GROBLER MALOPE INCORPORATED's

Protection of Private Information Manual
& Policy Statement


1. INTRODUCTION

This Protection of Private Information Policy Statement and Manual ("Policy") describes the way that Grobler Malope Inc. ("THE COMPANY") will meet its legal obligations and requirements concerning confidentiality and information security standards. The provisions within the Policy are primarily based upon the Protection of Personal Information Act, No 4 of 2013 (POPI), as that is the critical piece of legislation covering the security and confidentiality of personal information. POPI requires THE COMPANY to inform its clients how their personal information will be used, disclosed, and destroyed. THE COMPANY guarantees its commitment to protecting its clients' privacy and ensuring that their personal information is used appropriately, transparently, securely, and in accordance with applicable laws.


2. DEFINITIONS

1.1 Consent means the voluntary, specific, and informed expression of will;
1.2 Data Subject means the natural or juristic person to whom the Personal Information relates;
1.3 Direct Marketing means approaching a Data Subject personally to sell them a product or service or request a donation;
1.4 POPI means the Protection of Personal Information Act, No. 4 of 2013;
1.5 Personal Information means information relating to an identifiable, living, natural person or an identifiable, existing juristic person, as defined in POPI;
1.6 Processing means an operation or activity, whether or not by automatic means, concerning Personal Information;
1.7 THE COMPANY means Grobler Malope Inc. and any of its future subsidiary companies.

3. SCOPE OF THE POLICY

The Policy applies to all employees, directors, sub-contractors, agents, and appointees. In addition, the Policy provisions apply to both on and off-site processing of personal information.


4. POLICY STATEMENT

THE COMPANY collects and uses the Personal Information of the individuals and corporate entities with whom it works to operate and carry out its business effectively. THE COMPANY regards the lawful and appropriate processing of all Personal Information as crucial to successful service delivery and essential to maintaining confidence between THE COMPANY and those individuals and entities who deal with it. THE COMPANY, therefore, fully endorses and adheres to the principles of the Protection of Personal Information Act ("POPI").


5. PROCESSING OF PERSONAL INFORMATION

5.1. Purpose of Processing

THE COMPANY uses the Personal Information under its care in the following ways:

  • Conducting FICA, credit reference checks, and assessments;
  • Identifying and managing its clients;
  • Assisting clients with financial planning and legal strategies;
  • Identifying clients, Company, and personal records;
  • Administration of estates and wills;
  • Providing legal services to clients;
  • Detecting and preventing fraud, crime, money laundering, and other malpractice; 
  • Conducting market or customer satisfaction research; 
  • Marketing and sales; 
  • In connection with legal proceedings;
  • Staff administration - Keeping of accounts and records;
  • Complying with legal and regulatory requirements; 
  • Profiling data subjects for direct communication/marketing.

5.2. Personal Information Collected

Section 9 of POPI states, "Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive."


THE COMPANY collects and processes clients' personal information based on the needs of the business. The type of information will depend on the requirements for which it is collected and will be processed for that purpose only. THE COMPANY will inform the client of the required and optional information whenever possible. THE COMPANY aims to have agreements with all product suppliers, insurers, and third-party service providers to ensure a mutual understanding regarding protecting the customer's personal information. With the customer's consent, THE COMPANY may also supplement the information provided with the knowledge that it receives from other providers to offer a more consistent and accurate service to its clients.


5.3. Categories of Data Subjects and their Personal Information

THE COMPANY may possess records relating to suppliers, shareholders, contractors, service providers, staff, and customers:

Entity Type / Personal Information Processed

  • Customers (Natural Persons): Names; contact details; physical and postal addresses; date of birth; ID number; tax-related information; nationality; gender; confidential correspondence; marital status; medical information
  • Customers (Juristic Persons / Entities): Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax-related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information
  • Contracted Service Providers: Names of contact persons; name of legal entity; physical and postal address and contact details; financial information; registration number; founding documents; tax-related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information
  • Employees / Directors: Gender; pregnancy; marital status; colour; race; age; language; education information; financial information; employment history; identity number; physical and postal address; contact details; opinions; criminal record; well-being; medical information
For purposes of completeness, THE COMPANY may, in general, hold the following personal records at its physical address/-es:

  • General: Attendance registers; Correspondence; Founding Documents; Licenses (categories); Minutes of Management Meetings; Minutes of Staff Meetings; Statutory Returns; Conditions of Service; Employee Records; Employment Contracts; Employment Equity Records; General Correspondence; Industrial and Labour Relations Records; Information relating to Health and Safety Regulations; Pension and Provident Fund Records; Performance Appraisals; Personnel Guidelines, Policies and Procedures; Remuneration Records and Policies; Statutory Records; Training Records; Brochures on Company Information; Client and Customer Registry; Contracts; Information relating to Employee Sales Performance; Information pertaining to Work-In-Progress; Marketing and Future Strategies; Marketing Records; Production Records; Sales Records; Suppliers Registry; Annual Financial Statements; Asset Register; Banking Records; Budgets; Financial Transactions; Insurance Information; Internal Audit Records; Management Accounts; Purchase and Order Information; Tax Records (company and employee); IT Policies and Procedures; User Manuals; FICA Docs; Identity Numbers; Dates of birth; Telephone numbers; Emails; Addresses; Banking details; Bank account numbers; License numbers; Fidelity Fund Certificates; Registration numbers; BEE Certificates; Contractual agreements; Tender documents; Invoices
  • IT practices of THE COMPANY: Network security controls; passwords; virus & malware protection; software updates; disaster recovery & back-up policy

5.4. Categories of Recipients for Processing the Personal Information

THE COMPANY may share the Personal Information with its agents, affiliates, and associated companies who may use this information to communicate and send the Data Subject information on products and services. THE COMPANY may supply the Personal Information to any party to whom THE COMPANY may have assigned or transferred any of its rights or obligations under any agreement and to service providers who render the following services:

  • Capturing and organising of data;
  • Storing of data;
  • Sending of emails and other correspondence to customers;
  • Conducting due diligence checks;
  • Administration of the Medical Aid and Pension Schemes.

5.5. Retention of Personal Information Records

THE COMPANY may retain Personal Information records indefinitely unless the Data Subject objects to it. If the Data Subject objects to indefinite retention of its Personal Information, THE COMPANY shall keep the Personal Information records to the extent permitted or required by law.


5.6. General Description of Information Security Measures

THE COMPANY employs up-to-date technology to ensure the confidentiality, integrity, and availability of the Personal Information under its care. Measures include:

  • Firewalls;
  • Virus protection software and update protocols;
  • Logical and physical access control;
  • Secure setup of hardware and software making up the IT infrastructure;
  • Outsourced Service Providers who process Personal Information on behalf of THE COMPANY are contracted to implement security controls;
  • Personal Information shall be stored on-site, and access shall be limited to authorised personnel only;
  • All electronic files or data shall be backed up to cloud-based services.

6. ACCESS TO PERSONAL INFORMATION

All individuals and entities may request access, amendment, or deletion of their Personal Information held by THE COMPANY. Any requests should be directed to the Information Officer on the prescribed form.


6.1. Remedies available if request for access to Personal Information is refused

6.1.1. Internal Remedies

THE COMPANY does not have internal appeal procedures. As such, the decision made by the Information Officer about a request is final. A requester will have to exercise such external remedies as are at their disposal if a request is refused and the requester is not satisfied with the response provided by the Information Officer.


6.1.2. External Remedies

A requester dissatisfied with the Information Officer's refusal to disclose information may apply to a court for relief within 30 days of notification of the decision. Likewise, a third party dissatisfied with the Information Officer's decision to grant a request for information may apply to a court for relief within 30 days of notification of the decision. For purposes of the Act, courts that have jurisdiction over these applications are the Constitutional Court, the High Court, or another court of similar status.


6.2. Grounds for Refusal

THE COMPANY may legitimately refuse to grant access to a requested record within a particular category. Grounds on which THE COMPANY may refuse access include:

  • Protecting personal information that THE COMPANY holds about a third person (who is a natural person), including a deceased person, from unreasonable disclosure;
  • Protecting commercial information that THE COMPANY holds about a third party or THE COMPANY (for example, trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of the organisation or the third party);
  • If disclosure of the record would result in a breach of a duty of confidence owed to a third party in terms of an agreement;
  • If disclosure of the record would endanger the life or physical safety of an individual;
  • If disclosure of the record would prejudice or impair the security of property or means of transport;
  • If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;
  • If disclosure of the record would prejudice or impair the protection of the safety of the public;
  • The record is privileged from production in legal proceedings unless the legal privilege has been waived;
  • Disclosure of the record (containing trade secrets, financial, commercial, scientific, or technical information) would harm the commercial or financial interests of THE COMPANY;
  • Disclosure of the record would put THE COMPANY at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;
  • The record is a computer program; and
  • The record contains information about research being carried out or about to be carried out on behalf of a third party or THE COMPANY.

Records that cannot be found or do not exist

If THE COMPANY has searched for a record and it is believed that it does not exist or cannot be found, the requester will be notified by an affidavit or affirmation. This will include the steps that were taken to try to locate the record.


7. IMPLEMENTATION GUIDELINES
7.1. Training & Dissemination of Information

This Policy has been put in place throughout THE COMPANY. Training on the Policy and POPI will take place with all affected employees. All new employees will be made aware at induction or through training programs of their responsibilities under the terms of this Policy and POPI. In addition, THE COMPANY will inform all the staff of data protection modifications, updates, and information-sharing policies, legislation, or guidelines.


7.2. Employee Contracts

Each new employee will sign an Employment Contract containing the relevant consent clauses for the use and storage of employee information and a confidentiality undertaking as part thereof, and will be personally responsible for ensuring there are no breaches of confidentiality concerning any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure. In addition, each employee currently employed within THE COMPANY will sign an addendum to their Employment Contract containing the same consent clauses and confidentiality undertaking, and will likewise be personally responsible for ensuring there are no breaches of confidentiality concerning any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.


8. EIGHT PROCESSING CONDITIONS

POPI is implemented by abiding by eight processing conditions. THE COMPANY shall abide by these principles in all its processing activities.


8.1. Accountability

THE COMPANY shall ensure that all processing conditions, as set out in POPI, are complied with when determining the purpose and means of processing Personal Information and during the processing itself. THE COMPANY shall remain liable for compliance with these conditions, even if it has outsourced its processing activities.


8.2. Processing Limitation
8.2.1. Lawful grounds

The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant, and not excessive.


THE COMPANY may only process Personal Information if one of the following grounds of lawful processing exists:

  • The Data Subject consents to the processing;
  • Processing is necessary for the conclusion or performance of a contract with the Data Subject;
  • Processing complies with a legal responsibility imposed on THE COMPANY;
  • Processing protects a legitimate interest of the Data Subject;
  • Processing is necessary to pursue a legitimate interest of THE COMPANY or a third party to whom the information is supplied.

Special Personal Information includes:

  • Religious, philosophical, or political beliefs;
  • Race or ethnic origin;
  • Trade union membership;
  • Health or sex life;
  • Bio-metric information (including blood type, fingerprints, DNA, retinal scanning, voice recognition, and photographs);
  • Criminal behaviour;
  • Information concerning a child.

THE COMPANY may only process Special Personal Information under the following circumstances:

  • The Data Subject has consented to such processing;
  • The Special Personal Information was deliberately made public by the Data Subject;
  • Processing is necessary for the establishment of a right or defense in law;
  • Processing is for historical, statistical, or research reasons;
  • If the processing of race or ethnic origin is to comply with affirmative action laws.

All Data Subjects have the right to refuse or withdraw their consent to the processing of their Personal Information, and a Data Subject may object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data Subject withdraws consent or objects to processing, THE COMPANY shall refrain from processing the Personal Information.


8.2.2. Collection directly from the Data Subject

Personal Information must be collected directly from the Data Subject unless:

  • Personal Information is contained in a public record;
  • Personal Information has been deliberately made public by the Data Subject;
  • Personal Information is collected from another source with the Data Subject’s consent;
  • Collection of Personal Information from another source would not prejudice the Data Subject;
  • Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;
  • Collection from the Data Subject would prejudice the lawful purpose of the collection;
  • Collection from the Data Subject is not reasonably practicable.

8.3. Purpose Specification

THE COMPANY shall only process Personal Information for the specific purposes as set out and defined above herein.


8.4. Further Processing

New processing activity must be compatible with the original purpose of processing. Further processing will be regarded as compatible with the purpose of collection if:

  • Data Subject has consented to the further processing;
  • Personal Information is contained in a public record;
  • Personal Information has been deliberately made public by the Data Subject;
  • Further processing is necessary to maintain, comply with or exercise any law or legal right;
  • Further processing is necessary to prevent or mitigate a threat to public health or safety or the life or health of the Data Subject or a third party.

8.5. Information Quality

THE COMPANY shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading, and updated. THE COMPANY shall periodically review Data Subject records to ensure that the Personal Information is valid and correct.


Employees should, as far as reasonably practicable, follow the following guidelines when collecting Personal Information:

  • Personal Information should be dated when received;
  • A record should be kept of where the Personal Information was obtained;
  • Changes to information records should be dated;
  • Irrelevant or unneeded Personal Information should be deleted or destroyed;
  • Personal Information should be stored securely on a secure electronic database or in a secure physical filing system.

8.6. Openness

THE COMPANY shall take reasonable steps to ensure that the Data Subject is made aware of the following:

  • What Personal Information is collected, and the source of the information; 
  • The purpose of collection and processing;
  • Whether the supply of Personal Information is voluntary or mandatory, and the consequences of a failure to provide such information;
  • Whether the collection is in terms of any law requiring such collection;
  • Whether the Personal Information shall be shared with any third party.

8.7. Data Subject Participation

A Data Subject has the right to request access to, amendment of, or deletion of their Personal Information. All such requests must be submitted in writing to the Information Officer. Unless there are grounds for refusal as set out in paragraph 6.2 above, THE COMPANY shall disclose the requested Personal Information:

  • On receipt of adequate proof of identity from the Data Subject or requester;
  • Within a reasonable time;
  • On receipt of the prescribed fee, if any;
  • In an appropriate format.

THE COMPANY shall not disclose any Personal Information to any party unless the requester's identity has been verified.


8.8. Security Safeguards

THE COMPANY shall ensure the integrity and confidentiality of all Personal Information in its possession by taking reasonable steps to:

  • Identify all reasonably foreseeable risks to information security;
  • Establish and maintain appropriate safeguards against such threats.

8.8.1. Written records

  • Personal Information records should be kept in locked cabinets or safes;
  • When in use, Personal Information records should not be left unattended in areas where non-staff members may access them;
  • THE COMPANY shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;
  • Personal Information which is no longer required should be disposed of by shredding. 

Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.


8.8.2. Electronic Records

  • All electronically held Personal Information must be saved in a secure database;
  • As far as reasonably practicable, no Personal Information should be saved on individual computers, laptops, or hand-held devices;
  • All computers, laptops, and hand-held devices should be access protected with a password, fingerprint, or retina scan, with the password being of reasonable complexity and changed frequently;
  • THE COMPANY shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day;
  • Electronic Personal Information, which is no longer required, must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.

Any loss or theft of computers, laptops, or other devices containing Personal Information must be immediately reported to the Information Officer, who shall notify the IT department and take all necessary steps to delete the information, if possible remotely.


9. DIRECT MARKETING

All Direct Marketing communications shall contain THE COMPANY's details and an address or method for the customer to opt-out of further marketing communication.


9.1. Existing Customers

Direct Marketing by electronic means to existing customers is only permitted:

  • If the customer’s details were obtained in the context of a sale or service; and
  • For the purpose of marketing the same or similar products.

The customer must be given the opportunity to opt-out of receiving direct marketing on each occasion of direct marketing.


9.2. Consent

THE COMPANY may send electronic Direct Marketing communication to Data Subjects who have consented to receive it. THE COMPANY may approach a Data Subject for consent only once.


9.3. Record Keeping

THE COMPANY shall keep a record of the following:

  • Date of consent;
  • The wording of the consent;
  • Who obtained the consent;
  • Proof of opportunity to opt-out on each marketing contact;
  • Record of opt-outs.

10. DESTRUCTION OF DOCUMENTS

10.1. Documents may be destroyed after the termination of the retention period specified herein or as determined by the Company from time to time.


10.2. Each department is responsible for attending to the destruction of its documents and electronic records, which must be done on a regular basis. Files must be checked to ensure that they may be destroyed and to ascertain if important original documents are in the file. Original documents must be returned to the holder thereof, failing which, THE COMPANY should retain them pending such return.


10.3. The documents must be made available for collection by Shred-It or another approved document disposal company.


10.4. Deleting electronic records must be done in consultation with the IT Department to ensure that deleted information is incapable of being reconstructed or recovered.


11. STATUTORY RETENTION PERIODS 

The document types below are listed with their statutory retention periods.

Companies Act
  • Any documents, accounts, books, writing, records, or other information that a company is required to keep in terms of the Act;
  • Notice and minutes of all shareholders' meetings, including resolutions adopted and documents made available to holders of securities;
  • Copies of reports presented at the annual general meeting of the company;
  • Copies of annual financial statements required by the Act;
  • Copies of accounting records as required by the Act;
  • Record of directors and past directors after the director has retired from the company;
  • Written communication to holders of securities, and Minutes and Resolutions of directors' meetings, any audit committee, and directors' committees.
  Retention period: 7 years

  • Registration certificate;
  • Memorandum of Incorporation and alterations and amendments;
  • Rules;
  • Securities register and uncertified securities register;
  • Register of company secretary and auditors; and
  • Regulated Companies (companies to which Chapter 5, Parts B and C, and the Takeover Regulations apply): Register of disclosure of persons who hold a beneficial interest equal to or in excess of 5% of the securities of that class issued.
  Retention period: Indefinitely

Consumer Protection Act
  • Full names, physical address, postal address, and contact details;
  • ID number and registration number;
  • Contact details of a public officer in the case of a juristic person;
  • Service rendered;
  • Cost to be recovered from the consumer;
  • Frequency of accounting to the consumer;
  • Amounts, sums, values, charges, fees, remuneration specified in monetary terms;
  • Conducting a promotional competition (refer to Section 36(11)(b) and Regulation 11 on Promotional Competitions).
  Retention period: 3 years

Financial Intelligence Centre Act
  • Whenever a reportable transaction is concluded with a customer, the institution must keep a record of the identity of the customer;
  • If the customer is acting on behalf of another person, the identity of the person on whose behalf the customer is acting and the customer's authority to act on behalf of that other person;
  • If another person is acting on behalf of the customer, the identity of that person and that other person's authority to act on behalf of the customer;
  • How the identity of the persons referred to above was established;
  • The nature of that business relationship or transaction;
  • In the case of a transaction, the amount involved and the parties to that transaction;
  • All accounts that are involved in the transactions concluded by that accountable institution in the course of that business relationship and that single transaction;
  • The name of the person who obtained the identity of the person transacting on behalf of the accountable institution;
  • Any document or copy of a document obtained by the accountable institution.
  Retention period: 5 years

Compensation for Occupational Injuries and Diseases Act
  • Register, record, or reproduce the earnings, time worked, payment for piece work and overtime, and other prescribed particulars of all the employees.
  Retention period: 4 years

Section 20(2) documents:
  • Health and safety committee recommendations made to an employer in terms of issues affecting the health of employees, and any report made to an inspector in terms of the recommendation;
  • Records of incidents reported at work.
  Retention period: 3 years

Asbestos Regulations, 2001, Regulation 16(1):
  • Records of assessment and air monitoring, and the asbestos inventory;
  • Medical surveillance records.
Hazardous Biological Agents Regulations, 2001, Regulations 9(1) and (2):
  • Records of risk assessments and air monitoring;
  • Medical surveillance records.
Lead Regulations, 2001, Regulation 10:
  • Records of assessments and air monitoring;
  • Medical surveillance records.
Noise-induced Hearing Loss Regulations, 2003, Regulation 11:
  • All records of assessment and noise monitoring;
  • All medical surveillance records, including the baseline audiogram of every employee.
  Retention period: 40 years

Hazardous Chemical Substances Regulations, 1995, Regulation 9:
  • Records of assessments and air monitoring;
  • Medical surveillance records.
  Retention period: 30 years

Basic Conditions of Employment Act
Section 29(4):
  • Written particulars of an employee after termination of employment.
Section 31:
  • Employee's name and occupation;
  • Time worked by each employee;
  • Remuneration paid to each employee;
  • Date of birth of any employee under the age of 18 years.
  Retention period: 3 years

Employment Equity Act
  • Records in respect of the company's workforce, employment equity plan, and other records relevant to compliance with the Act;
  • Section 21 report, which is sent to the Director General.
  Retention period: 3 years

Labour Relations Act
  • Records to be retained by the employer are the collective agreements and arbitration awards.
  Retention period: 3 years

  • An employer must retain prescribed details of any strike, lock-out, or protest action involving its employees;
  • Records of each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer, and the reasons for the actions.
  Retention period: Indefinite

Unemployment Insurance Act
  • Employers must retain personal records of each of their current employees in terms of their names, identification number, monthly remuneration, and address where the employee is employed.
  Retention period: 5 years
 
Tax Administration Act
Section 29 documents which:
  • Enable a person to observe the requirements of the Act;
  • Are specifically required under a Tax Act by the Commissioner by public notice;
  • Will enable SARS to be satisfied that the person has observed these requirements.
  Retention period: 5 years

Income Tax Act
  • Amount of remuneration paid or due to the employee;
  • The amount of employee's tax deducted or withheld from the remuneration paid or due;
  • The income tax reference number of that employee;
  • Any further prescribed information;
  • Employer Reconciliation return.
  Retention period: 5 years

Value Added Tax Act
  • Where a vendor's basis of accounting is changed, the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditors at the end of the tax period immediately preceding the changeover period;
  • Importation of goods: bill of entry, other documents prescribed by the Customs and Excise Act, and proof that the VAT charge has been paid to SARS;
  • Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists, and paid cheques;
  • Documentary proof substantiating the zero-rating of supplies;
  • Where a tax invoice, credit or debit note has been issued concerning a supply by an agent, or a bill of entry as described in the Customs and Excise Act, the agent shall maintain sufficient records to enable the name, address, and VAT registration number of the principal to be ascertained.