beneficiary address, transaction details; payment narrative and, for certain data transferred, National Insurance numbers.  
Personnel:    Full name; ID numbers. Contact details (address/telephone number). Race. Gender. Education. Physical and postal address. Income TAX numbers

The body has applied its best efforts to provide a comprehensive list.  However, this list may be updated from time to time.

SPECIAL PERSONAL INFORMATION

  1. It may be that in the course of rendering services to a customer/client/consumer and/or for employment purposes, The Body may need to collect Special Personal Information as described in Section 26(a) and (b) of the POPI Act, which reads as follow:
    (b)       the criminal behavior of a data subject to the extent that such information relates to –
               (i)    the alleged commission by a data subject to any offense; or
              (ii)   the proceedings in respect of any offense allegedly committed by a data subject or the disposal of such proceedings.”
  2. The abovementioned information will only be processed for a legitimate purpose and only for the purposes specified by The Body.
  3. The information will further only be processed by obtaining the Data Subject’s prior consent.
  4. It may be that The Body will request Special Personal Information from its employees for certain purposes such as, but not limited to, statistical purposes, access to its premises, ensuring that an employee/contractor can render a specific service or is qualified for the position for which it is being considered, association purposes which may affect The Body, etc.   In this event, The Body will inform the Data Subject of the purpose for which same is being obtained and request consent to process same accordingly.

PURPOSE OF PROCESSING PERSONAL INFORMATION

  1. The Body is established and registered in terms of the applicable laws of the Republic of South Africa which laws imposes certain statutory obligations on The Body which must be complied with.  These obligations may require the Body to process, store, keep and share personal information collected by it with third parties or to ensure that the Body complies with these obligations through the effective and necessary governance of The Body.
  2. As set out herein, the Personal Information may only be Processed for a specific purpose and the purpose(s) for which The Body processes information is set out here:
Data SubjectReason/Purpose
For Clients / Consumers / Customers and any other third partiesTo provide services to the Client in accordance with terms agreed to by the Client;
To verify the identity of the Client or the client’s representative(s) who contact The Body or may be contacted by the Body
To monitor and/or record calls and electronic communications with the client for quality, training, investigation and/or fraud prevention purposes
For crime detection, prevention, investigation and prosecution
To manage The Body’s relationship with the Client
The purposes related to any authorized disclosure made in terms of agreement, law or regulation.
To identify payments received from and made to clients
Verifying and updating information of clients
Conducting marketing and satisfaction research and reviews;
Recovering and collecting of outstanding payments due and owing to The Body
To form a view of residents as individuals and to identify, developer improve The Body
Communicating with clients by email, SMS, letter, telephone or in any other way relating to The Body’s affairs in general as well as in relation to the client personally
Security purposes
To enforce or defend The Body’s rights
Performing checks
For any legal proceedings that need to be instituted or defended
Complying with The Body’s Regulatory and other obligations
For Service ProvidersVerifying and updating information
Administration agreements
Verifying information and performing checks
Purposes relating to the agreement or contractual relationship or possible agreement or business relationships between the parties
Security purposes
Payment of Invoices
Complying with The Body’s Regulatory and other obligations
Any other reasonably required purpose relating to the Body’s business
Any other reasonably required purpose relating to the Body’s business and access protocols
For any legal proceedings that need to be instituted or defended
For EmployeesVerifying and updating information
Performing duties in terms of any agreement
Verification of prospective employees’ information
General matters relating to employees
Payroll
Disciplinary action
Training
Any other reasonably required purpose relating to the employment or possible employment relationship
Security purposes
Any other reasonably required purpose relating to The Body’s business and access protocols
Staff administration
Conducting marketing and satisfaction research and reviews
For any legal proceedings that need to be instituted or defended.
For the purpose of enabling The Body to fulfill its obligations as set out in the Employment contract

The Body has applied its best efforts in supplying all the reasons for which Personal Information is processed.  However, this list may be updated from time to time.

3. Personal Information will also only be processed in the ordinary course of business and for the purposes set out herein. 
4. Further to this, the Body will only use the information for the purposes for which it was obtained. 
5. The information will only be used for secondary purpose if such purpose constitutes a legitimate interest and is closely related to the original or primary purpose for which the Personal Information was collected and/or if you consent has been obtained.

CATEGORIES OF RECIPIENTS FOR PROCESSING PERSONAL INFORMATION

  1. The Body may share the Personal Information with its affiliates, associated companies, agents and any other person that may use this information to send the Data Subject information in relation to The Body.
  2. As such, the Body may supply the Personal Information collected by it to any party whom The Body may have assigned or delegated or transferred any of its rights and obligations in terms of and/or under any service provider that renders the following services:
    • Administration and management functions, including internal operating services;
    • Data hosting services;
    • IT services;
    • Customer services
    • Sending of emails and other correspondence to customers/consumers/clients;
    • Administration of medical aid’s, pension schemes or trade unions;
    • General maintenance services;
    • Security services;
    • Insurance companies;
    • Enforcing The Body’s rules;
    • Legal and collection purposes;
    • Providing the Body with biometric security services;
    • document review and technology services;
  3. The Body may further disclose the information a competent Court or authority upon request or when receiving a subpoena to do so, and/or for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including, but not limited to, safeguarding against, and the prevention of threats to, public security.
  4. Should The Body engage a third-party Operator to process any Personal Information it recognises that any Operator who is in a foreign country must be subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection similar to the POPI Act. 
    • In such an event, the Body will ensure that the Operator/third party undertakes to protect the Personal Information in line with applicable data protection legislation and the transfer is necessary in order to provide The Body’s products and/or services.
  5. The Body will review its relationships with Operators it is already engaged or to be engaged with and, to the extent required by any applicable law, require such an Operator to be bound by contractual and/or legal obligations to:-
    • only process such Personal Information in accordance with prior written consent; and
    • use appropriate measures to protect the confidentiality and security of such Personal Information.
  6. When making authorized disclosures or transfers of personal information in terms of section 72 of POPIA, Personal Data may be disclosed to recipients located in countries which do not offer a level of protection for those data as high as the level of protection as South Africa. 
    • In all or most instances The Body will attempt to ensure that the third party outside of the Republic of South Africa has adopted a law that provides for an adequate level of protection substantially like the POPI Act and/ The Body will request that the third party undertakes in writing to protect the Personal Information in line with applicable data protection legislation and the transfer is necessary in order to provide The Body’s products and services.
    • However, The Body accepts that clause 8.6.1. may not always be possible and as such The Body will obtain your consent before transferring your Personal Information.  The Body will further request that third party undertakes in writing to protect the Personal Information in line with applicable data protection legislation of South Africa.

ACCESS TO PERSONAL INFORMATION

  1. This section must be read with The Body’s PAIA Manual which promotes the access to information.
  2. Any Natural or Juristic Person may request access, deletion or amendments to their Personal Information held by The Body and/or its agents.  Same is to be done by completing the applicable forms annexed hereto and adhering to the procedure set out in the PAIA Manual and to be sent to the Information Officer.  The Information Officer may accept or deny the request for access. 
    • Upon acceptance of the request, the timeline stipulated in paragraph 7.7 of the PAIA manual will apply for the processing of the application.
  3. In the event that the application for access to Personal Information is denied, the Information Officer is to provide written reasons as to why same is denied and same is to be kept on record.
    1. The Requester may then appeal his request to the Information Regulator.
    2. Should the Information Regulator also deny the request for access to the Personal Information, the Requester may approach a competent Court for the appropriate and/or necessary relief within 30 days of notification of the decision. 
    3. The Requester may upon denial of his/her/its request by the Information Officer, approach a competent Court for the appropriate and/or necessary relief within 30 days of notification of the decision.
  4. In the event that the information requested cannot be found and/or the Body believes that the record does not exist or cannot be found, after a reasonable search was conducted, the Requester will be notified by way of an affidavit, which will set out the steps to be taken to obtain the information, sworn to by the Information Officer within 30 days of completing the reasonable search.
  5. The request for access to Personal Information may be refused on the following grounds, without being limited thereto:
    1. To protect Personal Information that the Body hold in relation to third parties (where natural or juristic persons including deceased persons) from unreasonable disclosure;
    2. To protect commercial and proprietary information that The Body holds about or in relation to a third party which may or may not include trade secrets, financial, commercial, labour, technical or scientific information that may, if revealed, will bring about loss and/or hard to the third party in question;
    3. In the event that disclosure will breach duties of confidentiality to that third party in terms of an agreement;
    4. Disclosure of the Information would result in endangering the life or physical safety and security of an individual;
    5. Disclosure of the information would result in the prejudice or impairing the protection or safety of the public;
    6. The disclosure of information is privileged from production in legal proceedings, unless the legal privilege is waived;
    7. Disclosure of such information would harm the commercial and financial interests of The Body;
    8. The record is contained as a computer or software program; and
    9. The record contains any research that has been conducted or will be conducted on behalf of The Body.

DATA ACCURACY & SECURITY

  1. The Body will restrict the processing of Personal Information to data which is sufficient for the fulfilment of the primary purpose and applicable legitimate purpose for which it was collected.
  2. The Body has implemented and will continue to implement appropriate technical and organisational security measures to protect Personal Information in its possession against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, in accordance with applicable law.
  3. The Body undertakes to institute and maintain the data protection measures to accomplish the following objectives outlined below. The details given are to be interpreted as examples of how to achieve an adequate data protection level for each objective. The Body may use alternative measures and adapt to technological security development, as needed, provided that the objectives are achieved.
    1. Access Control of Persons
      The Body shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data are processed.
    2. Data Media Control
      The Body undertakes to implement suitable measures to prevent the unauthorized manipulation of media, including reading, copying, alteration or removal of the data media used by the Body and containing personal data of Clients.
    3. Data Memory Control
      The Body undertakes to implement suitable measures to prevent unauthorized input into data memory and the unauthorized reading, alteration or deletion of stored data.
    4. User Control
      The Body shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons by means of data transmission equipment.
    5. Access Control to Data
      The Body represents that the persons entitled to use the Body’s data processing system are only able to access the data within the scope and to the extent covered by their respective access permissions (authorization).
    6. Transmission Control
      The Body shall be obliged to enable the verification and tracing of the locations / destinations to which the personal information is transferred by utilization of the Body’s data communication equipment / devices.
    7. Transport Control
      The Body shall implement suitable measures to prevent Personal Information from being read, copied, altered or deleted by unauthorized persons during the transmission thereof or during the transport of the data media.
    8. Organization Control
      The Body shall maintain its internal organization in a manner that meets the requirements of this Manual.
  4. Should there be reasonable grounds to suspect that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised third party, the Body will notify the Regulator and the Data Subject, unless a public body responsible for the detection, prevention or investigation of offences or the relevant regulator informs The Body that notifying the Data Subject will impede a criminal investigation.
  5. Due to the fact that the internet is an pen system, the transmission of information via the internet is not completely secure and even though The Body implements all reasonable security measures to ensure the protection of the Data Subject’s Personal Information, it cannot guarantee the security of any information transmitted using the internet or internet related services, and The Body cannot be held liable for any loss of privacy occurring during the course of such transmission.

DATA MINIMISATIONS

  1. The Body will restrict its Processing of Personal Information to data which is sufficient for the fulfilment of the primary purpose and applicable legitimate purpose for which it was collected.

CONDITIONS FOR LAWFUL PROCESSING

  1. The Body endeavours to comply with the conditions under which personal information may be processed lawfully in terms of Chapter 3 of the POPI Act, which are as follows:
    1. Condition 1:  Accountability
    2. Condition 2:  Processing Limitation
    3. Condition 3:  Purpose specification
    4. Condition 4:  Further processing limitation
    5. Condition 5:  Information quality
    6. Condition 6:  Openness
    7. Condition 7:  Security safeguards
    8. Condition 8:  Data Subject participation
  2. The Body further endeavours to comply with all sections thereunder to ensure that Personal Information collected by it duly complies with these conditions.

DATA RETENTION

  1. The Body will retain and store Personal Information for the period for which the data is required to serve its primary purpose or a legitimate interest or for the period required to comply with an applicable legal requirement imposed by law, whichever is longer.

RIGHTS OF THE DATA SUBJECT

  1. A Data Subject may have rights under the South African and other laws to have access to its Personal Information and to request the Body to rectify, delete or restrict use of same.
  2. The Body acknowledges that a Data Subject may also have rights to object to its personal Information being used.
  3. The Body acknowledges that a Data Subject may also have the right to ask for the transfer of Personal information made available to The Body and to withdraw its consent to use the Personal Information.
  4. The abovementioned may be done by submitting the forms attached hereto and marked as Addendums C and D respectively, to the Information Officer, who will consider such a request accordingly and may adhere to or reject the request and provide reasons for its decision if necessary.  Should the Information Officer reject such a request, the Data Subject may approach the Regulator and/or Competent Court for the necessary relief.

DESTRUCTION OF RECORDS/DOCUMENTS/INFORMATION

  1. Documents may be destroyed after the termination of the retention period specified herein, or as determined by The Body from time to time. 
  2. Files are to be checked to ensure that they may be destroyed and also to ascertain if there are important original documents in the file. 
  3. Original Documents must be returned to the holder thereof, failing which, they should be retained by the Body pending such return.
  4. Deletion of electronic records must be done in consultation with the IT department and/or IT services, to ensure that deleted information is incapable of being reconstructed/recovered.

DIRECT MARKETING

  1. The Body may process a Data Subject’s Personal Information for the purposes of providing it with information regarding services which may be of interest to it.  As such, same may be done by direct marketing which may be done electronically or telephonically.
  2. The Data Subject will be given the opportunity to unsubscribe or opt-out of this marketing and The Body undertakes to adhere to the request.

AVAILABILITY OF THE PAIA MANUAL AND PRIVACY POLICY

  1. The Body will update the PAIA Manual at such intervals as may be deemed necessary.
  2. Both the PAIA Manual and Privacy Policy is available to view at the premises of The Body and/or upon request from the Information Officer and/or Deputy Information Officer, whose details are repeated here:
    The Information Officer’s contact details are as follow:
    Name: Pieter Van Wyk
    Physical address: Kingfisher Street1, Woodlands Estate, Bendor, Polokwane, 0699
    Postal address: PO Box 11112, Bendor Park, Polokwane, 0713
    Telephone number: 082 470 3985
    Email address: pieter@chipshake.co.za