DYKES VAN HEERDEN GROUP OF COMPANIES PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 FRAMEWORK AND POLICY
1. SHORTENED NAME
- The Dykes van Heerden Protection of Personal Information Policy and Compliance Manual (dated May 2021) shall hereinafter be referred to as the “POPI Policy”, having been prepared in terms of the Protection of Personal Information Act 4 of 2013, as amended from time to time and in terms of the Regulations thereto (“POPI Act”).
- The POPI Policy has been unanimously adopted and approved by all of the directors of the Dykes van Heerden Group of Companies1 on 19 May 2021.
2. THE PURPOSE OF THE POPI ACT
- In terms of the Constitution, 1996 everyone has a right to privacy which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
- The purpose of the POPI Act is to amongst others to regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.
3. DVH IS A RESPONSIBLE PARTY
- Processing is defined in the POPI Act to include the collection, receipt, storage, recording, organisation, collation, updating or modification, usage, retrieval, retention and destruction of personal information.
- Personal information is defined very broadly as an identifiable, living, natural person’s information and, where applicable, an identifiable, existing juristic person’s information, including:
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The name of the person as it appears with other personal information relating to that person or if disclosure of the name itself would reveal information about the person;
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Biometric information of the person;
- The personal opinions, views or preferences of the person;
- The views or opinion of another individual about the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person.
- As DvH intends on storing and processing personal information for the purposes of marketing to clients it is a responsible party as defined in the POPI Act and is required to comply with the POPI Act.
4. INFORMATION OFFICERS AND DEPUTY INFORMATION OFFICERS
- The directors of each office of DvH are responsible for ensuring compliance with the POPI Act and this Policy by each such office and by the staff of each such office.
- In order to assist the directors with discharging their duties the following nominated information officers and deputy information offices are appointed by each office to support and report to the directors:
- Dykes van Heerden Incorporated: Information Officer: Cheryl Ramsamy and Deputy Information Officer: to be determined by the directors from time to time;
- Dykes van Heerden (Gauteng) Incorporated Information Officer: Cheryl Ramsamy and Deputy Information Officer to be determined by the directors from time to time;
- Dykes van Heerden (Cape) Incorporated and Dykes van Heerden Slabbert Hopkins Incorporated: Information Officer: Elana Hopkins and Deputy Information Officer: to be determined by the directors from time to time;
- Dykes van Heerden (KZN) Incorporated: Information Officer: Thomas van Heeswijk and Deputy Information Officer: to be determined by the directors from time to time;
- and such other additional personnel as may be appointed by each company forming part of DvH as notified to the employees in writing from time to time (hereinafter each referred to as the “Nominated Information Officer”).
- Any and all assistance required in implementing the Policy, or concerns arising regarding potential and existing clients should be escalated to the Nominated Information Officer or Deputy Information Officer.
5. RIGHTS OF DATA SUBJECTS (SECTION 5)
- In terms of the POPI Act certain rights are given to “data subjects” (being the person to whom personal information relates). These rights include:
- Notification of the information being collected and for what purpose;
- Establishing what information the responsible party holds and the right to request access to such information.
- Object to the processing of his/her
- Request correction, destruction or deletion of personal
- Refuse processing for direct marketing by unsolicited electronic communications.
- Complain to the Regulator and institute civil
6. REQUIREMENTS TO BE COMPLIANT – CONDITIONS OF LAWFUL PROCESSING – CHAPTER 3 OF POPI ACT
- The POPI Act provides for the establishment of minimum requirements for processing of personal The conditions for lawful processing of personal information which consist of eight conditions, which will be dealt with as necessary in more detail in this Policy, namely:
- Condition 1 – Accountability;
- Condition 2 – Processing limitation (consent);
- Condition 3 – Specific purpose;
- Condition 4 – Further processing limitation;
- Condition 5 – Information quality;
- Condition 6 – Openness;
- Condition 7 – Security safeguards;
- Condition 8 – Data subject
7. PROCESSING LIMITATIONS – CONDITION 2
- The DvH Consent Form must be signed by the client personally and obtained by the client directly.
- The personal information obtained will be stored on our electronic database along with a scanned copy of the signed DvH Consent Form, assuming the client has consented to the processing and use of their personal information.
- If the clients do not consent to the processing and storage of their information on the DvH Consent Form and opts out of direct marketing, the DvH Consent Form is to be placed in the clients file and their personal information will not be included in our marketing Their personal information will remain on file and will be treated in the ordinary course in accordance with the DvH FICA obligations as set out in the DvH RMCP.
- It is noted that clients may at any time withdraw his/her consent at which time they shall be removed from the relevant marketing database.
8. PURPOSE SPECIFICATION – CONDITION 3
- The personal information of the client shall be retained for birthday notifications, anniversary notifications and for marketing the services of DvH and its affiliates as provided for in the DvH Consent Form.
- As provided for in the DvH Consent Form the personal information of clients shall be retained until the client requests the destruction or deletion of such information or otherwise requests to be removed from the DvH marketing database. At such time the Nominated Information Officer shall as soon as practicable ensure that such information is destroyed and deleted.
9. FURTHER PROCESSING LIMITATION – CONDITION 4
- Further processing of personal information may be undertaken as approved by the Directors and Nominated Information Officer from time to time, in accordance with the consent contained in the DvH Consent Form.
10. INFORMATION QUALITY – CONDITION 5
- The Nominated Information Officer must take all reasonable steps to ensure that the information uploaded to the relevant physical and electronic marketing databases are complete and accurate, are not misleading and are updated where necessary.
11. OPENNESS – CONDITION 6
- A client may request a copy of the DvH PAIA manual, a copy of which will be provided by the Nominated Information Officer on request.
- Clients must be made aware of certain information when obtaining their consent, this is specified in the DvH Consent Form and should be pointed out by staff to the client when the relevant form is signed.
12. SECURITY SAFEGUARDS– CONDITION 7
- DvH must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent –
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal
- The Nominated Information Officer shall identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
- The Nominated Information Officer shall take such steps and shall ensure that DvH’s POPI Act obligations are carried forward into any such services contract and that service providers that may store and/or process such information from time to time agree to comply with the terms of this manual and the applicable statutory
- If personal information accessed or acquired by any unauthorised person the Nominated Information Officer must notify the Information Regulator and clients as soon as reasonably possible.
13. DATA SUBJECT PARTICIPATION – CONDITION 8
- Clients may request DvH and the Nominated Information Officer shall then correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- On request from a client subject DvH and the Nominated Information Officer shall as soon as reasonably possible correct, destroy or delete the personal information.
14. RECORDS OF INFORMATION NOT TO BE KEPT BY DVH
- DvH will not store or process information relating to a client’s religious or philosophical beliefs, or a data subjects race or ethnic origin (other than such information which is set out in a client’s identity number and is obtained by default but such information is not used to differentially categorise or process information); or trade union membership; or political persuasions, or in respect of a persons health or sex life or the criminal or biometric information of clients.
15. PROCESSING OF PERSONAL INFORMATION RELATING TO CHILDREN
- Information regarding children shall only be stored and processed with the prior consent of a competent person, as provided for in the DvH Consent Form.
16. CODE OF CONDUCT
- The Nominated Compliance Officer shall advise of any amendments to the DvH Consent Form or this Policy from time to time in terms of amendments to the POPI Act, the Regulations issued pursuant thereto and any directives and codes of conduct issued by the Information Regulator from time to time.
17. TRAINING
- Training of staff and employees will be conducted by way of:
- A meeting involving the entire staff complement of employees and administrative personnel and for all new staff in each group of companies forming part of DvH.
- Training may be undertaken in group sessions, when importance changes occur and as frequently as the board of directors may direct. Training and individual refresher training will also be available to employees on request.
- Each staff member will be provided with a copy of the Policy as revised from time to time and may be required to sign an acknowledgement of receipt and an acknowledgement that training has been effected.
18. NON-COMPLIANCE AND PENALTIES FOR NON-COMPLIANCE
- Compliance will be enforced by an Information Regulator, which will have far-reaching powers. The legislation provides for the following penalties for non-compliance after the initial grace period:
- 12 months’ to ten years’
- Up to R 10 million
- Civil
- Failure by any employee to comply with this Policy will constitute a breach of such employee’s conditions of employment, and may therefore expose such employee to disciplinary procedures, or may expose the staff member and DvH to criminal penalties which are In the event of non-compliance, alleged or suspected non- compliance with the POPI Act and this Policy a disciplinary hearing will be held and non-compliance could result in dismissal.
DVH PAIA – MANUAL
AVAILABILITY AND PRECRIBED FORMS – REQUESTS FOR ACCESS
- All requests for access to information should be addressed to that particular office of DvH at that office’s address or email of the Officer. In terms of the Act, all requests must be completed on the prescribed request Form2 (Request for Access to Records), which can be downloaded from the DvH website.
Access Request
- Use the Prescribed PAIA Form on the Company website.
- Address your request to the Information Officer.
- Provide sufficient detail to enable the Company to identify:
- The record(s)
- The requestor (and, if an agent is lodging the request, proof of capacity).
- The South African postal address, e-mail address or fax number of the requester.
- The form of access required. e. If the requestor wishes to be informed of the decision in any manner (in addition to written) the manner and particulars thereof. f. The right which the requestor is seeking to exercise or protect with an explanation of the reason, the record is required to exercise or protect the right.
- The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA (“Guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA. The Guide is available in each of the official languages and in braille. The aforesaid Guide contains the description of-
- the objects of PAIA and POPIA;
- the postal and street address, phone and fax number and, if available, electronic mail address of the Information Officer of every public body, and every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA1 and section 56 of POPIA2;
CONTACT DETAILS OF THE DVH BRANCHES AND THEIR DATA OFFICERS
|
Dykes van Heerden Slabbert Hopkins Incorporated | 121- 122 Edward Road Cape Town, 7530 | Elena Hopkins (Director) | 0861 110 210 | elanah@dvh.law.za |
Dykes van Heerden (KZN) Inc | 133 Kingsway Street,
Amanzimtoti, 4126 |
Lisa Boniface | 031 903-1851 | lisa@kzndvh.za.net |
UPDATING OF THE POLICY AND MANUAL
The Directors / Information Officer of each of the DvH offices within the Group may, from time to time, of an update this Manual, which will be available on the website.